Student data, course completion tracking, and payment records — online education has real GDPR obligations that course creators and platform operators must address.
Online learning has exploded. Tens of millions of people take courses through platforms like Teachable, Thinkific, Kajabi, and Podia — and millions more buy directly from independent course creators selling through their own websites.
But digital education means digital data collection. And most course creators and e-learning platform operators are significantly underestimating their GDPR obligations.
Why E-Learning Platforms Face Real GDPR Exposure
The average e-learning platform collects a remarkable amount of personal data. Student names, email addresses, and payment details are the obvious ones. But the tracking goes much deeper: which videos students watched and for how long, which quiz questions they got wrong, how often they logged in, what device they used, where they were located when they accessed a lesson, and whether they completed the course.
This behavioural data — sometimes called learning analytics — is personal data under GDPR. It relates to identifiable individuals and reveals details about their cognitive engagement, learning pace, and educational performance.
GDPR applies to any e-learning platform or course creator that:
- Has students or customers based in the European Union or UK
- Operates from within the EU/UK, regardless of where students are located
Data E-Learning Platforms Actually Collect
Account and identity data: Full name, email address, username, profile photo, country, timezone, language preferences.
Enrolment and progress data: Which courses a student purchased, when they enrolled, which modules they've completed, their completion percentage, last activity date.
Learning behaviour data: Video watch time (including which portions were rewatched or skipped), quiz attempt history and individual answers, assignment submissions, time spent per lesson, login frequency, session duration.
Payment and financial data: Credit card details (typically held by your payment processor), billing address, purchase history, refund history, subscription status.
Communication data: Support tickets, live chat logs, forum posts, comments on lessons, email open and click history.
Technical data: IP address, device type, browser, operating system, referral source.
Children's Courses — GDPR Article 8 and Parental Consent
If your platform offers courses aimed at children under 16 (or under 13 in some EU member states), GDPR Article 8 requires parental or guardian consent before you can process their personal data.
"Aimed at children" is interpreted broadly. A platform offering maths courses, coding lessons, language learning for kids, or homework help is clearly in scope.
What this means in practice:
- Age verification at registration
- A parental consent mechanism that is genuinely verifiable
- Additional care in how you use children's data — no behavioural advertising, strict limits on profiling
- Privacy notices written in child-appropriate language (required under GDPR Recital 58)
Learning Analytics: Consent vs. Legitimate Interest
Legitimate interest can apply to basic learning analytics that benefit the student directly: tracking completion so certificates can be issued, recording quiz scores so adaptive content can be served, or maintaining progress so students can resume where they left off.
Consent is required for:
- Behavioural tracking used to profile students for marketing purposes
- Sharing analytics data with third parties (including your platform provider)
- Using engagement data to make automated decisions with significant effects on the student
- Any tracking that isn't necessary for delivering the course itself
Platform Relationships: Teachable, Thinkific, Kajabi, Podia
You are the data controller. Your platform (Teachable, Thinkific, etc.) is your data processor.
GDPR Article 28 requires you to have a Data Processing Agreement (DPA) in place with every data processor. Most major platforms have these available — check their legal documentation.
Video Hosting: Consent for Embeds
When a student loads a lesson page with an embedded Vimeo or YouTube video, those platforms set their own cookies and collect their own data before the video is played. Under GDPR, loading third-party cookies without prior consent is a violation.
Use click-to-load video embeds that don't set cookies until the student actively clicks to play.
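A click-to-load embed, sketched as an added example (not code from any platform named here): the page ships only a button, and the iframe to the video host is created after the student clicks. The function names and the `video-consent` class are assumptions; `youtube-nocookie.com` and Vimeo's `dnt=1` parameter are the hosts' own privacy-oriented player options.

```javascript
const PLAYER_HOSTS = new Set(['www.youtube-nocookie.com', 'player.vimeo.com']);

// Map a public watch URL to the host's privacy-oriented player URL.
// Anything unrecognised returns null, so nothing gets embedded.
function toEmbedSrc(watchUrl) {
  let u;
  try { u = new URL(watchUrl); } catch (e) { return null; }
  if (u.protocol !== 'https:') return null;
  const host = u.hostname.replace(/^www\./, '');
  let id = null;
  if (host === 'youtube.com' && u.pathname === '/watch') id = u.searchParams.get('v');
  if (host === 'youtu.be') id = u.pathname.slice(1);
  if (id && /^[\w-]{11}$/.test(id)) return `https://www.youtube-nocookie.com/embed/${id}`;
  const m = host === 'vimeo.com' ? /^\/(\d+)$/.exec(u.pathname) : null;
  return m ? `https://player.vimeo.com/video/${m[1]}?dnt=1` : null;
}

// Markup emitted at page load: a button only. No iframe and no thumbnail
// fetched from the video host, so no third-party request happens yet.
function placeholderHtml(watchUrl, title) {
  const src = toEmbedSrc(watchUrl);
  if (!src) return '';
  const esc = s => String(s).replace(/[&<>"']/g, c => `&#${c.charCodeAt(0)};`);
  return `<button type="button" class="video-consent" data-embed-src="${esc(src)}">` +
    `Play "${esc(title)}" (loads content from ${new URL(src).hostname})</button>`;
}

// On click, replace the button with the iframe. `doc` is injected so the
// swap can be exercised outside a browser. The host is re-checked here
// because the data attribute could have been altered in the page.
function activate(button, doc) {
  let src;
  try { src = new URL(button.dataset.embedSrc); } catch (e) { return null; }
  if (src.protocol !== 'https:' || !PLAYER_HOSTS.has(src.hostname)) return null;
  const frame = doc.createElement('iframe');
  frame.setAttribute('src', src.href);
  frame.setAttribute('allow', 'fullscreen');
  button.replaceWith(frame);
  return frame;
}

// Browser wiring (skipped when no DOM is present).
if (typeof document !== 'undefined') {
  document.addEventListener('click', e => {
    const b = e.target.closest('button.video-consent');
    if (b) activate(b, document);
  });
}
```

The button text names the host that will receive the request, so the click is an informed action rather than a generic play icon.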
Certificates and Completion Data
If certificates include verification URLs, you're creating publicly accessible records linking a person's identity to their educational achievement. Disclose this clearly and give students control over certificate visibility where possible.
Community Features: Forums and Discord
Forum posts and comments are personal data. Discord integrations require particular attention — Discord is a US-based service that transfers data outside the EU, which must be disclosed to students.
Email Marketing and PECR
- Transactional emails (receipts, lesson access) don't require marketing consent
- Upsell sequences are marketing communications — PECR's soft opt-in rule may apply for UK-based students if conditions are met
- For EU students, get explicit marketing consent
Compliance Checklist
For solo course creators:
- Privacy policy naming your platform, email provider, payment processor, and video host
- Cookie consent banner blocking non-essential cookies
- DPA signed with your course platform
- Process for responding to data requests within 30 days
- Privacy-enhanced video embeds
For full e-learning platforms, add:
- Records of Processing Activities (RoPA)
- Age verification for children's courses
- Formal DSAR workflow with tracked deadlines
- Data retention schedules
- Privacy Impact Assessments for AI/adaptive learning features