EdTech

BYJU'S

DPDP Ready Score: 38/100
Analysis supervised by Sushant Pasumarty
Published 25 Feb 2026

BYJU'S, a major EdTech platform, handles sensitive educational data, including that of children. Its privacy policy is extensive but has not been fully updated for the DPDP Act 2023; it is weakest on granular consent, verifiable parental consent for minors, and specific data retention timelines. These gaps create substantial regulatory risk, especially under Section 23 (Children's Data).

⚠️ Compliance Gaps

  • No explicit DPDP Act 2023 reference; relies on IT Act 2000 framework
  • Bundled consent fails 'freely given' and 'specific' DPDP standards
  • Inadequate verifiable parental consent mechanisms for children's data (Section 23)
  • Data retention period vague; uses 'as long as necessary' language
  • No mention of Data Protection Board for grievance escalation
  • Cross-border transfer lacks specificity on permitted jurisdictions
  • Nomination rights under Section 14 not addressed

✅ Strengths

  • Acknowledges commitment to protecting children's privacy
  • Grievance officer contact details provided
  • Specific categories of collected data are listed
  • Right to withdraw consent mentioned, though mechanism is unclear

Overview

BYJU’S (Think and Learn Pvt. Ltd.) is one of India’s largest EdTech companies, providing online learning programs for students across various age groups. This means it collects significant amounts of personal data, including sensitive information about children, their learning patterns, performance, and parental details. The DPDP Act, 2023 has specific and stringent requirements for processing children’s data (under 18 years), making BYJU’S policy a crucial test case for compliance.

DPDP Readiness: Section-by-Section Analysis

BYJU’S policy largely relies on bundled consent, where accepting terms of service equates to agreeing to the privacy policy. This is problematic under DPDP, which requires free, specific, informed, and unambiguous consent.

What the policy says: “By providing Your Information or making use of the facilities provided by the Website, You hereby consent to the collection, storage, processing and transfer of any or all of Your Personal Information… as specified under this Privacy Policy.”

DPDP requirement: Consent must be given for each specific purpose. For children (under 18), verifiable parental consent is mandatory (Section 23).

Gap:

  • No granular consent: Users cannot selectively agree to data uses (e.g., allow learning data but not marketing).
  • Children’s data: While the policy states “explicit consent of a parent or legal guardian” is required for children, it lacks verifiable mechanisms to ensure this. Simply clicking a checkbox is insufficient for DPDP Section 23, which prohibits processing “Personal Data of a Child that is likely to cause detrimental effect.”

Section 7 — Certain Legitimate Uses ⚠️

BYJU’S claims broad legitimate interests for data processing. These include “operating, providing, developing, and improving the Services,” “personalization,” and “marketing and promotional purposes.”

DPDP requirement (Section 7): Legitimate uses are narrowly defined (e.g., voluntary provision, state functions, medical emergencies, employment). Many of BYJU’S stated purposes, especially marketing and personalization, would require explicit consent, not just a legitimate use claim under DPDP.

Gap: The policy’s general “legitimate interest” clauses for commercial activities are unlikely to withstand scrutiny under the DPDP Act’s narrower interpretation.

Section 8 — Obligations of Data Fiduciary ⚠️

The policy mentions “reasonable security practices and procedures” and “confidentiality” of data. It also references the IT Act 2000’s “sensitive personal data or information” rules.

DPDP requirement (Section 8): Data Fiduciaries must implement “reasonable security safeguards” to prevent data breaches. For children’s data (Section 23), specific obligations include not undertaking tracking, behavioural monitoring, or targeted advertising directed at children.

Gap:

  • Security measures are generic.
  • The policy’s statements about “improving services,” “personalization,” and “marketing” inherently suggest practices (such as tracking and behavioural monitoring) that are restricted or outright prohibited for children under DPDP. The policy does not explicitly state that it refrains from these practices for children.

Section 9 — Data Retention 🔴

Critical gap. The policy uses vague language regarding data retention.

What the policy says: “We retain your personal information for as long as necessary to provide the services you have requested, comply with our legal obligations, resolve disputes, and enforce our agreements.”

DPDP requirement (Section 9): Data Fiduciaries must cease to retain personal data when the purpose of collection is fulfilled, or consent is withdrawn, and ensure deletion within a “reasonable period.”

Gap: No specific retention periods are provided for different data types (e.g., student performance data, parental contact info). This lack of clarity creates significant liability, especially with children’s data.

Section 11 — Rights of Data Principal ⚠️

BYJU’S acknowledges the right to “review, modify or delete your account information” and the right to “withdraw your consent.”

DPDP requirement (Section 11): Data Principals have rights including access, correction, erasure, and the right to nominate (Section 14). Clear, easy-to-use mechanisms for exercising these rights must be provided.

Gap:

  • While withdrawal of consent is mentioned, the practical mechanism is not clearly outlined.
  • No mention of the right to nominate another person to exercise rights on their behalf (crucial for parents of children).
  • The process for full data erasure requests is not detailed.

Section 12 — Right of Grievance Redressal ⚠️

A Grievance Officer’s name, email, and address are provided.

DPDP requirement (Section 12): Data Principals have the right to grievance redressal. The Data Fiduciary must respond within a reasonable period (often 30 days is implied) and inform the Data Principal of their right to escalate to the Data Protection Board.

Gap:

  • No mention of the Data Protection Board as an escalation path after internal grievance resolution.
  • No explicit commitment to a specific response timeline (e.g., 30 days).

Section 16 — Cross-Border Data Transfer 🔴

The policy indicates data may be transferred internationally without specifying countries or safeguards.

What the policy says: “Your information may be stored and processed in any country where we have facilities or where we engage service providers.” and “BYJU’S may transfer information to different locations outside of Your country.”

DPDP requirement (Section 16): Cross-border data transfer is only permitted to countries or territories notified by the Central Government. Specific safeguards must be in place.

Gap: BYJU’S blanket statement for cross-border transfer is highly problematic. It does not identify permitted countries or the specific mechanisms ensuring data protection in those jurisdictions.

Risk Assessment

Category | Risk Level | Potential Impact
Regulatory fine | High | Up to ₹250 Cr per instance under DPDP
Children’s data (Sec 23) | Critical | Major fines, reputational damage, parental backlash
Consent compliance | High | Bundled consent invalidation affects all users
Data retention | Critical | No deletion timelines for sensitive learning data creates significant exposure
Cross-border transfer | High | Unauthorised transfer of personal data
Data principal rights | Medium | Incomplete rights framework needs update

Recommendations

  1. Implement verifiable parental consent: For all child users, introduce robust mechanisms (e.g., unique ID checks, small payment verification) to confirm parental consent for data processing and use.
  2. Granular & layered consent: Break down consent into specific purposes (e.g., core service, analytics, marketing) allowing users (or parents) to choose.
  3. Define specific retention periods: Clearly state how long different categories of data (e.g., academic performance, financial, marketing) are retained and when they are automatically deleted.
  4. Update for DPDP Act 2023: Explicitly reference the DPDP Act and map policy sections to its provisions.
  5. Detail Data Principal rights: Clearly outline the process for exercising rights like access, correction, erasure, and nomination, including timelines and escalation paths to the Data Protection Board.
  6. Specify cross-border transfers: List the exact countries where data may be transferred and the legal basis/safeguards for such transfers, aligned with the Central Government’s notified list.

Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.
