Sector wise readiness

EdTech: the children's data twist that applies from day one

29 June 2026 · about 4 minutes

One misconception I keep seeing when EdTech startups read DPDP checklists: they assume every box applies from day one. It does not.

A tutoring app on its first 1,000 students is not expected to operate like a national edtech. A small coaching platform does not need every compliance product a large player buys. A sector map is a superset, not a launch checklist.

But EdTech has one twist most sectors do not, and it does apply from day one: you are processing children's data, and that changes the baseline itself.

What applies from the start, whatever your size

• ✅ Notice
• ✅ Consent and easy withdrawal
• ✅ Security safeguards (access control on student records)
• ✅ Rights handling
• ✅ Grievance mechanism
• ✅ Processor contracts
• ✅ Breach response
• ✅ Verifiable parental consent before processing a child's data, with due diligence that the parent is an identifiable adult
• ✅ No behavioural monitoring or ad targeting of children

What may not apply to you yet

• ❌ SDF obligations. These switch on only if the Central Government notifies you. Minors at scale and behavioural data make large EdTech strong candidates to assess, but size alone does not make you an SDF.
• ❌ Annual DPIAs
• ❌ Independent audits
• ❌ Dedicated DPO
• ❌ Enterprise grade tooling

Two things EdTech founders consistently get wrong

The education exemption is narrow, and it does not cover growth tactics. Tracking is permitted only for the institution's educational activities or a child's safety. Engagement optimisation and ad targeting on minors, the highest exposure activity in EdTech, falls outside it entirely.

The children's data prohibitions are absolute, not consent waivable. You cannot get a parent to sign away the no targeting rule. Unless a specific Fourth Schedule exemption applies, the prohibition stands no matter what consent you collect.

The better question

The better question is not "does EdTech have this requirement?"

It is "have I actually triggered this requirement?"

Law creates obligations. Scale and risk influence implementation. Confusing the two is how EdTech startups spend on tools they do not need while missing the basics, and the basics here are not optional.

Which obligation do you see EdTech startups over implementing most? Drop it in the comments.

Next in this series: E-commerce ›

#DPDP #DataProtection #EdTech #StudentPrivacy #Privacy #ChildrensData

This is part of a sector wise DPDP readiness mapping covering 28 sectors. It separates statutory obligations from common audit expectations and tooling suggestions. General information about the DPDP Act 2023 and the DPDP Rules 2025, not legal advice.