Quick Facts
- DPDP Act schools rules require verifiable parental consent before processing any child data under 18.
- Schools posting student photos or videos without consent may breach the law and risk penalties.
- Penalties for breaches can reach Rs 250 Crore, so schools must review consent practices now.
In This Article
The DPDP Act schools framework now requires schools to obtain verifiable parental consent before they process any personal data of a child under 18, including photos and videos.
This rule flows from the Ministry of Electronics and Information Technology and the Digital Personal Data Protection Act, 2023. Schools, coaching centres, and EdTech firms count as Data Fiduciaries. They routinely post trophies, smiling faces, and achievements online, often without checking the law. The DPDP Rules, 2025 placed education squarely inside a national compliance framework.
Key Takeaways
- Any school or coaching centre that collects student data is a Data Fiduciary and must follow DPDP rules.
- Verifiable parental consent means real proof, not a tick box on an admission form or a quiet WhatsApp share.
- Most child data obligations become enforceable after an 18-month window, giving schools time to prepare seriously.
- Posting children’s photos for marketing or social media without consent is the most common, and most risky, breach.
CampusFeed Take
The quiet shift here is that a celebratory photo on a school page is now a legal act, not a feel-good gesture. The DPDP Act treats a child’s image as personal data, so an annual-day reel shared without consent carries the same weight as a leaked record. School owners and principals should watch this closest, because compliance readiness in India is uneven and small institutions carry the highest exposure. Expect the next 18 months to separate schools that build a clear consent system from those that keep posting first and apologising later. The smart move is a parent consent register before the enforcement window closes. By Soumya Verma.
Who do the DPDP Act schools rules apply to?
The DPDP Act applies to any entity that collects or processes personal data in digital form, which makes nearly every school a Data Fiduciary. Under the law, a child is any person who has not completed 18 years of age. This threshold is stricter than the United States COPPA standard of 13 and the European GDPR (General Data Protection Regulation) range of 13 to 16 years.
Schools, colleges, coaching centres, and EdTech (education technology) platforms all fall inside this scope. Each one handles student names, photographs, marks, attendance, and behaviour records every day. Before processing any of this child data, the school must obtain verifiable parental consent from a parent or lawful guardian, according to the DPDP Rules, 2025.
Key Rules and Penalties at a Glance
The DPDP Act sets out clear obligations for schools handling children’s data, paired with heavy penalties for breaches. The table below summarises the core rules.
| Rule Area | What the DPDP Act Requires |
|---|---|
| Consent | Verifiable parental consent before processing any child data under 18 (Section 9). |
| Photos and videos | A child’s image and voice are personal data, so posting needs prior consent. |
| Tracking ban | No behavioural monitoring, profiling, or targeted advertising aimed at children (Section 9). |
| Security | Reasonable safeguards to prevent unauthorised access or breaches (Section 8). |
| Data erasure | Erase personal data once its purpose is served, such as after a student leaves. |
| Penalty | Up to Rs 250 Crore for failure to protect personal data, per the DPDP Act schedule. |
The standout figure is the penalty: breaches involving children’s data sit among the most heavily fined categories under the DPDP Act, with exposure running into hundreds of crores.
About the DPDP Act, 2023
The Digital Personal Data Protection Act, 2023 is India’s first comprehensive data privacy law, enacted in August 2023 after six years of consultation. It is governed by the Ministry of Electronics and Information Technology and enforced through the Data Protection Board of India. The Act regulates how organisations collect, store, and share personal data, and gives every individual rights to know, correct, and erase their data. For children under 18, verifiable parental consent is mandatory before any processing.
How are schools handling child data today?
Many schools and EdTech platforms still rely on weak methods such as self-declared age, generic consent checkboxes, or a single line on the admission form. These approaches are unlikely to meet the verifiable consent standard set by the DPDP Rules, 2025. Common slip-ups include collecting unnecessary details on admission forms, sharing student data with photographers or vendors without consent, and using unsecured WhatsApp groups to circulate student information.
Most schools take the requirement lightly, and there is little clarity on the scope of the consent obtained.
That reading reflects a wider gap between awareness and action. A 2025 survey found that while many parents claimed awareness of risks like identity theft, fewer than half regularly adjusted privacy settings. The DPDP Act now shifts the duty firmly onto the school, not the parent, to prove that valid consent exists. You can read the full text on the official MeitY data protection portal.
What This Means For You
If you are a parent
You have the right to know what data your child’s school collects and why. You can refuse consent for non-essential uses, such as marketing photos, and you can ask the school to delete data when its purpose ends. If a school posts your child’s image without asking, you can raise a grievance with the school first and, later, the Data Protection Board.
Turn Your Achievements Into Stories That Students Actually Read
Feature admissions, placements, rankings, events, research initiatives, achievements, and institutional milestones before a highly engaged education-focused audience.
If you are a student
If you are under 18, the law treats your photos, name, and achievements as protected personal data. Your school cannot track your online behaviour, profile you, or target ads at you. When you turn 18, you gain direct control over your own data and can manage your consent yourself.
If you are a school principal or teacher
Start with a data audit: list what you collect, where it sits, and who can access it. Redesign consent forms so parents give clear, purpose-specific permission, especially for photos and videos. Move student information off unsecured WhatsApp groups and onto secure systems. Treat the 18-month window as preparation time, not a free pass.
If you run a college or university
Map every vendor and EdTech tool that touches student data and check each contract for DPDP alignment. Avoid bundled consents that mix attendance, marketing, and third-party sharing. Consider appointing a privacy officer now, even before any Significant Data Fiduciary designation makes one mandatory.
What Is Next
Schools should use the preparation window to build compliant consent systems before enforcement begins. Watch for these milestones:
- Publication of the final Fourth Schedule listing exempt classes of Data Fiduciaries.
- End of the 18-month window, after which most child data obligations become enforceable.
- Possible sector-specific guidance and audit templates for schools.
Has your child’s school ever asked for your consent before posting a photo online?
Frequently Asked Questions
Last updated: June 28, 2026 at 14:30 IST
Last verified: June 28, 2026
Disclaimer: This article is for general informational purposes only and is based on publicly available information at the time of publishing. Exam dates, cutoffs, fees, deadlines, eligibility criteria, and scholarship details can change without notice. Always verify the latest information from the official portal of the relevant body (MeitY, Data Protection Board of India) before taking any action. CampusFeed and its authors are not responsible for decisions made based on this article. This is not legal, financial, or career advice. Please consult a qualified professional for individual guidance.
Written by Soumya Verma. Published: June 28, 2026. Updated: June 28, 2026. Have a tip or correction? Write to us at editorial@campusfeed.in.