DPDPA Compliance for Schools, Coaching Institutes & EdTech Platforms
Verifiable parental consent under Section 9 is mandatory from 2026. Penalties reach ₹200 crore. Get audit-ready for K-12 schools, coaching chains, and EdTech apps.
Schools, coaching institutes, and EdTech platforms handle the most sensitive category of data under the DPDPA, 2023 — children's data. Section 9 makes verifiable parental consent non-negotiable, and Section 9(3) bans behavioural tracking and targeted advertising of children outright. With enforcement live from 2026 and penalties up to ₹200 crore, generic admission-form consent, WhatsApp marksheets, unconsented yearbook photos, and ad-funded EdTech models are now direct liabilities. This page maps every obligation specific to K-12 schools, CBSE/ICSE/IB boards, coaching chains, and EdTech apps using Fedena, Edupro, or Teachmint.
Critical sections for Schools, Coaching & EdTech
Your DPDPA obligations
Verifiable Parental Consent
Every child under 18 requires verifiable consent from a parent or guardian before processing. Aadhaar-OTP, DigiLocker, or video-KYC — not checkbox declarations.
No Behavioural Tracking of Children
Absolute prohibition on tracking, behavioural monitoring, or targeted advertising directed at children. Affects every EdTech app using ad SDKs or analytics pixels.
Purpose-Limited Notice in Regional Language
Notice in English plus parent's regional language, itemising each purpose: biometric attendance, CCTV, transport GPS, exam proctoring.
Data Processing Agreements with EdTech Vendors
School is Data Fiduciary; Fedena, Edupro, Google Workspace, Zoom are Processors. Execute DPAs, audit security, restrict cross-border transfers.
Breach Notification within 72 hours
Any unauthorised access — ransomware, leaked Drive folder, exposed S3 bucket — must be reported to the DPB and affected parents.
Data Retention & Erasure
Student data must be deleted within a reasonable period after the purpose ends. Indefinite alumni databases need fresh consent.
Significant Data Fiduciary Obligations
Large EdTech (>50 lakh users, or sensitive child data at scale) face DPIA, independent audit, and India-based DPO appointment.
Common violation scenarios
School publishes Class 10 toppers' photos and home addresses on website and WhatsApp without parental consent
Up to ₹200 crore
EdTech app onboards minors via self-declared age checkbox and runs Meta Pixel for retargeting ads
Up to ₹200 crore
Coaching institute leaks 12,000 student records via unpatched Fedena instance
Up to ₹250 crore
Boarding school stores hostel CCTV in Singapore cloud, no DPA, no retention policy
Up to ₹150 crore
School fails to notify DPB within 72 hours of ransomware breach of student records
Up to ₹200 crore
Industry-specific risks
- Biometric attendance (fingerprint/face) of minors collected without verifiable parental consent — Section 9 breach, ₹200 cr exposure
- Classroom and hostel CCTV live-streamed to parents without purpose-limitation notice
- EdTech apps using third-party ad SDKs (Google Ads, Meta Pixel) profiling children — direct Section 9(3) violation
- School management systems (Fedena, Edupro, Teachmint) on overseas servers without DPA or transfer assessment
- Coaching institute mock-test platforms storing student PII and answer scripts in unencrypted S3 buckets
- Yearbooks, brochures, and social posts featuring identifiable minors without fresh, specific consent
Consent capture checklist
- Verifiable parental consent captured for every student under 18 before any data collection (Section 9 mandatory)
- Age-gating on EdTech apps and school portals — DOB verified, not self-declared
- Parent identity verified via Aadhaar-OTP, DigiLocker, or government-ID cross-check before consent acceptance
- Separate consent for biometric attendance, classroom CCTV, and exam-hall proctoring with face recognition
- Withdrawal mechanism: parents can revoke consent and request deletion of child's data in one click
- Consent records timestamped and archived for 3 years post-enrolment for DPB audit
- No behavioural tracking, ad profiling, or third-party SDK sharing of children's data (Section 9(3))
- Yearbook, prospectus, and website photos of students require fresh purpose-specific parental consent
→ Generate a bilingual DPDPA consent form for Schools, Coaching & EdTech
Frequently asked questions
Does my CBSE/ICSE school need DPDPA consent if parents already signed the admission form?
Yes. A generic admission-form signature is NOT verifiable parental consent under Section 9. You need a separate, purpose-specific, revocable consent notice in English and the regional language covering each processing activity — biometric attendance, CCTV, photographs, third-party EdTech logins, transport GPS. Old admission forms must be re-papered before 2026 enforcement.
Our coaching institute shares marks on WhatsApp parent groups. Is this DPDPA-compliant?
No. Sharing a child's marks, photographs, or attendance on WhatsApp without verifiable parental consent and a documented purpose violates Section 9. Penalty exposure is up to ₹200 crore. Migrate to a consented parent portal with role-based access and audit logs.
What counts as 'verifiable' parental consent for an EdTech app onboarding a 14-year-old?
DPB guidance points to Aadhaar-OTP linked to the parent, DigiLocker credentials, credit-card micro-charge with name match, or video-KYC of the parent. Self-declared checkboxes ('I am the parent') and email confirmations are NOT verifiable and will fail audit.
Can we still publish the school yearbook with student photos?
Only with fresh, specific, opt-in parental consent for each child appearing in the yearbook. Consent obtained at admission three years ago does not cover yearbook publication. Children who opted out must be excluded or blurred — including in PDFs hosted on the school website.
Do CCTV cameras in classrooms and exam halls need consent?
Yes. CCTV capturing minors is personal data processing. You need parental consent (Section 9), a posted purpose notice (Section 5), retention under 90 days unless incident-flagged, and access logs. Live-streaming exam halls to parents needs additional Section 9 consent.
Our school uses Fedena / Edupro / Google Workspace. Are we covered by their consent flows?
No. The school is the Data Fiduciary; the SaaS vendor is a Data Processor under Section 8(5). You must execute a DPA, audit their security, ensure data is stored in India or adequacy-jurisdictions, and obtain consent in your own name — not the vendor's.
Get a Schools, Coaching & EdTech-specific compliance audit
Free 48-hour DPDPAReady audit — we map your exact workflow against every applicable Section and ship the consent forms, retention schedules, and breach playbooks you need.
Get your free audit →Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.