Introduction

Indian classrooms are increasingly adopting technology-enabled learning by incorporating adaptive software, learning management systems (LMS), app-based and mobile platforms, immersive tools such as Virtual Reality (VR) and Augmented Reality (AR), online assessments, simulations, and virtual labs.^[1] Digital education, through government platforms as well as private educational technology (EdTech) enterprises, flourished during the COVID-19 pandemic in 2020–22 as schools and universities moved completely online. Even after they reopened, EdTech continued to grow as a supplement to traditional classroom-based learning, a substitute for private tutoring, or to cater to interest-based pedagogies.^[2]

E-books, gamified content, collaborative software, and mobile apps now define how millions of students access knowledge, often based on a personalised and focused approach. This surge in e-learning has created vast repositories of learner data that is related not only to academic performance but includes personally identifiable information, behavioural analytics, and biometric usage metadata.^[3] Learner data comprises any information generated, collected, or inferred about students and their learning processes through EdTech.

While the expansion of EdTech is promising for personalised and inclusive education, it raises serious governance challenges. A large volume of learner data being generated, stored, and shared, often without meaningful consent or adequate security protocols, poses privacy and ethical risks.^[4] Children represent a vulnerable group whose dignity, equity, and opportunity can suffer long-term consequences due to data breaches or profiling, thanks to the proliferation of predictive algorithms and analytics.^[5] Therefore, it is necessary to move learner data beyond a narrow privacy framing and understand how it has implications for children’s learning outcomes, autonomy, and well-being.^[6] Accordingly, governance of learner data must be assessed not only in terms of legal compliance, but also to see whether digital education systems support child development and educational inclusivity.

India’s Digital Personal Data Protection (DPDP) Act, 2023, offers a general privacy protection framework, but does not contain sector-specific operational standards tailored towards learner data and educational technologies. As EdTech tools and platforms become widespread, the absence of a dedicated governance architecture for educational data may pose challenges to consistent protection, erode public trust, and exacerbate inequalities.

This brief examines responsible governance of EdTech in India, focusing on regulatory frameworks and stakeholder capacity-building to mitigate learner data risks. It maps the expanding Indian EdTech ecosystem, examines privacy, security, and autonomy risks as well as regulatory gaps, and proposes actionable recommendations to align India’s digital education future with its constitutional commitment to ensure privacy, equity, and quality learning for all.

Understanding Educational Technology (EdTech)

EdTech includes a range of components that collect diverse forms of learner data, such as:

• Educational Apps: Mobile and web-based applications focusing on specific skills, subjects, or age groups, such as BYJU’S, Doubtnut, and Hello These apps often collect detailed behavioural and performance data to personalise learning experiences.
• Online Learning Platforms: Comprehensive platforms that offer structured courses, live classes, and assessments, for example, Unacademy, Vedantu, and They aggregate large volumes of academic and engagement data across diverse learner cohorts.
• Content Providers: Organisations that create and distribute digital educational content, such as e-books, simulations, and interactive They may collect usage data to refine their content and measure its effectiveness.
• Learning Management Systems (LMS): Platforms such as Google Classroom and Moodle that facilitate course administration, delivery, and tracking. LMSes centralise data related to assignments, attendance, grades, and communication. 
• Artificial Intelligence (AI) and Analytics Tools: Specialised standalone or integrated platform tools that analyse learner data to provide insights, predictive analytics, and recommendations for teachers and

Together, these EdTech tools and technologies support and transform the process of teaching and learning and make education more accessible, personalised, and effective.

The Expanding Indian EdTech Ecosystem

The evolution of the Indian EdTech sector took place in four distinct waves, each reflecting shifts in technology, learner access, and learning needs.^[7] The first wave (1990s–2010)^[a] was largely business-to-business (B2B)–focused, with schools adopting smartboards and enterprise resource planning (ERP) software for greater administrative efficiency. The second wave (2010–2018) saw a move toward business-to-customer (B2C) learning, driven by increased internet access and lower data costs. This phase also witnessed the rise of K-12 learning apps and online test preparation platforms. The third wave (2019–2021), during the COVID-19 pandemic, was marked by a surge in EdTech start-ups and the adoption of cutting-edge tools like AI, machine learning, and gamified learning experiences. In the current or fourth wave (2022–present), EdTech has evolved into a permanent and integral part of the learning ecosystem,  complementing classroom teaching through digital resources, interactive content, and personalised learning pathways that enhance student engagement and outcomes. While expanding access remains a priority, this phase is also characterised by greater localisation of digital content to Indian curricula and languages, the emergence of immersive learning, and the integration of AI-driven personalisation (see Figure 1).

Figure 1: Evolution of EdTech in India

Source: Author’s own,  adapted from Inc42, 2023.^[8]

Since the COVID-19 pandemic, India’s EdTech industry has been growing consistently. It was valued at US$3.63 billion in 2025,  with projections to reach US$33.31 billion by 2034 (see Figure 2).^[9]

Figure 2: India’s EdTech Market: Projected Year-on-Year Growth

Source: IMARC Group, “India Edtech Market Size, Share, Trends and Forecast by Sector, Type, Deployment Mode, End User, and Region, 2026–2034.”^[10]

The K-12 (school education) sector dominates the EdTech market with a share of 43 percent in 2025, driven by the large student population’s need for supplementary material.^[11] It is expected to contribute 0.4 percent of India’s gross domestic product (GDP) in 2029, up from 0.1 percent in 2020.^[12]

There are three key factors driving this growth. First, government programmes such as Digital India, Study Webs of Active-learning for Young Aspiring Minds (SWAYAM), and the National Education Policy (NEP) 2020 have accelerated digital integration in education. Second, expanding mobile and internet penetration in the country, with over 600 million smartphone users^[13] and affordable data plans, has made online learning accessible even in rural areas. Third, EdTech platforms have integrated advanced features such as personalisation, gamification, AI-based interactive learning, and multilingual user interfaces for greater accessibility and user engagement. They now support a range of academic, skill-based, and upskilling courses.

In 2022, students in India spent over 950 million hours on primary and secondary education apps, and 187 million hours on language-learning apps.^[14] In 2025, the largest user group for EdTech platforms comprised students in classes 11 and 12, who used these platforms primarily to prepare for entrance exams like Joint Entrance Examination (JEE) and National Eligibility-cum-Entrance Test (NEET),with 50 percent of them dedicating over five hours every day.^[15]

Understanding Learner Data in the Context of EdTech

Learner data typically includes:

1. Academic Performance Data: Grades, test scores, assignments, progress reports, and assessment results, all of which provide insights into a student’s knowledge, learning gaps, and overall academic trajectory.
2. Behavioural Data: Metrics such as login frequency, time spent on learning modules, click patterns,^[b] engagement with resources, participation in discussions, and completion rates. This data helps understand learning habits, motivation, and engagement levels.
3. Personal and Demographic Information: Name, age, gender, contact information, language preferences, and in some cases, socioeconomic background or parent profiles. This data is often collected during registration for identification and personalisation.
4. Biometric Data: Facial expressions, voice recordings, or even fingerprints collected during the login process. While this is still an emerging form in India, it is relevant for enhancing security and monitoring engagement.^[16]
5. Social and Emotional Data: This category refers to social learning behaviour and, in some cases, aspects of emotional well-being inferred from discussion forums, chat logs, and peer interactions. Some platforms require student videos or photo identification, and in the age of deepfakes,^[c] this amplifies risks of misuse and consent violation.
6. Device and Technical Data: Information about the device(s) used, browsers, IP addresses, and network quality, collected to optimise user experience and troubleshoot various technical issues.

These types of data are used to train systems, personalise learning, offer predictive analysis, inform teaching strategies, and aid institutional decision-making (see Figure 3).^[17],[18]

Figure 3: Uses of Learner Data in EdTech

Source: Author’s own.

Learner data is collected, stored, and utilised through a variety of methods, each with its own privacy and security implications. They include: user inputs, where learners or their parents share personal information during registration or profile updates; automated tracking through tools such as cookies, tracking pixels, and analytics used by platforms to monitor user activity, engagement, and navigation patterns;  assessment engines like online quizzes, assignments, and adaptive tests that automatically capture performance data; and third-party integrations such as Google Analytics, app permissions, or payment gateways, which may collect additional data points.

While this data enables personalised learning and improved educational outcomes, it also has potential for privacy and security risks, if not managed judiciously.^[19] First, breaches of confidentiality—if information such as performance or learning difficulties gets circulated, it could harm the student’s well-being and damage their reputation. Exposure of sensitive emotional or behavioural data could also result in embarrassment, humiliation, stigma, lowered self-esteem, or reduced participation, especially for vulnerable learners.^[20] Second is the concern of coercion, where data collected might be leveraged to subtly pressure or control learners, undermining their autonomy. Third is appropriation, when personal learner data is exploited commercially, or for profiling, or targeted advertising without explicit consent.^[21] Fourth is the risk of distortion if algorithms generate inaccurate or biased feedback, misrepresenting learners’ abilities. This could lead to negative psychological and educational outcomes.^[22] Fifth are concerns of intrusion through unwarranted surveillance, excessive data tracking, or invasive questioning that can impact a student’s educational experience. Lastly, decisional interference emerges when EdTech recommender systems restrict options or nudge learners towards specific options, impinging on their freedom of choice.^[23]

Additionally, cybersecurity threats such as data breaches, phishing, and malware can compromise sensitive information, leading to risks of identity theft and misuse of personal data.^[24] Many educational institutions lack robust cybersecurity policies and training, leaving them vulnerable to such attacks. 

Below are three major data-security breach incidents that occurred in India’s education space in the last six years: Unacademy (online learning platform): In May 2020, a hacker gained access to Unacademy’s database and offered 20–22 million user accounts for sale. The compromised data included usernames, emails, account joining dates, hashed passwords, last login dates, and account status. Unacademy later said that only 11 million accounts were affected and that no sensitive information (financial, location) was shared.[25] Skolaro (school management/EdTech start-up): Sometime in March 2020, the data of 50,000+ students, parents, and teachers, belonging to 100 Indian schools that was stored on this Gurugram-based platform, got leaked due to unsecured servers. This reportedly included student photographs, usernames, passwords, ages, religion, addresses, school information, dates of birth, and medical histories.[26] Digital Infrastructure for Knowledge Sharing (DIKSHA): DIKSHA is a national school education app owned and operated by the Ministry of Education. In 2023, reports emerged that a Microsoft Azure cloud server storing DIKSHA data was left unprotected and was indexed by Google. The data revealed the full names, phone numbers, and email addresses of more than one million teachers and 600,000 students. Post this breach, the National Council of Educational Research and Training (NCERT) initiated a third-party security audit of DIKSHA to ensure data safety.[27] These incidents are evidence that learner-data governance in India has failed at multiple levels: vendor security, institutional due diligence, and public-platform accountability. This is consistent with  United Nations Children's Fund’s (UNICEF) warning that schools often lack the legal or technical expertise to determine how children’s data is collected and processed by EdTech companies.[28] United Nations Educational, Scientific and Cultural Organization (UNESCO) similarly notes the need to monitor implementation of the data protection law, as cyberattacks and data exposure risks continue with the rise in digital education.[29]

The Regulatory Framework in India

India’s regulatory framework for learner data privacy and protection is evolving, reflecting growing awareness of the sensitive nature of this data. Currently, the Digital Personal Data Protection (DPDP) Act, 2023, is the key legislation. It offers consent-based collection with clearly delineated roles and duties for data fiduciaries.^[30] Table 1 maps its key provisions and their implications concerning learner data collected by educational institutions and EdTech providers.

 Table 1: Implications of DPDP Act, 2023, Provisions for Educational Institutions and EdTech Platforms

Provision	What the DPDP Act Says	Implications
Scope/Applicability	Applies to all digital personal data processed in India (including paper data, digitised later).	Covers all institutions that digitise learner data (schools, universities, EdTech apps, government platforms)
Children’s Data Protection (Under 18)	Verifiable parental consent mandatory; profiling, behavioural tracking, or targeted advertising of children prohibited.	Directly applies to school/EdTech data collection and analytics systems.
Data Fiduciary Duties	Fiduciaries must implement security safeguards, maintain records, and notify breaches.	Educational institutes/EdTech providers act as data fiduciaries; third-party service providers (cloud, LMS vendors) as data processors.
Rights of Data Principals (Learners/Parents)	Right to access, correction, erasure, and grievance redressal.	Students and parents can request for data deletion or correction from institutions, and make complaints to competent authorities, mainly the Data Protection Board.
Purpose Limitation and Data Minimisation	Process data for specified purposes and collect what is necessary.	Prevents over-collection of learner data, supports privacy.
Security Safeguards and Breach Notification	Mandatory technical/organisational safeguards; report breaches to the Data Protection Board and affected individuals.	Applies to all institutional and EdTech databases holding learner data.
Legitimate Uses and Exemptions	Allows limited processing without consent (legal obligations, public interest, research).	Enables anonymised use of learner data for educational research.
Cross-Border Data Transfer	Permitted only under government-notified conditions ensuring equivalent protection.	EdTech providers using overseas servers or analytics tools must verify compliance.
Penalties and Enforcement	Non-compliance can attract penalties up to ₹250 crore per violation.	Schools and EdTech firms are equally liable for breaches or consent violations.

Source: Author’s own, using sources as mentioned.^[31]

There are three main takeaways from Table 1. First, although the DPDP Act is not education-sector-specific, it does cover educational institutions and EdTech providers that process learner data digitally, and establishes their fiduciary obligations to comply with safeguards, consent, and security norms for children’s data. Second, the Act requires verifiable parental or lawful guardian’s consent for processing children’s data, while restricting behavioural tracking and targeted advertising aimed at minors. Third, it grants a range of  rights to access, correct, and erase data, as well as seek grievance redressal to individuals with heavy penalties for violations of its provisions.

The DPDP Act has the potential to improve learner data protection if its provisions are effectively enforced and there is clarity in implementation. The rules of the Act were notified in November 2025, about two years after its enactment, and most provisions relevant to EdTech have an 18-month window for implementation. While this transitional period has been provided to give time to institutions to adapt, it also means that in the meantime, schools and EdTech companies continue to function without complete regulatory guidance. Concerns have been raised about the potential compliance costs for EdTech vendors, especially smaller firms.^[32] While it is a valid concern, this should not supersede regulatory standards in education.

Institutional awareness and capacity to manage consent, verification, and grievance redressal remains limited. Without sector-specific guidance from the Data Protection Board and proper coordination between the Ministry of Electronics and Information Technology (MeitY) and the Ministry of Education (MoE),^[d] lack of capacity-building, template policies, and child-specific compliance standards, learner data protection depends more on institutional discretion than regulatory oversight.

The DPDP Act also empowers the central government to exempt any government agency from its provisions on the grounds of national security, public order, or for certain research and statistical purposes. This could let off government-run educational databases such as Unified District Information System for Education Plus (UDISE+), Performance Assessment, Review, and Analysis of Knowledge for Holistic Development (PARAKH) surveys, and student scholarship databases, leaving student data potentially vulnerable to misuse. An amendment to the Right to Information (RTI) Act via the DPDP Act has also raised concerns that transparency could be eroded under the guise of privacy, as large volumes of data held by authorities might be unavailable for public scrutiny.^[33]

Another dilemma is that enforcing provisions for minors would require verifying their ages online, entailing intrusive measures such as collecting identification documents or biometrics, which clash with data minimisation principles. Conversely, less stringent methods like self-declaration of age can be easily circumvented. Regulators have yet to clarify what practices are acceptable to confirm student ages, making it ambiguous for  schools and EdTech providers.

The DPDP Act relies on parents to act as informed gatekeepers for their children’s data. However, many parents lack the awareness or technical knowledge to make nuanced privacy decisions. A 2025 survey found that while 60 percent of parents claimed to be aware of risks like identity theft, only 42.7 percent regularly adjusted privacy settings, and nearly one-third never used them.^[34] Similarly, another survey reported that while 74 percent of Indian parents worry about online safety, one-third have never discussed it with their child.^[35] Household surveys indicate that in India, it is oftentimes children who handle online services for the family.^[36] Thus, parental consent may not guarantee meaningful protection, leading to uninformed acceptance in some cases and excessive restrictions that limit educational opportunities in others.

Last, some provisions of the DPDP Act meant to protect children’s data might override certain child safety features. For example, the strict ban on tracking and monitoring minors online will affect platforms that use behavioural tracking to detect cyberbullying or self-harm risks. The European Union (EU) experienced a similar dilemma—its regulations initially curtailed online child tracking, only to later allow tailored exceptions when the lack of monitoring began impairing safety tools.^[37] Indian laws currently lack explicit exceptions for using data for child protection, beyond a draft rule that allows location tracking while the child is en route to and from school.^[38]

Another argument is that restrictions on tracking or targeted advertising may undermine personalisation and thereby weaken the usefulness of digital learning systems,^[39] but this requires a qualifier: personalised education can be achieved using limited, context-specific learner data without relying on pervasive tracking or advertising-style optimisation. UNICEF and UNESCO provide a normative basis for this distinction, while the UK Children’s Code offers a design-oriented model for embedding children’s interests into digital services. ^{[40],[41],[42]}

Besides the DPDP Act, the Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, imposes due-diligence obligations on intermediaries hosting user content, including grievance mechanisms and takedown processes.^[43]

Policy guidance in the NEP 2020 also underscores ethical, equitable digital learning and calls for a robust public digital infrastructure,^[44] principles that align with privacy by design and data minimisation in school systems and government platforms. The draft National Data Governance Framework Policy (NDGFP) focuses on safeguards for the usage of anonymised data sets from government and private entities for research and innovation.^[45] It clarifies when and how learner data can be anonymised and shared, and how public platforms should structure data access. The National Commission for Protection of Child Rights (NCPCR) also has a mandate on children’s rights that can intersect with EdTech practices.^[46]

While India has a strong data protection act and complementary IT rules, education-specific areas such as biometric data safeguards, age-assurance protocols, procurement clauses for EdTech vendors, regular audit standards, and parental awareness initiatives remain underdeveloped. These are critical to bridge the gap between law and classroom realities. India’s framework can draw valuable lessons from the EU’s General Data Protection Regulation (GDPR) to address some of these concerns.^[47]

The GDPR emphasises that educational institutions must collect only data that is “adequate, relevant and limited to what is necessary” and clearly define the purpose of collection. The UK also offers guidance for schools, listing seven principles for data processing, including purpose limitation.^[48] It asks schools to handle special category data (health or biometric data) with heightened scrutiny.

A consistent theme in the EU’s and the UK’s guidance is that schools must remain the “data controller” and make sure that processors or vendors abide by data-protection obligations.^[49] Schools must also ensure that third-party arrangements are documented, from privacy notices and data-sharing agreements to results of vendor audits. This is especially relevant in India where many schools use vendor services, often without strong oversight.

Another relevant aspect is the emphasis on transparent, child-friendly privacy notices to students and parents on usage and sharing of their data. While the DPDP Act has provisions for verifiable parental consent for minors, it could include measures such as learner data privacy notice templates, requirement to explain data tracking in a youth-friendly language and manner.

The UK/EU guidance also emphasises embedding a data-protection culture in educational institutions through staff training, documented policies, regular audits, and breach-response protocol. Such structured and sector-specific programmes are absent in India. Adapting these to Indian regulatory rules, sector guidelines, and school operational practices will help ensure that learner data protection is not just legislated but implemented as well.

A Framework for Responsible EdTech Governance in India

This section outlines five actionable areas for a framework for responsible EdTech governance, tailored to India’s unique social, educational, and technological contexts.

Establish a Three-Layered Governance Model

A governance architecture that integrates legal, institutional, and technological layers rather than relying solely on statutory compliance through the Data Protection Board of India (DPBI), will enhance the regulatory ecosystem (see Table 2).

Table 2: A Three-Layered Governance Model

Layer	Bodies	Role
Legal	MoE, MeitY, DPBI	Provide specific guidelines, including clear procurement standards for EdTech vendors, mandatory data protection impact assessments for new platforms, and rules for algorithmic transparency in learning analytics.
Institutional	State Councils of Educational Research and Training (SCERTs), school data protection committees	Monitor compliance, approve new digital tools after risk assessments, and offer to ensure contextual oversight of regulations.
Technological	EdTech providers, consortiums	Adopt guidelines, further  privacy-enhancing technologies (PETs), encrypted storage, and anonymisation of student identifiers, which can drastically reduce breach risks.

At the regulatory layer, the MoE and the MeitY should jointly formulate a National EdTech Data Protection guideline as a sector-specific extension of the DPDP Act. This would define the legal basis for processing learner data, set consent standards for minors, classify sensitive data, establish retention schedules, and audit protocols, thus aligning education policy with digital governance norms.

At the institutional layer, SCERTs  and district/school data protection committees should form an internal Data Governance Council that can ensure monitoring compliance, approve new digital tools after conducting risk assessments, and coordinate with the  DPBI. Councils could function like institutional ethics committees, ensuring contextual oversight rather than overarching regulations.

At the technological layer, EdTech companies, vendors, and their consortiums should adopt PETs, such as encryption and anonymisation of student identifiers, to minimise breach risks. The DPBI could support this process by issuing sector-specific guidance for EdTech and recommending adoption-ready templates, open-source tools and standard protocols that help schools, start-ups and other non-technical teams meet baseline expectations on privacy, security, transparency and interoperability. For example, the DPBI could provide a standard child-data privacy notice, a parental-consent template, a school–vendor data-sharing agreement, a breach-reporting checklist, and open-source code modules for consent logs, role-based access, data-retention alerts, and audit trails. A small school or EdTech start-up would then not need to design privacy systems from scratch. It could adopt these tested templates and tools, while still customising them for its product or institutional context.

Together, these three layers can ensure that governance is not confined to law but distributed across the ecosystem and implemented in practice.

Strengthen Institutional Coordination through the National Educational Technology Forum (NETF)

There are multiple stakeholders with overlapping responsibilities in the Indian EdTech space, cutting across ministries, agencies, institutions, and private actors. The National Educational Technology Forum (NETF) should therefore evolve from an advisor to a policy interface that links the MoE, MeitY, DPBI, and state governments, and functions as the nodal coordination platform for digital education governance. It can be responsible for:

1. aligning standards for privacy, interoperability, and accessibility across central and state initiatives;
2. issuing guidance documents and model templates for consent management, vendor contracts, and data-protection audits; and
3. maintaining a national repository of anonymised learning datasets, privacy-preserving research tools, and DPDP Act-compliant EdTech solutions.

The NETF should also organise consultations, workshops, and policy roundtables to explore field-level issues and bring together SCERTs, Central Board of Secondary Education (CBSE), EdTech, and teacher associations for local adaptation of national standards. It can also convene a Community of Practice for data-protection officers and educators to share insights.

Implement Capacity-Building and Awareness Initiatives for Teachers, Parents, and Learners

Effective governance requires systematic, multi-stakeholder programmes to build awareness and capacity to exercise informed consent and fully understand their implications for children’s rights and safety.^[50] To this end, three measures can be undertaken:

Nationwide teacher-training programmes should integrate digital pedagogy, data privacy, and ethical use of technology. These modules should be added into the National Initiative for School Heads' and Teachers' Holistic Advancement (NISHTHA) and PM e-VIDYA platforms.^[51],[52] NCERT and SCERTs can partner with EdTech firms to deliver bilingual micro-courses on topics such as password management, secure content sharing, and consent collection. Certification courses on responsible data handling and cyber-safety can be made mandatory for school principals.^[53] This will enable teachers to ensure that classroom technology use complies with the DPDP Act and school-level data protocols.

Parents and communities should evolve from passive consent-givers to active stakeholders.^[54] A nationwide Digital Parenting Awareness Campaign can be undertaken by State Education Departments, modelled on literacy and health-awareness drives. Short vernacular infographics; radio segments on learner data rights, safe app use, and reporting cyber incidents; and data literacy sessions during parent–teacher and community meetings will add to their awareness.

It is essential to ensure equity and inclusion in learner data protection. Children from marginalised, rural, and low-income backgrounds are often at highest risk as they use shared or public devices, have limited digital literacy, and enrol on EdTech platforms without full parental understanding or informed consent. Inclusive, multilingual, low-literacy-friendly consent mechanisms using visual cues or audio narration can be developed for them.

Additionally, adoption of a graded consent system for adolescents aged 13–18 years, such as in the GDPR, would work better than the blanket 18-year threshold, as it would recognise the evolving capacities of older children, preventing over-regulation while still safeguarding younger minors.

Enhance the DPBI’s Accessibility and Responsiveness

The DPBI should function as an accessible, user-friendly, and responsive grievance redressal authority, similar to consumer forums. It should include the following facilities:

• complaint filing through multiple channels, such as online portals, mobile apps, and in person.
• Simple procedures with step-by-step guidance.
• Zero or minimal fees for filing complaints to ensure that economic barriers do not prevent redress.
• Legal representation to be optional so as to allow individuals and small institutions to engage directly with the DPBI.
• Clear timelines for acknowledgment, investigation, and resolution of complaints, with status tracking facility and regular updates.

Making the DPBI approachable and accessible will increase trust in the regulatory system, improve compliance, and help learner data protection become stronger.

Improve Institutional Readiness and Capacity

Schools and universities require resources to implement data protection measures securely and equitably. Institutional readiness should be treated as a budgeted policy objective and can be achieved by:

1. Allocating a fixed percentage of Samagra Shiksha^[e] and higher-education digital grants for data protection infrastructure—secure servers, updated antivirus systems, and encrypted networks.
2. Establishing regional data protection helpdesks to assist schools with compliance, breach response, and EdTech procurement due diligence. These helpdesks can support schools in reviewing and assessing the compliance of an EdTech product, and assist them with breach response. This is important because many schools may lack the technical and legal capacity to assess vendor claims before adopting digital tools.
3. Encouraging ‘hub-and-spoke’ models in smaller schools or those located in rural areas. In this model, a district-level institution or well-equipped government school can act as a ‘hub,’ while nearby schools can function as ‘spokes.’ The hub can provide training, model checklists, vendor-review templates, cyber-safety sessions, and first-level guidance on learner-data protection to support the spokes. This model can allow smaller schools to access shared expertise instead of trying to build specialised capacity individually.
4. Developing a data-management checklist (can be a joint exercise by the MoE and MeitY) that specifies minimum standards for consent, controlling access, and framing vendor contracts, among others.

Conclusion

India’s need for responsible EdTech governance is both urgent and complex. The rapidly evolving digital learning landscape requires  fostering innovation while protecting learner rights and advancing educational equity. While the DPDP Act, 2023, provides a useful foundation, it needs to be backed by sector-specific standards, regulatory coordination, institutional readiness, and stakeholder capacity  for understanding consent, assessing data practices, ensuring vendor accountability, and protecting children’s rights in everyday EdTech use. Crafting such a framework will involve continuous dialogue, evidence-based policymaking, and an inclusive governance ethos that centres learners.

By adopting these comprehensive, coordinated measures, India can build a robust and trustworthy EdTech ecosystem that will support learners while safeguarding their fundamental privacy and dignity, and therefore fulfil the vision of equitable and quality digital education for all.

---

Arpan Tulsyan is Senior Fellow with the Centre for New Economic Diplomacy, Observer Research Foundation.

The author acknowledges the use of ChatGPT 5.2 to generate a draft outline for this paper. Grammarly was used for language refinements prior to submission. 

---

All views expressed in this publication are solely those of the author, and do not represent the Observer Research Foundation, either in its entirety or its officials and personnel.

Endnotes

^[a] While educational technology has its roots in radio, film, and computer-assisted instruction, EdTech in its contemporary sense emerged with the spread of the internet in the late 1990s and early 2000s. In India, it became a visible sector from the late 2000s, before expanding rapidly post the COVID-19 disruption with the availability of cheap mobile internet plans.

^[b] Click patterns are generated through a learner’s interaction with a digital platform, comprising what links they open, what they skip, repeat, pause, attempt, or abandon. These traces can help platforms infer engagement, learning pace, areas of difficulty, and patterns of persistence or disengagement.

^[c] Deepfakes are AI-generated or AI-manipulated audiovisual content that can make individuals appear to say or do things they never actually said or did. They raise serious concerns for education, media literacy, consent, privacy, misinformation, and trust in digital evidence.

^[d] Institutionally, MeitY leads national data-protection policy and will anchor DPDP enforcement, while the MoE, with the Central Board of Secondary Education (CBSE), NCERT, and state boards, governs the curriculum and platform operations.

^[e] Samagra Shiksha is a centrally sponsored scheme of the Department of School Education and Literacy, Ministry of Education, Government of India, focusing on quality and inclusive school education. This programme merges three erstwhile schemes: Sarva Shiksha Abhiyan (SSA), Rashtriya Madhyamik Shiksha Abhiyan (RMSA), and Teacher Education.

^[1] Ken Ip, “The Rise of EdTech: Transforming Education through Entrepreneurial Ventures,” Advances in Online Education: A Peer-Reviewed Journal 3, no. 2 (2024): 177–193, https://www.researchgate.net/publication/386446123_The_rise_of_EdTech_Transforming_education_through_entrepreneurial_ventures.

^[2] Sudipta Chakraborty, “The Rise of EdTech Startups in India: Growth, Challenges, and Future Prospects in Post-Pandemic Education,” International Journal of Advanced Research in Ideas and Innovations in Technology, vol. 11, no. 2 (2025): 5–16, https://ijariie.com/AdminUploadPdf/The_Rise_of_EdTech_Startups_in_India__Growth__Challenges__and_Future_Prospects_in_Post_Pandemic_Education_ijariie25857.pdf.

^[3] UNESCO, Minding the Data: Protecting Learners’ Privacy and Security (Paris: UNESCO, 2022), https://unesdoc.unesco.org/ark:/48223/pf0000381494.

^[4] UNESCO, Minding the Data.

^[5]Edwin Ohiorenuan Imohimi, “Building Privacy and Preserving AI Models for Secure Student Data Management in Educational Technology Platforms,” Journal of Intelligent Learning Systems and Applications 17, no. 3 (August 2025): 149–171, https://www.scirp.org/journal/paperinformation?paperid=144570.

^[6] UNICEF Office of Research – Innocenti, International WG on Digital Education, and Ministry of Foreign Affairs of Finland, Data Governance in Education Technology: Policy Recommendations (Florence: UNICEF Office of Research – Innocenti, 2025), https://www.unicef.org/innocenti/media/11621/file/UNICEF-Innocenti-Data-Governance-Education-Technology-Policy_Recommendations-2025.pdf.

^[7] Inc42 Media, Inside India’s $29 Bn+ EdTech Opportunity: Decoding Market Landscape & Trends Report 2023 (Bengaluru: Inc42 Media, 2023), https://inc42.com/reports/inside-indias-29-bn-EdTech-opportunity-decoding-market-landscape-trends-report-2023/.

^[8] Inc42 Media, Inside India’s $29 Bn+ EdTech Opportunity.

^[9] Inc42 Media, Inside India’s $29 Bn+ EdTech Opportunity.

^[10] IMARC Group, India EdTech Market: Industry Trends, Share, Size, Growth, Opportunity and Forecast by Sector, Type, Deployment Mode, End User, and Region, 2026-2034 (IMARC Group, 2025), https://www.imarcgroup.com/india-edtech-market/toc.

^[11] IMARC Group, India EdTech Market.

^[12] LeadSquared, Impact Study of EdTech in India: Driving Innovation & Creating Opportunities (New Delhi: Higher Education Plus/LeadSquared, January 2025), https://highereducationplus.com/wp-content/uploads/2025/01/EdTech_Assessment_Report_.pdf.

^[13] Ministry of Information & Broadcasting, Government of India, https://www.pib.gov.in/PressReleaseIframePage.aspx?PRID=1876553.

^[14] Statista, “India: Time Spent on Education Apps by Sub-genre,” Statista, https://www.statista.com/statistics/1407017/india-time-spent-on-education-apps-by-subgenre/.

^[15]  LeadSquared, Impact Study of EdTech in India.

^[16]Hernandez-de-Menendez, M.R. Morales-Menendez, C.A. Escobar , “Biometric Applications in Education,” International Journal of Interactive Design and Manufacturing 15 (2021): 365–380,  https://link.springer.com/article/10.1007/s12008-021-00760-6.

^[17] Hernández-de-Menéndez, M.R. Morales-Menendez, C.A. Escobar, and R.A. Ramírez Mendoza, “Learning Analytics: State of the Art,” International Journal of Interactive Design and Manufacturing 16, no. 3 (2022): 1209–1230, https://pmc.ncbi.nlm.nih.gov/articles/PMC9206225/.

^[18] John T. Avella et al., “Learning Analytics Methods, Benefits, and Challenges in Higher Education: A Systematic Literature Review,” Online Learning 20, no. 2 (2016): 13–29, https://files.eric.ed.gov/fulltext/EJ1105911.pdf.

^[19] Qinyi Liu and Mohammad Khalil, “Understanding Privacy and Data Protection Issues in Learning Analytics Using a Systematic Review,” British Journal of Educational Technology 54, no. 6 (2023): 1715–1747, https://www.researchgate.net/publication/373927925_Understanding_privacy_and_data_protection_issues_in_learning_analytics_using_a_systematic_review.

^[20]Daniel J. Solove, “A Taxonomy of Privacy,” University of Pennsylvania Law Review 154, no. 3 (2006): 477–564, https://scholarship.law.upenn.edu/penn_law_review/vol154/iss3/1/.

^[21] Solove, “A Taxonomy of Privacy.”

^[22] Solove, “A Taxonomy of Privacy.”

^[23] Solove, “A Taxonomy of Privacy.”

^[24] Sanjog Mahendra Lokhande et al., “Cyber Security in Education,” International Research Journal of Engineering and Technology 11, no. 6 (June 2024), https://www.irjet.net/archives/V11/i6/IRJET-V11I687.pdf.

^[25] Anandi Chandrashekhar, “Unacademy Database of 22 Million Users Hacked, Information Put Up for Sale,” Economic Times, May 8, 2020, https://economictimes.indiatimes.com/small-biz/startups/newsbuzz/unacademy-database-of-22-million-users-hacked-up-for-sale/articleshow/75594089.cms.

^[26] Aman Rawat, “Exclusive: Edtech Startup Leaks Data of Over 50K School Children, Govt Officials,” Inc42, March 14, 2020, https://inc42.com/buzz/exclusive-edtech-startup-leaks-data-of-over-50k-indian-children/.

^[27] Abhik Sengupta, “Flaw in Diksha App Exposed Data of Nearly 6 Lakh Students, Report Claims,” India Today, January 27, 2023, https://www.indiatoday.in/technology/news/story/flaw-govt-diksha-app-exposed-data-6-lakh-students-report-claims-2327237-2023-01-27.

^[28] UNICEF Innocenti, Data Governance for EdTech.

^[29] UNESCO, Global Education Monitoring Report Summary 2023: Technology in Education: A Tool on Whose Terms? (Paris: UNESCO, 2023), https://www.unesco.org/gem-report/sites/default/files/medias/fichiers/2023/07/Summary_v5.pdf.

^[30]  Government of India, Digital Personal Data Protection Act, 2023 (New Delhi: Government of India, 2023), https://www.meity.gov.in/static/uploads/2024/06/2bf1f0e9f04e6fb4f8fef35e82c42aa5.pdf.

^[31] Ministry of Electronics and Information Technology (MeitY), Government of India, https://static.pib.gov.in/WriteReadData/specificdocs/documents/2025/nov/doc20251117695301.pdf.

^[32] Shweta Venkatesan, Meghna Bal, and Vikash Gautam, “An Empirical Appraisal of the Children’s Data Privacy Provisions in the DPDPA,” Esya Centre, September 2025, https://wolf-plantain-w7wa.squarespace.com/s/An-Empirical-Appraisal-of-the-Childrens-Data-Privacy-Provisions-in-the-DPDPA-1.pdf.

^[33] “Unacceptable Dilution of Right to Information,” Economic and Political Weekly, April 26, 2025,  https://www.epw.in/journal/2025/16/editorials/unacceptable-dilution-right-information.html.

^[34] Salik Khan, “Parents Don’t Always Know Best: The Problem with Gatekeeping Children’s Internet Access,” Scroll.in, January 15, 2025, https://scroll.in/article/1077690/parents-dont-always-know-best-the-problem-with-gatekeeping-childrens-internet-access.

^[35] Tech Desk, “Parents Worried About Privacy of Children Attending School Online, Shows Google Survey,” Indian Express, February 9, 2021, https://indianexpress.com/article/technology/tech-news-technology/parents-worried-about-privacy-and-security-of-children-attending-school-online-google-survey-7181219/.

^[36] Central Square Foundation, BaSE Report: Bharat Survey for EdTech 2025 (New Delhi: Central Square Foundation, 2026), https://www.edtechbase.centralsquarefoundation.org/BaSE%20Report%202025.pdf.

^[37] Vasudha Mukherjee, “Social Media Platforms Worry New Data Law Could Affect Child Safety, Ads,” Business Standard, July 4, 2024, https://www.business-standard.com/industry/news/social-media-platforms-worry-new-data-law-could-affect-child-safety-ads-124070400673_1.html.

^[38] Ministry of Electronics and Information Technology, Government of India, Draft Digital Personal Data Protection Rules, 2025 (New Delhi: Government of India, January 3, 2025), https://dpdpa.com/dpdprulesofficial.pdf.

^[39]Venkatesan, Bal, and Gautam, An Empirical Appraisal of the Children’s Data Privacy Provisions in the DPDPA.

^[40] UNICEF Office of Research – Innocenti, Data Governance in Education Technology: Policy Recommendations

^[41] Venkatesan, Bal, and Gautam, An Empirical Appraisal of the Children’s Data Privacy Provisions in the DPDPA.

^[42] Information Commissioner’s Office, Age Appropriate Design: A Code of Practice for Online Services, https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/childrens-information/childrens-code-guidance-and-resources/

^[43] Ministry of Electronics and Information Technology, Government of India, Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021 (as amended), 6^th April, 2023, https://www.meity.gov.in/static/uploads/2024/02/Information-Technology-Intermediary-Guidelines-and-Digital-Media-Ethics-Code-Rules-2021-updated-06.04.2023-.pdf

^[44] PRS Legislative Research, “The Information Technology (Intermediary Guidelines and Digital Media Ethics Code) Rules, 2021, https://prsindia.org/billtrack/the-information-technology-intermediary-guidelines-and-digital-media-ethics-code-rules-2021

^[45]Government of India, National Data Governance Framework Policy (2022) https://mcrhrdi.gov.in/cio2022/presentations/law/National%20Data%20Governance%20Framework%20Policy_26%20May%202022.pdf

^[46] National Commission for Protection of Child Rights, Being Safe Online (New Delhi: NCPCR), 2017, https://ncpcr.gov.in/uploads/16613370496305fdd946c31_being-safe-online.pdf

^[47]European Parliament and Council of the European Union, Regulation (EU) 2016/679 on the Protection of Natural Persons with Regard to the Processing of Personal Data and on the Free Movement of Such Data, and Repealing Directive 95/46/EC (General Data Protection Regulation), Official Journal of the European Union, L 119, 4 May 2016, pp. 1–88  https://gdpr-info.eu/.

^[48] UK Government, “What Data Protection Means for Schools,” Data Protection in Schools (Guidance) (London: Department for Education, 2023), https://www.gov.uk/guidance/data-protection-in-schools/what-data-protection-means-for-schools.

^[49] DataGuard, “GDPR Compliance for Schools in the UK, UK Government, “What Data Protection Means for Schools,” Data Protection in Schools (Guidance) (London: Department for Education, 2023), https://www.dataguard.com/blog/gdpr-compliance-for-schools-in-the-uk.

^[50] United Nations Children’s Fund Regional Office for Europe and Central Asia, Data Protection in Schools: Guidance for Legislators, Policy Makers and Schools (Geneva: UNICEF Regional Office for Europe and Central Asia, 2024), https://www.unicef.org/eca/media/35876/file/Data%20protection%20in%20schools%20.pdf.

^[51] National Council of Educational Research and Training, “NISHTHA Training,” ITPD NCERT, https://itpd.ncert.gov.in/mod/page/view.php?id=32213.

^[52] Ministry of Human Resource Development, Government of India, “PM e-VIDYA,” https://pmevidya.education.gov.in/.

^[53] Central Institute of Educational Technology, National Council of Educational Research and Training, Cyber Safety for Schools (New Delhi: NCERT, n.d.), https://ciet.ncert.gov.in/storage/app/public/files/14/cyber-safety/Cyber_safety_for_schools_Eng.pdf.

^[54] Central Institute of Educational Technology, Cyber Safety and Security.

• Education
• India
• Children's data protection
• Data governance framework
• Data privacy in education
• Data security in education
• Digital education in India
• Digital learning ecosystem
• Digital Personal Data Protection Act
• EdTech governance
• Educational data governance
• Learner data protection

The views expressed above belong to the author(s). ORF research and analyses now available on Telegram! Click here to access our curated content — blogs, longforms and interviews.