PhysicsWallah has quietly forayed into the educational gaming space with the launch of a standalone app called ‘PW Games.’ However, the launch raises a bigger question for India’s edtech sector. Can platforms simply “assume” they have parental consent to collect and process a minor’s personal data and use it to fine-tune their systems?
It appears that PhysicsWallah is doing exactly that, potentially violating India’s Digital Personal Data Protection (DPDP) Rules, 2025.
The consent gap on PW Games: The platform’s privacy policy states that if a user is under 18, it is “assumed” that a parent or a legal guardian has consented to the collection and processing of a minor’s personal information, which may include:
The app may also collect usage information, including but not limited to:
The company says it does not sell or rent personal data to third parties, but it may share “limited” information with its partners, who aid the platform in —
The company uses the personal data collected to “provide access” to PW Games, personalise gameplay experience, track learning progress, improve games and platform features, and prevent fraud, misuse, and illegal activities.
While Rule 10 of DPDP Rules, 2025 requires data fiduciaries to obtain verifiable parental consent before collecting and processing a minor’s data, PW Games’ privacy policy does exactly the opposite of that, Malcolm Gomes, Chief Operating Officer at IDfy, told MediaNama.
“It assumes a parent agreed simply because someone registered, places no obligation on the platform to verify who that someone was, and makes no attempt to establish whether the consenting person actually understood what they were agreeing to and for what specific purpose,” he said.
A lawyer who did not wish to be named told MediaNama that edtech firms and their gaming-led products warrant greater scrutiny under DPDPA, given their target audience is primarily minors. PW Games is targeted for students from classes 3-10.
MediaNama has reached out to PhysicsWallah for a comment. The story will be updated if and when we receive a response.
PW Games Pro subscription will cost you Rs 299/month and unlock 50+ learning games and 12,000+ thinking and mental ability questions
The regulatory grey zone: The DPDP Rules, 2025 mandate that a data fiduciary must verify if the individual identifying as a parent is an adult through government-issued IDs like Aadhaar or a token from a Digital Locker Service Provider.
However, Aadhaar and the DigiLocker token mechanism, Gomes says, solve only half of the problem.
“What neither can do is confirm that this verified adult is the parent or lawful guardian of the specific child whose data is being processed. Those are two separate obligations, and the second one is where India’s digital infrastructure runs out of road,” the IDfy COO said.
The DPDPA carves out specific permissions for educational institutions, including the ability to process data for tracking a child’s location and behavioural monitoring, which would otherwise be restricted. However, this exemption only applies when tracking or monitoring is undertaken for educational activities or in the interests of a child’s safety.
“Tracking session behaviour to improve learning outcomes sits closer to the exemption. Tracking session behaviour to optimise engagement, reduce drop-off, or personalise content for retention sits in a
different category,” Gomes told MediaNama.
The issue of shared devices and self-declaration: A recent survey by Internet Matters suggested that one in three children in the UK were able to bypass age checks after the Online Safety Act came into force by using methods like entering fake birthdays and drawing facial hair. This is arguably the biggest loophole in India’s DPDP Act: children can simply lie about their age. The data protection law completely ignores the possibility of a minor self-declaring their age to portray themselves as an adult.
“In a country where one phone and one SIM often serve a whole family, asking a user to declare their own age does not really verify anything. The child has every reason not to say they are a child, and the device says ‘adult’ anyway. Self-declaration is not a safeguard,” Gomes said.
These concerns were also echoed by several participants in a recent MediaNama roundtable discussion titled ‘Age verification and restricting social media for children.’
A participant in the MediaNama event also said the problem was already visible during the pandemic, when schools required students to create Gmail accounts for Google Classroom. “Most of those were created with fake ages,” the speaker said, arguing that the ecosystem was already built around inaccurate age declarations.
What must platforms like PhysicsWallah do? India’s threshold under DPDP is 18, significantly stricter than Europe’s General Data Protection Regulation (GDPR), which allows member states to set the digital age of consent anywhere between 13 and 16. A Class 12 student, a 15-year-old on a tutoring app, and a teenager downloading a gaming platform are all legally children under Indian law, and none of their data can be processed without a parent’s verified sign, Gomes pointed out.
While digital platforms have traditionally relied on lighter-touch consent flows such as age declarations, account sign-up terms, or parental assumptions, under DPDP, parental consent cannot be treated as an assumption buried inside a signup flow, he argued.
“For children’s data, platforms need a verifiable and auditable consent process that can show who gave consent, whether that person was an identifiable adult, what purpose the consent was given for, and whether the consent can be withdrawn across systems. This is especially important for edtech and gaming-led products, where personalisation, behavioural analytics, engagement loops, and child safety concerns can overlap,” said IDfy’s COO.
According to Gomes, in order to genuinely meet the standard of verifiable parental consent under India’s DPDP Act, platforms must:
Concerns around dark patterns: Earlier this month, the Central Consumer Protection Authority (CCPA) imposed a fine of Rs 5 lakh on PhysicsWallah for violating the Dark Pattern Guidelines, 2023. It found that the platform was engaging in basket sneaking, confirm shaming, forced action, and interface interference. Our analysis found that some of these dark patterns may have already crept into PW Games.
The app’s description on the Google Play Store reads: “Start playing for free with optional premium plans.” However, the platform requires users to submit personal details, including mobile numbers, if they wish to access games advertised as “free.” These games remain inaccessible without this data submission; there is no true opt-out mechanism.
In its order against PhysicsWallah on June 1, 2026, CCPA noted: “In the present case, consumers intending to access educational content advertised as ‘free’ were compelled to disclose personal information and create accounts before access could be granted. The compulsory disclosure of personal information was therefore made a precondition for accessing the service originally intended by the consumer. Such practice impaired consumer autonomy and falls within the prohibited category of ‘Forced Action’ under the Guidelines.”
By using expressions such as “start playing for free” without adequately disclosing that access to games being advertised as free is conditional on disclosing personal information, is PW Games not engaging in forced action and thereby misleading consumers?
The concerns come against the backdrop of PhysicsWallah scrapping its plan to extend loans to students via its NBFC arm FinZ Finance. Earlier this month, it said it would instead partner with regulated third-party NBFCs for student financing. The move, it said, was aimed at reducing balance sheet exposure and credit risk.
Also read:
For You
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。