Industry Hub · Event Management & Conferences

DPDPA Compliance for Event Management & Conference Organisers

Delegate badges, sponsor lead retrieval, livestream consent, CCTV signage — DPDPA enforcement goes live 2026. Penalties up to ₹250 crore per breach.

Event organisers, ticketing platforms, and conference tech vendors sit on a goldmine of personal data — delegate names, dietary preferences, employer details, badge scans, session attendance, photographs, and livestream footage. Under the DPDPA 2023, every badge swap, sponsor lead exchange, CCTV-monitored hall, and recorded keynote is a regulated processing activity. The Data Protection Board can impose penalties up to ₹250 crore for security failures and ₹200 crore for processing without valid consent. Ticketing platforms must rebuild signup flows; organisers must execute DPAs before lead retrieval scanners go live. The window closes in 2026.

Critical sections for Event Management & Conferences

Section 5 — Notice obligations at ticket purchase and on-site registrationSection 6 — Free, specific, informed, unconditional consent for delegate dataSection 8 — Data Fiduciary duties including security safeguards for attendee databasesSection 9 — Children's data: parental consent for student delegates and youth eventsSection 33 — Penalties up to ₹250 crore for security breaches of delegate records

Your DPDPA obligations

Granular Delegate Consent at Registration

Separate, unbundled consent for marketing emails, sponsor data sharing, photography, and livestream capture. Pre-ticked boxes are void.

Section 6(1)

Itemised Notice in Plain Language

Registration page must list every data point collected (name, employer, dietary, accessibility, photo) and every recipient (sponsors, AV vendor, hotel).

Section 5

Sponsor Lead Retrieval Agreements

Badge scanning by sponsors requires a Data Processor agreement and explicit delegate consent at the moment of scan — not buried in T&Cs.

Section 8(2)

CCTV and Photography Signage

Visible notices at every entrance disclosing CCTV, official photographers, and livestream cameras with purpose and retention period.

Section 5(1)(a)

Easy Consent Withdrawal

One-click withdrawal from marketing, photo galleries, and recording archives — must be as easy as giving consent.

Section 6(4)

Breach Notification Within 72 Hours

Lost delegate list, leaked badge scan database, or hacked ticketing portal must be reported to the Data Protection Board and affected delegates.

Section 8(6)

Children's Data — Verifiable Parental Consent

Hackathons, student conferences, and youth summits require verifiable parental consent for under-18 attendees; no behavioural tracking permitted.

Section 9

Common violation scenarios

Sponsor badge scanner harvests delegate emails without explicit on-scan consent

Up to ₹200 crore

Section 6(1) — Consent not free and specific

Ticketing platform suffers SQL injection leaking 80,000 delegate records including phone numbers and employers

Up to ₹250 crore

Section 8(5) — Failure to implement reasonable security safeguards

Conference livestream archive published on YouTube includes Q&A audience faces without consent or blur option

Up to ₹200 crore

Section 6 + Section 5 — No notice, no consent for processing

Post-event marketing emails sent to delegates of a co-hosted summit without lawful basis transfer

Up to ₹150 crore

Section 7 — Processing beyond stated purpose

CCTV footage of trade expo retained 18 months without disclosed retention period

Up to ₹50 crore

Section 8(7) — Retention beyond necessity

Student hackathon collects under-18 participant data without verifiable parental consent

Up to ₹200 crore

Section 9 — Processing of children's data

Industry-specific risks

Sponsor lead retrieval scanners operating without per-scan consent prompts
Livestream and session recording archives containing identifiable audience footage
Bulk delegate list shared with hotel, transport vendor, and AV crew via unsecured Excel sheets
Networking apps that match delegates by employer or seniority without opt-in
Photographer galleries published online with searchable face-tagged images
RFID/NFC badge tracking heatmaps revealing individual movement patterns across venue

Consent capture checklist

Separate checkboxes for ticket purchase, marketing emails, sponsor sharing, and photography
Plain-language notice listing every sponsor and vendor receiving delegate data
On-site signage at every entrance: CCTV, official photography, livestream zones
Sponsor badge scanners display consent prompt before each scan
One-click unsubscribe and photo-removal request link on every event email
Verifiable parental consent flow for under-18 delegates at student events
Data Processing Agreements signed with ticketing platform, AV vendor, and badge printer
Documented retention schedule — delete delegate PII within 12 months unless re-consented

→ Generate a bilingual DPDPA consent form for Event Management & Conferences

Frequently asked questions

We use a third-party ticketing platform like Townscript or Insider. Who is liable under DPDPA?

The event organiser is the Data Fiduciary; the ticketing platform is a Data Processor. You remain primarily liable for delegate data and must sign a written Data Processing Agreement before going live. Penalty exposure stays with the organiser.

Do sponsor badge scanners need separate delegate consent?

Yes. Burying 'we may share your data with sponsors' in ticket T&Cs is not valid consent under Section 6. The scanner must trigger an explicit consent prompt at the moment of scan.

Can we livestream and record sessions including audience Q&A?

Only with prior notice on tickets, on-site signage at entry, and a designated 'no-camera' seating zone. Faces of audience members who did not consent must be blurred in archives. Failure exposes you to Section 6 penalties up to ₹200 crore.

How long can we keep the delegate list after the event?

Only as long as necessary for the stated purpose. Typical practice: 12 months for tax/legal records, then delete or anonymise. Retaining for 'next year's marketing' requires fresh consent.

What about CCTV at the venue — is signage enough?

Signage is necessary but not sufficient. You also need a documented purpose, retention period (typically 30-90 days), restricted access log, and a published DPO contact for footage requests.

We host a student hackathon with under-18 participants. What changes?

Section 9 mandates verifiable parental consent — a scanned signed form or video verification, not a checkbox. You cannot do behavioural tracking or profile-based matchmaking for minors. Penalty exposure: ₹200 crore.

Get a Event Management & Conferences-specific compliance audit

Free 48-hour DPDPAReady audit — we map your exact workflow against every applicable Section and ship the consent forms, retention schedules, and breach playbooks you need.

Get your free audit →

VERIFIED • DPDPAReady Editorial Desk • 20 JUN 2026

Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.