Schools, Coaching Centres & Platforms Processing Children’s Data: Are You Compliant?

July 17, 2026

By Vikrant Rana, Anuradha Gandhi and Rishabh Gupta

The Problem: What Organisations Are Actually Doing

Across India, educational institutions and businesses that deal with minors have made it a routine practice to photograph children celebrating achievements, post their names and images on social media, websites, and marketing material, share performance data with third parties, and collect biometric or health-related data — all without obtaining verifiable parental consent. These photographs and videos are posted without the child or parent having any meaningful opportunity to review, restrict, or object.

What organisations routinely post or share includes:

  • Students’ photos and videos at events, sports days, award ceremonies
  • Names, class details, and academic achievements on school/institution websites
  • Admission data shared with edtech platforms and marketing companies
  • Health and attendance data shared with hospitals or government bodies
  • Footage collected via CCTV and shared with third parties without notice

The Legal Framework: DPDP Act, 2023

The Digital Personal Data Protection Act, 2023 (DPDP Act) is India’s first comprehensive data protection statute. It classifies anyone below 18 years of age as a “child” and mandates that data fiduciaries — entities that determine the purpose and means of processing personal data — obtain verifiable parental consent before processing a child’s personal data.

Who Does the DPDP Act Apply To?

Any organisation that processes children’s personal data falls squarely within the ambit of the Act, including:

  • Schools and educational institutions
  • Coaching centres and tutoring platforms
  • Edtech companies and online learning portals
  • Hospitals, clinics, and healthcare providers
  • Banks and financial institutions (e.g., for education loans)
  • Employers (where employees are minors)
  • Social media platforms accessible to minors

The Act applies to all these entities. Compliance is not optional.

What Is “Verifiable” Parental Consent?

Section 9 of the DPDP Act r/w Rule 10 of the DPDP Rules, 2025 does not merely require a click-through checkbox or a blanket admission form consent. It requires consent that is:

  • Free and informed: the parent or guardian must understand what data is being collected and why.
  • Specific: each purpose of processing must be separately identified and consented to.
  • Verifiable: the organisation must be able to demonstrate that consent was obtained from a parent or legal guardian, not the child.
  • Withdrawable: consent may be withdrawn at any time, and processing must cease upon withdrawal.
  • Due Diligence: Organizations shall adopt appropriate technical and organizational measures and conduct due diligence for checking that the individual identifying herself as the parent is an adult. This may be undertaken through:
  1. Reliable details of identity an age of the individual with the organization;
  2. Details of identity and age, voluntarily provided:
  1. By the individual; or
  2. Through a virtual token mapped to such details, which is issued by an authorized entity
    • Exemption for Educational Institutions: Section 9(3) and (4) of the Digital Personal Data Protection Act (DPDP) prohibits Data Fiduciaries fromTracking or behavioral monitoring of children
    • Directing targeted advertising at children
    • Undertaking any processing of personal data that may harm the well-being of children

    However, Schedule 4 of the DPDP Rules provides a limited exemption for Educational Institutions. These institutions may undertake tracking or behavioral monitoring of children without verifiable consent, but only under the following conditions:

    1. Educational activities: When such tracking or monitoring is required strictly for the educational activities of the institution.
    2. Child safety: When undertaken in the interests of the safety of children enrolled with the institution.

    Additionally, if any Educational Institution, crèche, or child care center engages a third-party transport provider, that entity may track the location of enrolled children during travel to and from the institution, solely in the interests of their safety.

Other laws governing processing of children’s information

  1. Information Technology Act, 2000 r/w Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021
    The Rules were amended in 2026 to include special provisions to regulate deepfakes and synthetically generated information. It provides that intermediaries creating such images shall:

    • Provide for an additional user information (warning) requirement for intermediaries that offer a computer resource which enables or facilitates creation/ generation/ modification/ alteration/ sharing of synthetically generated information (SGI).
    • Intermediaries must inform/warn users that violations relating to unlawful SGI may attract penalties/punishment under the IT Act and other applicable laws.
    • Further, the Rules also provides for timeline for removal of such images within 3 hours of receipt of such order/notice
  2. Guidelines for Prevention of Misleading Advertisement in Coaching Sector, 2024
    These guidelines aim to safeguard students and the public from deceptive marketing practices commonly employed by coaching centers. Key provisions include:[1]

    • Explicit Consent for Posting Personal Information: prevent coaching centers from using students’ names, photos, or testimonials in advertisements without their written consent. Such consent must only be obtained only after the student’s success.
    • Regulation of Advertisements: The guidelines explicitly prohibit coaching institutes from making false claims related to Selection rates, success stories, exam rankings, and job security promises, assured admissions, high exam scores, guaranteed selections or promotions
    • Transparency and Disclosure: Coaching centers will need to disclose important information, such as the name, rank, and course details alongside the student’s photo in an advertisements. Any disclaimers will need to be prominently displayed, with the same font size as other important details, ensuring that consumers are not misled by fine print.
  3. State Laws which has Banned Social Media for Children
    Karnataka has announced a ban on social media use by children under the age of 16. Further, the Andhra Pradesh government is planning to introduce measures to restrict social media access for children below 13 years of age in order to protect them from its potential negative impact.

Rights of Students, Parents & Guardians

The DPDP Act creates enforceable rights for data principals — in the case of children, these rights are exercisable by parents or guardians on behalf of the child. These are not aspirational rights; they are legally actionable under the statute.

RIGHT WHAT IT MEANS
Right to Know Parents and guardians have the right to know what personal data about their child is being collected, how it is being used, with whom it is shared, and for how long it is retained.
Right to Correction Inaccurate or outdated personal data about the child must be corrected or updated upon request. Organisations cannot refuse without valid legal justification.
Right to Erasure Parents and guardians may request deletion of their child’s personal data where it is no longer necessary for the purpose for which it was collected, or where consent has been withdrawn.
Right to Withdraw Consent Consent for processing a child’s data may be withdrawn at any time. The organisation must stop processing upon withdrawal, subject to applicable legal obligations.
Right to Grievance Redressal Every data fiduciary must establish a grievance mechanism. Parents and guardians may file complaints if their rights are denied or data is misused. Unresolved complaints may be escalated to the Data Protection Board of India.
Right Against Tracking & Profiling The DPDP Act prohibits tracking, behavioural monitoring, or targeted advertising directed at children. This includes personalised content algorithms used by  social media entities and other organizations except educational institutions

Students who are minors do not exercise these rights independently under the Act — they are exercised by parents or lawfully appointed guardians. Institutions must have a clear, documented process for receiving and responding to such requests.

Global context: How other jurisdictions are responding

India’s DPDP Act places it in alignment with a global regulatory trajectory. Internationally, governments are tightening safeguards for children’s digital lives:

  • Australia: passed a law in 2024 requiring major social media platforms to prevent children under 16 from creating accounts, placing the compliance burden on platforms rather than parents.
  • France & the United Kingdom: have advanced legislative measures to curtail children’s access to social media and impose stricter consent and age-verification obligations on platforms.
  • United States – The U.S. Children’s Online Privacy Protection Act (COPPA), originally enacted in 1998, requires websites and online services to obtain verifiable parental consent before collecting, using, or disclosing personal information from children under 13. Further in January 2025, the Federal Trade Commission made some amendments and expanded the scope of the act:
    1. Requiring opt-in consent for targeted advertising and other disclosures to third parties:
    2. Covered operators to only retain personal information for as long as reasonably necessary to fulfill a specific purpose for which it was collected.
  • Expanding the definition of personal information to include biometric identifiers as well as government-issued identifiers.

Takeaways for in-house Counsel

If your organisation collects, processes, or shares any personal data relating to individuals below the age of 18 — in any capacity — the following action items require immediate attention:

  1. Data Mapping & Audit
    • Conduct a comprehensive audit of all data flows involving children’s personal data across departments, vendors, and third-party platforms.
    • Identify every category of children’s data being collected: names, photographs, videos, biometrics, health records, academic performance, behavioural data.
    • Map which third parties receive children’s data (edtech vendors, marketing agencies, government bodies, social media platforms).
  2. Consent Architecture
    • Replace blanket admission-form consents with granular, purpose-specific consent notices compliant with the DPDP Act.
    • Implement a mechanism to verify that consent is obtained from a parent or legal guardian — not the child.
    • Build a consent withdrawal process: when a parent withdraws consent, processing must cease, and data must be deleted within prescribed timelines.
    • Retain records of all consents obtained, including timestamp, purpose, and identity verification method.
  3. Vendor Contracts
    • Review all contracts with third-party vendors who receive or process children’s data — this includes edtech platforms, school management software providers, and marketing agencies.
    • Ensure Data Processing Agreements (DPAs) impose DPDP Act-compliant obligations on vendors, including data minimisation, purpose limitation, and deletion clauses.
  4. Institutional Policies
    • Draft and implement a Children’s Data Protection Policy, separate from the general privacy policy.
    • Train school administrators, HR teams, marketing departments, and front-line staff on the prohibition on posting children’s photographs or data without verifiable consent.
    • Appoint or designate a responsible officer for data protection compliance and grievance redressal.
  5. Grievance Mechanism
    • Establish a documented, accessible grievance redressal process for parents and guardians to raise complaints about data misuse or denial of rights.
    • Ensure the grievance officer’s contact details are prominently published on your website and in communications with parents.
  6. Social Media & Marketing
    • Immediately audit your organisation’s social media handles and website for any content featuring children posted without verifiable parental consent.
    • Implement a pre-publication approval process requiring proof of consent before any child’s image or data is shared publicly.
    • Prohibit targeted advertising or algorithmic profiling of users identified as minors.
PENALTY EXPOSURE: NON-COMPLIANCE UNDER THE DPDP ACT

The DPDP Act provides for significant financial penalties for failure to comply with consent obligations, failure to implement reasonable security safeguards, and failure to respond to data principal requests. Penalties for breach of children’s data obligations can run into hundreds of crores of rupees. The Data Protection Board of India will have powers to investigate complaints, issue orders, and impose penalties. The reputational consequences of a public breach involving children’s data are likely to be severe and immediate.

[1] https://www.pib.gov.in/PressReleaseIframePage.aspx?PRID=2073013&reg=48&lang=2

For more information please contact us at : info@ssrana.com