The Hidden Dangers of Using Free EdTech Platforms: A Data Privacy Crisis in Indian Classrooms

Mohd Aasif Ahmad

Content Writer


  • This article explores the hidden dangers of these platforms, examines India’s DPDP Act, and highlights the urgent need for safer digital practices in schools across the country.
  • The rise of free EdTech platforms in Indian classrooms has revolutionized learning, but it has also brought a hidden threat to student data privacy. While these tools offer easy access and convenience, many collect, store, and share sensitive student information without proper safeguards. With growing digital dependence in education, concerns over data misuse are escalating.

1. The Rise of Free EdTech in India

India's educational landscape has witnessed a significant shift towards digital learning, especially in the wake of the COVID-19 pandemic. Free Educational Technology (EdTech) platforms have become increasingly popular due to their accessibility and cost-effectiveness. These platforms offer a range of services, from interactive lessons to virtual classrooms, making education more accessible to students across various socio-economic backgrounds.

The Allure of Cost-Free Solutions

For many schools, particularly those in underfunded regions, free EdTech tools present an attractive solution. They eliminate the need for expensive infrastructure and provide immediate access to educational resources. Teachers can easily integrate these tools into their curricula, enhancing the learning experience without incurring additional costs.

Underlying Privacy Concerns

However, the adoption of these free platforms is not without its challenges. Many of these tools collect extensive data from users, including personal information, learning behaviors, and even location data. This data collection often occurs without explicit consent from students or their guardians, raising significant privacy concerns.

2. The DPDP Act: What Rules Apply to EdTech Companies

Overview of the DPDP Act

The Digital Personal Data Protection (DPDP) Act, 2023, is a significant legislative step in India aimed at safeguarding individuals' personal data. It establishes a framework for data processing, emphasizing consent, purpose limitation, and data minimization.

Applicability to EdTech Platforms

Under the DPDP Act, EdTech companies are considered data fiduciaries, meaning they are responsible for collecting, storing, and processing personal data in compliance with the law. Key obligations include:

  • Obtaining Consent: Prior consent must be acquired before collecting personal data.
  • Data Minimization: Only necessary data should be collected for specified purposes.
  • Purpose Limitation: Data should be used solely for the purposes stated at the time of collection.
  • Security Measures: Adequate safeguards must be in place to protect data from breaches.

Special Provisions for Children

The Act includes specific provisions for processing children's data:

  • Parental Consent: For individuals under 18, verifiable parental or guardian consent is mandatory.
  • Prohibition of Harmful Processing: Data processing that could cause harm to children is strictly prohibited.

3. Data Sharing with Third Parties Without School Knowledge

  • Establish Clear Agreements: Schools should ensure that formal data processing agreements (DPAs) are in place with EdTech vendors. These agreements must specify how data will be used, stored, and whether it can be shared with third parties. Without these agreements, schools remain vulnerable to legal and ethical violations.
  • Regular Audits and Compliance Checks: Institutions must regularly audit their EdTech tools and vendors to ensure ongoing compliance with India's DPDP Act. Such checks help identify any unauthorized data sharing or changes in privacy policies that could affect student privacy.

The DPDP Act’s Role in Third-Party Sharing

The DPDP Act mandates that data fiduciaries (i.e., EdTech platforms) must not share personal data with third parties without the knowledge and explicit consent of the data principal (in this case, the student or guardian). It also requires that platforms be transparent about the purpose of such data sharing.

However, enforcement remains a challenge. Many platforms still use vague or buried clauses in their terms of service to justify data sharing. Educational institutions must take proactive steps to scrutinize these terms and ensure they align with the law.

4. Case Studies: Privacy Breaches via Free Tools

1. ClassDojo’s Tracking Controversy

In 2022, a study by the Centre for Internet and Society (CIS) in India highlighted concerns regarding ClassDojo, a popular free EdTech tool used in many Indian classrooms. While marketed as a behavior management app, researchers found that ClassDojo stored detailed behavioral and emotional data about students. This included records of attentiveness, behavior reports, and emotional states. None of this data collection was clearly disclosed to parents, nor was it governed by Indian data laws at the time.

2. Google Classroom and Location Data

Although widely used in government and private schools during the COVID-19 lockdowns, Google Classroom raised red flags when reports emerged that the app collected user location and device information, even when these weren’t needed for core educational functions. Though Google later updated its policies, this incident revealed how global platforms operating in India weren’t necessarily aligning with local privacy expectations.

3. BYJU’S and Targeted Advertising

In 2021, BYJU’S, one of India’s leading EdTech giants, faced backlash for allegedly using student data to push aggressive marketing through WhatsApp, SMS, and phone calls. Parents claimed they were being approached for course packages based on their children’s activity within the app. Though BYJU’S denied unethical practices, the incident revealed the lack of a clear framework on student data usage in India at the time.

5. Safer Alternatives and Best Practices for Schools

Choose Indian-Compliant EdTech Solutions

Opt for tools and platforms that are transparent about their data handling practices and are compliant with the DPDP Act. Prefer Indian-based EdTech companies that openly publish their data policies and privacy measures.

Implement a Digital Policy Framework

Schools must establish internal digital policies that include:

  • Approved platform lists
  • Data retention schedules
  • Staff training on privacy practices
  • Mandatory DPIA (Data Protection Impact Assessment) before adopting new tools

Conduct Regular Data Audits

Periodic reviews of the data being collected, stored, or shared are essential. Schools should maintain logs of platform permissions and revoke unnecessary access to student data.

In accordance with the DPDP Act, schools must ensure that verifiable parental consent is obtained before students under 18 are enrolled on any digital platform. Simplify consent forms, translate them into local languages, and clearly explain how data will be used.

Limit Data Collection to Essentials

Platforms should be configured to collect only the minimum required data. Schools must disable unnecessary features that track behavior, location, or device usage unless strictly necessary for learning purposes.

Raise Awareness Through Workshops

Conduct digital literacy workshops for teachers, students, and parents to explain privacy risks, safe internet practices, and how to recognize red flags in apps and websites.

Appoint a School Data Privacy Officer

Even if not mandated by law yet, having a designated person to oversee digital privacy, manage permissions, and act as a liaison with tech providers will improve accountability.

The widespread use of free EdTech platforms in Indian classrooms has exposed students to serious data privacy risks. From hidden data collection to third-party sharing without consent, the lack of transparency and regulation is alarming. While the DPDP Act offers a framework for protection, schools must take proactive steps to ensure compliance and safeguard student data. By choosing safer alternatives, educating stakeholders, and enforcing strict digital policies, India can create a more secure digital learning environment for its future generations.

6. Final Thoughts

  • Schools must prioritize student data privacy by selecting tools that align with India’s DPDP Act and limiting access to only essential information for educational purposes.
  • Free EdTech tools often come with hidden costs, compromising student privacy and exposing institutions to legal risks. Awareness and vigilance are key.
  • Transparent consent processes and regular data audits should become standard practices in every Indian classroom using digital tools.
  • Educators, parents, and policymakers must work together to build a secure digital ecosystem that protects every child’s right to privacy.

© 2025 Bytecloak Technologies Private Limited. All rights reserved.