Of all the provisions in the DPDP Act 2023, the requirements around children's data are the strictest — and carry the highest penalties (up to ₹200 Crore). Every school, coaching centre, college, and EdTech platform in India must understand these rules.
The Legal Basis: Rule 10
DPDP Rule 10 governs the processing of personal data of children and persons with disabilities. Key provisions:
- A child is defined as any person under 18 years of age
- Before processing a child's personal data, a Data Fiduciary must obtain verifiable consent from the child's parent or legal guardian
- The Fiduciary must verify the parent's identity and age (the parent must themselves be an adult)
- The Fiduciary cannot target advertising to children based on their personal data
- The Fiduciary cannot track or monitor children's online behaviour
Who Is Affected?
Any institution or platform that processes data of individuals under 18:
- Schools (CBSE, ICSE, state board, international) — student data, attendance, performance
- Coaching centres and tutorial institutes — student records, fee data
- EdTech platforms — Byju's, Unacademy, and any online learning platform with student users
- Sports academies — student/athlete records
- Medical institutions treating minors — patient data
- Any app or website where users under 18 register
What "Verifiable" Parental Consent Means
The Act requires that parental consent be "verifiable" — meaning you can't just take a checkbox or a digital signature at face value. You must have a mechanism to verify that:
- The person giving consent is actually the parent or legal guardian
- The parent is themselves an adult
The DPDP Rules specify the DigiLocker age verification token as the recommended mechanism. Parents verify their age via DigiLocker (which links to Aadhaar), and the token confirms they are 18+. The actual Aadhaar number is not shared — only the age-verified token.
Practical Implementation for Schools
At Admission
The consent collection process should happen at admission, before any student data is entered into your systems:
- Send the parent's phone number a DPDP consent request (via SMS or WhatsApp)
- The parent completes DigiLocker age verification (takes ~2 minutes)
- They review what data will be collected (name, DOB, address, academic records, biometrics if applicable) and confirm consent
- The consent is logged with a timestamp in your records
For Existing Students
If your school has been operating before the DPDP Act's enforcement date, you must retroactively obtain parental consent for all current students before May 13, 2027. This is a significant undertaking for schools with hundreds or thousands of students — start early.
Communication and Notifications
Consent for storing student records does not automatically cover sending promotional communications to parents. If you want to send fee payment reminders, exam schedules, or event notifications — that's a separate use case that parents must explicitly consent to.
What You Cannot Do With Student Data
- Target advertising: You cannot use a student's data to show them or their parents targeted advertisements, even for your own services
- Behaviour tracking: You cannot track which videos they watch, how long they spend on the platform, or build behavioural profiles
- Third-party sharing: You cannot share student data with third parties for marketing purposes without explicit consent
- Indefinite retention: Once a student leaves your institution, you cannot retain their data indefinitely. Define a retention period (typically 3-7 years for academic records) and delete after
The Penalty Risk
₹200 Crore is the maximum penalty for violations involving children's data. This applies per violation — a school that processes 1,000 students' data without proper parental consent has committed 1,000 violations, not one. Practically, the DPB will likely treat this as a single systemic violation, but the exposure is enormous.
How EasyDP Handles Parental Consent
EasyDP's parental consent flow is specifically designed for schools and EdTech platforms. When a student's record is created, the system automatically:
- Detects that the student is under 18 based on their date of birth
- Sends a consent request to the parent's phone number
- Guides the parent through DigiLocker age verification
- Collects and logs the verifiable consent
- Stores the consent record with timestamp, parent ID token, and specific data purposes consented to
This entire flow is available in Hindi, Tamil, Telugu, Kannada, Malayalam, and English — because many parents in India are more comfortable in their regional language.