
How Schools Breach Children's Data Privacy and What the DPDP Act Requires

Schools posting children's photos and achievements online without verifiable parental consent may violate the DPDP Act. Legal risks, real-world harm cases, and a practical compliance checklist for schools, coaching centres, and edtech.

Written by Sanket Sharma · Former Advocate, Supreme Court of India · ComplyDP Co-Founder

Last updated: 28 June 2026 · ComplyDP Legal Guide

Annual-day photos, trophy ceremonies, and classroom snapshots have become routine content on school websites and social media feeds. Yet many of these posts go live without verifiable parental consent, potentially violating the Digital Personal Data Protection (DPDP) Act, 2023 and exposing minors to privacy breaches, online abuse, and regulatory action.

Why school social posts are a DPDP compliance problem

Under the DPDP Act, anyone below 18 is a child. Processing a child's digital personal data, including photographs, videos, names, academic results, and location metadata embedded in images, requires verifiable consent from a parent or lawful guardian before collection or use. A vague line buried in an admission form ("the school may use photographs for publicity") rarely meets that standard. Consent must be specific, informed, and tied to defined purposes such as internal records, yearbooks, or external marketing.

Schools, coaching centres, edtech platforms, hospitals treating minors, and employers running internship programmes all fall within the Act's scope. The obligation is not limited to online platforms; it applies wherever digital personal data is processed.

What the DPDP Act requires for children's data

Section 9 of the DPDP Act and Rule 7 of the 2025 Rules impose heightened safeguards for children:

- Verifiable parental or guardian consent before processing a child's personal data.
- No behavioural tracking or targeted advertising directed at children.
- No processing likely to cause a detrimental effect on a child's well-being.
- Standard Data Fiduciary duties still apply: privacy notices, purpose limitation, security safeguards, retention limits, grievance redress, and Data Principal rights including erasure.

For schools, this means every photo upload, results announcement, biometric attendance system, and learning-app integration must be mapped to a lawful basis, with parental consent documented and retrievable for audit.

How widespread is non-compliance?

Industry observers estimate that only about 30–35% of schools take children's data privacy seriously. Even among those that do, many rely on blanket admission-form permissions that do not specify commercial use, third-party sharing, or social media publication. Coaching institutes and edtech startups, often processing far more granular behavioural data, frequently lag further behind.

When celebration posts become harm: a real case

The risks are not theoretical. When a Uttar Pradesh student topped her Class X board examinations in 2024, her school's celebratory social media posts drew strangers who mocked her appearance, created memes, and subjected her to sustained online trolling. She later told reporters that no consent was obtained before her academic achievement was publicised. The incident illustrates how a well-intentioned post can spiral into reputational harm, psychological distress, and a potential DPDP violation when consent and purpose are undefined.

Six common breach patterns in schools

- Posting identifiable photos and videos on Instagram, Facebook, or YouTube without opt-in parental consent for each channel.
- Publishing rank lists, merit certificates, or exam results with full names on public websites.
- Sharing student data with edtech vendors, transport apps, or event photographers without Data Processing Agreements.
- Using CCTV or AI attendance systems that capture biometric data without notice and consent workflows.
- Retaining alumni and student records indefinitely without a defined retention schedule.
- Operating mobile apps or LMS platforms that track usage behaviour without age-gating and guardian verification.

Global momentum and India's patchy response

Governments worldwide are tightening child online protections as risks extend beyond cyberbullying to grooming, harmful content, scams, and misuse of children's digital identities. Australia passed a law requiring major social media platforms to prevent children under 16 from holding accounts. France and the UK have advanced measures to limit children's social media exposure. In India, Karnataka has proposed restrictions on social media access for under-16s. Yet day-to-day compliance by schools and education providers remains inconsistent, leaving many children exposed.

What schools, coaching centres, and edtech must do now

- Audit every touchpoint where children's digital personal data is collected, stored, or shared, including websites, apps, CCTV, biometric systems, and vendor integrations.
- Replace blanket admission clauses with purpose-specific consent forms covering photography, social media, third-party sharing, and biometric processing.
- Implement verifiable parental consent: OTP to a registered guardian number, signed digital forms with audit trails, or other methods proportionate to risk, not a checkbox claiming the student is over 18.
- Publish child-specific privacy notices in plain language, separate from general school policies.
- Create a photo and media policy: define who may capture images, which platforms are approved, and how parents opt in or out per event.
- Execute Data Processing Agreements with every vendor that handles student data.
- Train staff annually on DPDP obligations, social media boundaries, and incident reporting.
- Establish a grievance channel and a process for parental access, correction, and erasure requests.
- Run a tabletop exercise for personal data breaches involving minors. Notification to the Data Protection Board and affected guardians must happen within 72 hours.

Penalties schools cannot ignore

Violations involving children's data can attract penalties up to ₹250 crore under Section 33 of the DPDP Act. The Data Protection Board of India will consider whether the organisation had reasonable safeguards, whether consent was verifiable, and how quickly incidents were reported. For schools dependent on reputation and trust, regulatory action is only one risk. The reputational damage from a public enforcement notice or a viral privacy failure can be worse.

How ComplyDP helps education providers

ComplyDP automates DPDP readiness for schools, coaching institutes, and edtech platforms, from scanning websites and cookie practices to generating child-specific consent templates, privacy notices, and vendor risk checklists. The platform maps data flows across digital properties and flags gaps against Section 9 requirements before they become headlines.

Start with a free readiness check

Run a free DPDP compliance scan at complydp.com/report to assess your website's notice, consent, and cookie practices. For deeper guidance on children's data templates, see the DPDP Compliance Template Pack including a ready-to-use Parental Consent form for Section 9 processing.

Frequently asked questions

Can schools post children's photos on social media under the DPDP Act?

Only with verifiable parental or guardian consent for that specific purpose and channel. Blanket admission-form permissions or implied consent from attendance do not meet the DPDP standard.

What is verifiable parental consent under DPDP?

Consent that can be demonstrated to a regulator, typically via OTP to a registered guardian, signed digital forms with audit trails, or other verification proportionate to the processing risk.

Do coaching institutes and edtech apps have the same obligations as schools?

Yes. Any entity processing digital personal data of children under 18 must obtain verifiable guardian consent, avoid behavioural tracking directed at children, and meet standard Data Fiduciary duties.

What penalties apply if a school breaches children's data privacy?

Penalties under the DPDP Act can reach ₹250 crore. Beyond fines, schools face reputational harm, grievance complaints, and mandatory breach notifications to the Data Protection Board and affected guardians.