A 16-year-old student in Kerala fills out a "Free IELTS Seminar" registration form at a local study centre. Within 48 hours, she receives calls from three loan providers, two overseas universities she never enquired about, and a coaching institute in another city. Her parents had no idea their daughter's name, phone number, academic scores, and financial background were already circulating across a commercial lead-sharing network.
This is not an isolated incident. For millions of Indian students, this is simply how the process works.
And the law is now catching up.
Before we talk compliance, it is important to understand what is actually at stake when a student's personal data enters an uncontrolled pipeline.
According to the NCRB Crime in India 2024 report, India registered 1,238 cases of cybercrimes against children under the Information Technology Act in a single year — and that is only what was reported. Critically, nearly 9 in 10 of those cybercrimes involved the transmission of sexually explicit content targeting children. Cybercrime cases in India crossed 1 lakh for the first time in 2024, with cybercrimes rising 17% even as overall crime declined.
When a student's name, phone number, date of birth, photograph, and location are collected through a seminar form or WhatsApp inquiry and passed through multiple unverified partners, each link in that chain is a potential point of exposure. Digital grooming, fake identities, blackmail, and misuse of private photographs are becoming increasingly common, with social media platforms, online gaming, and private chat applications making it easier for offenders to approach children. Criminals use fake identities to extract personal information from children. Sometimes advertisements on social media and gaming websites include malware links. In other cases, children and adolescents unwittingly share their personal information online, which is then misused to threaten and coerce them.
A student's phone number and profile shared carelessly by a consultant does not just result in spam calls. In the wrong hands, it can be the starting point of grooming, sextortion, or identity fraud. The data you collect is not just a marketing asset. It is a potential vector for harm to a real child.
This is the responsibility the Digital Personal Data Protection (DPDP) Act, 2023 and the DPDP Rules, 2025 are asking the education sector to take seriously.
The Act defines any organisation that collects and decides how to use personal data as a Data Fiduciary. Education consultants, study centres, coaching institutes, and overseas education firms all qualify — without exception.
For students under 18, the obligations are stricter. The Act defines a child as anyone under 18 years — broader than GDPR (16) or the US COPPA framework (13). Before processing any personal data of a minor, verifiable parental or guardian consent is mandatory, using approved methods such as DigiLocker-based identity verification. A student signing their own form does not satisfy this requirement.
Beyond parental consent, the law requires that consent be specific to the stated purpose. A student who registered for a free counselling session has not consented to being contacted by loan DSAs, insurance companies, or partner universities six months later. Behavioural profiling and targeted advertising directed at children are explicitly prohibited.
The burden of proving valid consent lies entirely on the organisation that collected the data.
This is a legitimate concern, and the DPDP Act does not prohibit data sharing with partners. What it does is regulate how that sharing happens. The good news is that compliant data sharing is entirely workable — it simply requires structure.
Here is how to do it right:
Under DPDP, entities you share data with are either Data Processors (they act on your instructions) or independent Data Fiduciaries (they determine their own purpose). A university you refer students to is likely an independent fiduciary. A CRM vendor storing your leads is a processor. This distinction determines your contractual obligations.
The DPDP Act keeps the Data Fiduciary fully accountable for what processors do with the data. Every vendor — cloud storage, analytics tools, loan referral partners, university agents — must have a signed agreement that binds them to the same data protection standards you follow. Due diligence on third-party vendors with access to personal data, checking their DPDP compliance, is a non-negotiable first step. Proper Third-Party Risk Management reduces risks from external partners and ensures data protection standards are maintained.
If your intake form mentions that a student's data may be shared with "partner universities, loan providers, and affiliated agents for counselling purposes," and the student (or their parent, if under 18) affirmatively agrees, that sharing is lawful. What is not lawful is a hidden clause in fine print, or using data for purposes never disclosed at the point of collection. Sharing student data with advertisers, sponsors, or affiliates, directly or indirectly, poses severe legal and reputational risks, even where anonymisation is claimed.
From November 13, 2026, the Consent Manager Framework becomes operational. Organisations will be able to register with the Data Protection Board as third-party intermediaries to manage user consent and permissions systematically across partner platforms. Forward-thinking consultants should begin building consent infrastructure now so they are ready to plug into this framework seamlessly.
If a student did not enrol, their data should not sit in your CRM for years being recycled to other campaigns. Define retention timelines and honour them — and require the same from every partner you shared that data with.
Non-compliance is not a theoretical risk. The penalty schedule under the DPDP Act is structured to compel action:
* INR 250 crore for failure to maintain reasonable security safeguards
* INR 200 crore for violations specifically relating to children's personal data
* INR 200 crore for failure to notify a data breach to the Data Protection Board
* Government may order blocking of non-compliant platforms in extreme cases
For an industry built on the trust of students and parents making life-altering decisions, a regulatory action or a publicised data breach is not just financial exposure. It is a reputational collapse that no marketing budget can repair.
The deadline for full enforcement is May 13, 2027 — but the preparation must begin now. Data mapping, consent redesign, vendor contracts, and parental verification workflows all take time to build correctly.
The consultants who move early will not just avoid penalties. They will be the ones parents actively seek out — the firms that can point to a transparent privacy policy, a clean consent trail, and a demonstrated commitment to protecting the students in their care.
India's students deserve to chase their ambitions without their personal data being treated as a commodity. Education consultants — the very professionals trusted to guide those ambitions — are now legally and ethically responsible for making that happen.
The DPDP framework is not a threat to your business model. It is the foundation on which a more credible, trustworthy, and sustainable one can be built.