India’s new DPDP Rules set strong child-data safeguards, but their impact will depend on how schools, parents, and platforms implement them over the next 18 months.
Last week, the Ministry of Electronics and Information Technology (MeitY) notified the Digital Personal Data Protection (DPDP) Rules, 2025. These rules have arrived at a moment when children’s digital presence is expanding faster than any regulatory system can keep up. From EdTech platforms and school ERP (Enterprise Resource Planning) systems to gaming apps, social media, and digital toys, children generate enormous volumes of data. Parents often fail to understand the implications of this data, and sometimes do not even know that it exists.
Until now, this data has been governed by fragmented guidelines, weak contractual arrangements, and uneven institutional capacity. The formal notification of the DPDP Rules marks a decisive shift, placing schools, colleges, EdTech companies, and education boards squarely within a national compliance framework. Nonetheless, the question remains: how effectively will this law protect children’s data, especially when tested against on-ground practices and awareness?
The DPDP Act, 2023 applies to all digital data, including paper records that are digitised later, and establishes a high bar for the processing of children’s data. Any organisation, school or EdTech company that collects data is called a Data Fiduciary. It must obtain verifiable parental consent before collecting or using the personal data of anyone under the age of 18. This is particularly crucial as children today experience constant digital surveillance in the online world. EdTech companies track screen time, clicks, keystrokes, and quiz performance. Gaming apps extract location, device identifiers, behavioural patterns, and friend networks. Schools increasingly rely on third-party vendors for everything from homework submission to online exams, often with minimal cybersecurity safeguards.
A Data Fiduciary is also responsible for implementing enhanced security safeguards when handling children’s data, including processing data only for necessary and defined purposes, and maintaining transparency on third-party sharing. The DPDP Act also prohibits behavioural tracking and targeted advertising for children, reinforcing the idea that commercial interests cannot override a child’s right to a safe digital environment. This makes children protected rights-holders, instead of passive data subjects.
The DPDP Act will also set up a Data Protection Board to monitor compliance, investigate breaches, and impose penalties for violations related to children’s data privacy. This alone will require many institutions to audit existing practices, redesign consent forms, and rethink how they collect and share learner information across systems.
MeitY has notified the DPDP Rules with a phased roll-out. While rules related to the Data Protection Board take effect immediately, rules for consent managers, i.e. entities that will allow users to give, manage, and withdraw consent, come into force after 12 months. Most obligations for Data Fiduciaries, including verifiable parental consent, security safeguards, breach notifications, data minimisation, and processing restrictions for children’s data, come into force after 18 months. This means that although the law recognises children’s rights today, full legal protection will not be enforceable until the culmination of the 18-month window.
This rule should not be viewed as a weakness in adoption but as a preparatory window that grants institutions time to adapt. In India, the levels of readiness for digital education are highly inconsistent. While a select few well-funded schools boast strong IT governance and robust cybersecurity protocols, the vast majority of institutions—particularly peri-urban and rural schools, along with small EdTech companies—lack these essential measures. Therefore, the DPDP Act’s effectiveness will depend less on the rules and more on what schools, companies, state governments, and parents do in the next 18 months.
Three factors will shape the outcome. First, there is the ability and will of parents to act as informed gatekeepers for their children’s data. A 2025 survey found that while 60 percent of parents claimed awareness of risks like identity theft, only 42.7 percent regularly adjusted privacy settings, and nearly one-third never used them, revealing a sharp gap between perception and protective action. Household surveys have also indicated that oftentimes it is children who introduce and navigate online services for the family, rather than the other way around. Thus, parents’ awareness of data rights, online safety, and responsible technology is the backbone of their informed participation. The government needs to undertake a nationwide Digital Parenting Awareness Campaign with the help of State Education Departments, modelled on literacy and health awareness drives. Short, vernacular infographics and radio segments on learner data rights, safe app use, and reporting of cyber incidents are needed. School-level data literacy sessions during parent-teacher meetings must be leveraged to explain privacy settings, data-sharing practices, and grievance-redress options for parents.
Second, schools often outsource digital functions to vendors without due diligence. Over the next 18 months, they must map where the student data is collected and where it flows, renegotiate contracts with vendors, ensure secure data storage, and train teachers to spot data risks. Nationwide teacher-training programmes should embed digital pedagogy, data privacy, and ethical use of technology as core competencies. NCERT (National Council of Educational Research and Training) and SCERTs can partner with EdTech firms to deliver bilingual micro-courses on topics such as password management, secure content sharing, and consent collection in classrooms. Certification on responsible data handling and cyber safety can be made mandatory for school Principals, to be completed within these 18 months. EdTech and gaming platforms must redesign children’s products with privacy-by-design to avoid costly re-engineering later. The government should release simplified templates and checklists tailored for schools and small businesses.
Third, effective implementation will be contingent on the autonomy, resourcefulness, and accessibility of the Data Protection Board. The regulator should include specialised talent such as cybersecurity specialists and privacy engineers. It should be supported by an in-house digital forensics unit capable of investigating leaks, tracing unauthorised access, and examining algorithmic profiling. Much like the European Union’s GDPR (General Data Protection Regulation), the DPDP Rules need to be supplemented by sector-specific guidelines and inspection protocols, checklists or audit templates, before obligations become enforceable. The Board’s accessibility should be modelled on India’s consumer forums, which are designed to be easy to approach, non-intimidating, low-cost, usable without a lawyer, and responsive to everyday grievances.
The DPDP Act provides the right architecture, but protection will only become real if institutions use the next 18 months to prepare seriously. If this period is utilised for meaningful preparation, it can establish a robust data protection system for safeguarding children’s digital data.
Arpan Tulsyan is a Senior Fellow at the Centre for New Economic Diplomacy (CNED), Observer Research Foundation.
The views expressed above belong to the author(s).
Arpan Tulsyan is a Senior Fellow at ORF’s Centre for New Economic Diplomacy (CNED). With 16 years of experience in development research and policy advocacy, Arpan ...