Key Takeaways
- Only 30-35% of Indian schools take child data privacy regulations seriously, according to education consultants
- India's DPDP Act 2023 classifies anyone under 18 as a child and mandates verifiable parental consent before processing their data
- A UP Class X topper faced online abuse after her school posted celebratory content without obtaining consent
Indian schools routinely post children's photographs on websites and social media without verifiable parental consent, violating the Digital Personal Data Protection Act 2023. According to education consultant Sharmishtha Gupta, only 30-35% of schools take these regulations seriously. The rest rely on vague blanket permissions that fail to specify how student images might be used commercially or publicly.
The consequences are not hypothetical. When a student topped her Class X board examinations in Uttar Pradesh in 2024, her school's celebratory posts triggered a cascade of online harassment. Strangers mocked her appearance, created memes, and subjected her to sustained trolling. "In my case, no consent was obtained before publicising my academic achievement," she told the Economic Times.
What does the DPDP Act require for child data privacy?
The DPDP Act 2023 governs how organizations collect, use, store, and share personal data. It sets a strict threshold: anyone below 18 is classified as a child, and processing their personal data requires verifiable parental consent. This applies broadly. Schools, coaching centers, edtech companies, hospitals, banks, and social media platforms all fall under its scope.
India's age threshold is notably higher than many global standards. The EU's GDPR allows member states to set the age of consent for data processing between 13 and 16. The US COPPA applies to children under 13. India's blanket 18-year threshold creates stricter obligations but also a larger compliance gap.
The law prohibits tracking, behavioral monitoring, and targeted advertising directed at children. For schools, this means annual day photos, trophy ceremonies, and classroom snapshots all require explicit, verifiable consent before they land on Instagram or the school website.
Why are schools failing at compliance?
Gupta, a former head of schools and independent consultant in Delhi NCR, points to a knowledge gap. Even schools that acknowledge the regulation often misunderstand its scope. They obtain blanket permissions at admission time and assume this covers everything from report cards to social media posts. It does not.
Verifiable consent means more than a signature on a form. It requires clarity about what data will be collected, how it will be used, and who will see it. A photo posted to celebrate a student's achievement is different from that same photo appearing in a promotional brochure or a paid advertisement.
Most schools lack the administrative infrastructure to track these distinctions. They have no data protection officer, no consent management system, and no protocol for removing content when a parent objects. The regulation exists, but the machinery to enforce it does not.
How do other countries handle children's online safety?
Australia passed a law in 2024 requiring major social media platforms to prevent children under 16 from having accounts, regardless of parental consent. The burden shifts entirely to platforms, not parents.
France and the UK have advanced similar measures to limit children's exposure to social media. Karnataka has proposed restricting social media access for those under 16, though this remains at the proposal stage.
The global trend is clear: governments are moving from protecting children's data to restricting their access to platforms altogether. India's DPDP Act takes a different approach, placing the onus on organizations to obtain consent rather than banning access outright. Whether this model works depends entirely on enforcement.
What are the real risks for students?
The UP topper's experience illustrates the immediate risk: online harassment that no one anticipated. But the longer-term concerns extend further. Children's digital footprints, created without their consent, follow them into adulthood. A photo posted when a child was seven years old remains searchable when they apply for jobs at 27.
The risks go beyond embarrassment. Grooming, identity theft, and location tracking all become possible when children's images and personal details circulate online. Schools celebrating achievements may inadvertently reveal which children are academically gifted, athletically talented, or simply present at a particular location on a particular day.
What should schools do now?
The compliance gap is not insurmountable. Schools need three things: a designated data protection officer, a clear consent management process, and a protocol for handling objections and removal requests.
- Replace blanket consent forms with specific, purpose-limited permissions
- Establish a clear process for parents to withdraw consent
- Audit existing online content for images posted without proper authorization
- Train staff on what constitutes verifiable consent under the DPDP Act
The cost of compliance is modest compared to the reputational and legal risk of a publicized violation. When a student's celebratory photo becomes the catalyst for harassment, the school's judgment comes under scrutiny. That scrutiny will only intensify as enforcement of the DPDP Act matures.
Logicity's Take
Schools face a compliance problem that edtech platforms solved years ago. Consent management platforms like OneTrust, TrustArc, and India-based Securiti.ai offer tools for tracking permissions and managing data subject requests. Enterprise pricing typically starts at $10,000 annually, but education-focused solutions from providers like Lightspeed Systems and Securly offer more affordable options. The real barrier is not cost but awareness. Most school administrators do not know these tools exist, and most school boards have not budgeted for data compliance. That will change after the first high-profile DPDP enforcement action against an educational institution.
Frequently Asked Questions
What age does India's DPDP Act consider a child?
The DPDP Act 2023 classifies anyone below 18 years old as a child, requiring verifiable parental consent before processing their personal data.
Do schools need consent to post student photos on social media?
Yes. Under the DPDP Act, schools must obtain verifiable parental consent before posting any personal data, including photographs, on websites or social media platforms.
What happens if schools violate child data privacy rules?
Schools can face legal action under the DPDP Act for processing children's data without proper consent. Violations may result in penalties and reputational damage.
Is a blanket consent form at admission sufficient?
Generally no. Verifiable consent requires clarity about specific uses. A blanket form that does not specify commercial use, publicity, or social media posting may not meet DPDP requirements.
How can parents protect their children's data at school?
Parents should request the school's data protection policy, ask specifically how photos will be used, and formally withdraw consent in writing if they object to online posting.
Need Help Implementing This?
If you're an education administrator navigating DPDP compliance, or a parent concerned about your child's data, reach out to Logicity for guidance on data protection frameworks and compliance tools suited to educational institutions.
Source: Tech-Economic Times / ET
Huma Shazia
Senior AI & Tech Writer
Produced with AI assistance and reviewed by the Logicity editorial team. Learn more in our Editorial Policy.
