Overview
Unacademy is a leading online learning platform serving competitive exam aspirants (UPSC, IIT-JEE, NEET, CAT). Users invest hundreds of hours preparing for career-defining exams, generating detailed behavioral data about their ambitions, struggles, study patterns, and exam readiness. Many users are minors preparing for JEE/NEET.
DPDP Readiness: Section-by-Section Analysis
Section 6 — Consent & Notice 🔴
Unacademy collects learning data under standard terms acceptance:
- Live class attendance and participation
- Question attempt patterns and scores
- Study time and topic focus areas
- Chat messages during live classes
- Career goal declarations (UPSC, IIT, NEET, etc.)
DPDP concern: Career ambition data is deeply personal — a student’s UPSC preparation reveals their life goals. Combined with performance data, it creates a profile of aspirations, capabilities, and struggles.
Section 7 — Certain Legitimate Uses ⚠️
Core educational delivery is legitimate. However:
- Performance data used for upselling premium plans
- Learning struggle patterns used for targeted course recommendations
- Career goal data used for cross-platform marketing
Section 8 — Obligations of Data Fiduciary ⚠️
Standard security for an EdTech platform. No mention of:
- Extra security for minor students’ data
- Protection of career ambition data
- Controls on educator access to student performance data
Section 9 — Data Retention 🔴
No timelines for:
- Live class recordings (students’ faces, voices, questions)
- Exam attempt history and score patterns
- Career goal declarations
- Study behavior patterns
- Chat logs from live sessions
Question: If a student prepares for IIT-JEE for 2 years but doesn’t clear it, how long is their “failure” data retained?
DPDP Section 9 — Children’s Data ⚠️
Many IIT-JEE and NEET aspirants are 16-17 years old. Under DPDP Section 9:
- Verifiable parental consent needed for minors
- No behavioral monitoring of children
- No targeted advertising to children
Unacademy’s learning analytics for minor students potentially violates all three provisions.
Section 11 — Rights of Data Principal 🔴
- No mechanism to delete learning history while keeping subscription
- No data portability for learning records
- No transparency on performance-based profiling
- No nomination rights
Section 12 — Right of Grievance Redressal ⚠️
Basic grievance mechanism. No DPB pathway.
Section 16 — Cross-Border Data Transfer ⚠️
Cloud infrastructure may involve international data processing. Student performance data should ideally be processed domestically.
Risk Assessment
| Category | Risk Level | Potential Impact |
|---|---|---|
| Regulatory fine | High | Up to ₹250 Cr |
| Children’s data (JEE/NEET aspirants) | Critical | Section 9 specific requirements unmet |
| Career ambition data | High | Reveals deeply personal life goals |
| Performance data retention | High | Exam failure data retained indefinitely |
| Learning behavior monitoring | High | Under DPDP, may constitute behavioral monitoring |
Recommendations
- Implement age-gated DPDP compliance — Verify age, apply Section 9 protections for minors
- Define performance data retention — “Active student: data retained; 6 months post-subscription: learning data anonymized; 1 year: deleted”
- Add career goal data protections — Users should control whether their exam preparation goals are used beyond the platform
- Build student data dashboard — Show students what data is collected and allow selective deletion
- Separate educational analytics from commercial use — Firewall between learning data and marketing/upsell
How Does Your Policy Compare?
Take the free 60-second DPDP Audit to check your own company’s liability under the DPDP Act — 16 quick questions, instant risk report.
Analysis conducted by DPDP Consulting, a Meridian Bridge Strategy initiative. For a comprehensive compliance roadmap, book a free consultation.