Your Child's Data Has Rights — Does Your EdTech Platform Know That?
On August 11, 2023, the Government of India passed the Digital Personal Data Protection Act 2023 — India's first comprehensive data privacy legislation. For parents of school-age children using digital educational platforms, this law creates rights you did not previously have — and responsibilities you should hold educational technology companies to.
What the DPDP Act Says About Children's Data
The DPDP Act provides specific, heightened protection for children's personal data. Under the Act, a "child" is any person under the age of 18. Organisations that collect or process children's data must: obtain verifiable parental or guardian consent before collecting any personal data from a child; not perform tracking or behavioural monitoring of children for advertising purposes; not target children with advertisements based on their personal data or online behaviour; ensure that all content accessible to children through their platform is age-appropriate; and implement age-gating measures — systems designed to verify that users claiming to be adults are not actually children. These are not aspirational guidelines — they are legal obligations with enforcement mechanisms. The Digital Personal Data Protection Board of India has authority to investigate complaints, order remediation, and impose financial penalties on organisations that violate these provisions.
Your Rights as a Parent Under the DPDP Act
As a parent or guardian of a child under 18, the DPDP Act grants you specific rights over your child's personal data held by any organisation. The right to information means you can ask any organisation exactly what personal data they hold about your child, how it was collected, what it is being used for, and who has access to it. The right to correction and erasure means you can request that any incorrect data about your child be corrected, and that any or all data about your child be erased. An organisation must comply with a valid erasure request within 30 days unless there is a specific legal reason to retain the data.
The European Union's GDPR is widely considered the global gold standard for data privacy legislation. The DPDP Act 2023 is broadly comparable in its core provisions — both establish rights to information, correction, and erasure; both impose consent requirements; both provide specific protections for children. The key difference is that GDPR applies to any organisation processing the data of EU residents regardless of where the organisation is based, while DPDP Act 2023 applies to organisations processing the data of Indian residents. Indian families living in the UAE, UK, Singapore, or other countries may be covered by both — and choosing EdTech platforms that comply with both DPDP and GDPR provides the highest level of protection for their child's data.
The Five Questions Every Parent Must Ask Before Their Child Uses Any EdTech AI
These five questions, asked directly of any EdTech platform you are considering, will tell you within minutes whether the platform has genuinely thought about data protection or is simply using privacy language as a marketing tool.
Question 1: What specific verifiable consent mechanism do you use to confirm that a user claiming to be a parent or guardian is actually an adult? Vague answers about "checking the box at registration" are not verifiable parental consent under the DPDP Act.
Question 2: Do you process my child's personal data for any purpose beyond providing the educational service I have contracted? This includes sharing data with third-party advertising networks, using behavioural data to train AI models, or selling anonymised data to research organisations.
Question 3: If I submit a request to erase all personal data about my child, how long will it take, what will be erased, and what — if anything — will be retained and under what legal basis? Legitimate platforms will have a clear, documented data erasure process with specific timeframes.
Question 4: Who within your organisation has access to my child's personal data, and what authorisation controls determine that access? Educational data about children should be accessible only to personnel with a specific, defined need.
Question 5: Do you have a designated Data Protection Officer as required under DPDP Act, and how do I contact them? A company that cannot provide this contact information has a compliance gap.
Khypri AI answers all five of these questions clearly, positively, and with specifics. We are fully DPDP Act 2023 and GDPR compliant. Your child's data is used only to improve their learning — never for advertising, never sold, never shared without consent. Try Khypri AI free today.