DPDPA Compliance for Hotels, Restaurants & Hospitality Venues
From CCTV at the lobby to the wedding reel on Instagram, every guest face is personal data. DPDPA enforcement is live in 2026 — here's what hotels, banquet halls and restaurants must fix now.
Hospitality venues sit on a goldmine of personal data: ID proofs at check-in, CCTV of every corridor, banquet photographers capturing 800 guests at a sangeet, influencers tagging your rooftop bar, and marketing reposting UGC every weekend. DPDPA 2023 treats each face, name and phone number as personal data. The 2025 Rules make consent, purpose limitation and breach reporting mandatory from 2026, with penalties up to Rs 250 crore. This page is the hospitality-specific brief: front-desk consent, guest photos in marketing, influencer joint-controller risk, and CCTV practices that will get you fined.
Critical sections for Hotels, Restaurants & Hospitality
Your DPDPA obligations
Notice & Consent at Check-in
Every registration card, Wi-Fi captive portal and loyalty signup must show a clear notice in English plus an Indian language, listing exact purposes (billing, FRRO reporting, marketing). Separate tick-boxes for marketing — no pre-ticked boxes.
Purpose Limitation on Guest Photos
Photos taken at a banquet or restaurant for the event album cannot be reused on your Instagram, brochure or OTA listing without fresh, specific consent from every identifiable guest.
CCTV Notices in Public Areas
Post visible signage at the lobby, corridors, parking and F&B outlets stating that CCTV is active, along with the retention period (typically 30 days), the purpose, and the Data Fiduciary contact. Cameras are banned in rooms, washrooms and spa changing areas.
UGC Reposting Rights
A guest tagging your hotel is not consent to repost. Obtain explicit written approval (DM confirmation with screenshot archived) before reposting any UGC featuring identifiable persons.
Influencer & Photographer Contracts
Influencers and wedding photographers become Data Processors. A written contract is mandatory, specifying purpose, retention, deletion timelines, and a prohibition on independent reuse of guest imagery.
Children's Data (Kids Clubs, Family Stays)
Verifiable parental consent before processing any data of guests under 18 — kids-club photos, birthday reels, family-stay testimonials. No behavioural tracking or targeted ads to minors.
Breach Notification to DPB
Report any personal data breach (lost registration cards, hacked PMS, leaked CCTV) to the Data Protection Board and affected guests without delay. 72-hour internal SOP recommended.
Retention & Erasure
Delete guest data once purpose is fulfilled — typically 1 year post-checkout for billing, 30 days for CCTV, immediate for declined bookings. Document the schedule.
Common violation scenarios
- 5-star hotel reposts a couple's wedding reel from the property's Instagram handle without written consent from the bride, groom or 400 tagged guests. Penalty: up to Rs 200 crore
- Banquet hall's hired photographer uploads full sangeet album to a public Google Drive link shared in WhatsApp groups; guests' faces leaked. Penalty: up to Rs 250 crore (breach without safeguards)
- Resort installs CCTV in spa changing area or pool cabanas without notice; footage stored for 90+ days on unsecured DVR. Penalty: up to Rs 150 crore
- Restaurant chain uses guest check-in phone numbers from the reservation app to run WhatsApp promo blasts without separate marketing consent. Penalty: up to Rs 50 crore
- Influencer collab shoot at rooftop bar captures unrelated diners in frame; reel goes viral with diners identifiable; no consent obtained. Penalty: up to Rs 100 crore
- Hotel kids-club posts birthday party photos of a 7-year-old on its Instagram without verifiable parental consent. Penalty: up to Rs 200 crore
- PMS breach exposes 50,000 guest records (passport, Aadhaar copies, card last-4); not reported to DPB within reasonable time. Penalty: up to Rs 250 crore
Industry-specific risks
- Wedding & MICE photography where 100s of identifiable guests appear in frames later used in venue brochures, OTA listings and social handles
- CCTV overreach — cameras in spa, salon, pool changing rooms or staff dorms — and retention beyond 30 days on unsecured NVRs
- Wi-Fi captive portals harvesting mobile numbers and Aadhaar for 'KYC' then sold to marketing agencies
- Influencer barter deals where the influencer films other guests without their knowledge, and UGC reposting culture assuming a tag equals consent
- Third-party contractors (event photographers, DJ video teams, drone operators) acting as undeclared Data Processors
- Loyalty programmes profiling guest preferences (allergies, religion via meal choice, room-share patterns) without explicit consent for sensitive inferences
Consent capture checklist
- Bilingual notice on registration card / digital check-in covering all processing purposes
- Separate, unticked opt-in for marketing communications (email, SMS, WhatsApp)
- CCTV signage at every entry point with purpose, retention and contact
- Photographer & videographer contracts with DPDPA processor clauses and deletion timelines
- Event-day signage at banquets: 'Photography in progress — speak to event manager to opt out'
- Written UGC repost approval workflow (DM confirmation, screenshot archived for 3 years)
- Verifiable parental consent flow for any guest under 18
- Influencer collab brief prohibiting capture of non-consenting third parties
- Guest rights portal: access, correction, erasure, grievance redressal contact
- Documented retention schedule per data category (PMS, CCTV, marketing, loyalty)
Frequently asked questions
Can we keep using photos from last year's New Year gala on our website?
Only if you have documented consent from every identifiable guest for that specific use. If not, take them down or blur faces before DPDPA enforcement kicks in. Legacy 'we always did this' is not a defence under Section 6.
A guest tagged our hotel in a beautiful reel. Can we repost it?
No, not without explicit written permission. A tag is a mention, not a licence. Send a DM, get written 'yes I consent to repost on @yourhotel for marketing', archive the screenshot. Reposting without this can trigger Section 6 penalties up to Rs 200 crore.
Do CCTV cameras in the lobby need guest consent?
Consent isn't required for legitimate security use, but notice is mandatory under Section 5. You need visible signage stating cameras are active, purpose, retention period and Data Fiduciary contact. Cameras in private areas (rooms, washrooms, spa) are prohibited regardless of notice.
Our wedding photographer is independent — are we still liable?
Yes. The moment they shoot on your premises for your client, you are the Data Fiduciary and they are your Data Processor under Section 8(2). You need a written contract specifying purpose, security, retention and deletion. If they leak photos, the venue is jointly liable.
What about influencer shoots where other diners appear in the background?
Identifiable third parties in frame need consent. Either shoot in closed sessions, blur background faces, or have staff request on-the-spot consent. Viral reels with unconsented diners have direct exposure under Section 6 — up to Rs 100 crore.
How long can we keep guest data after checkout?
Only as long as the purpose lasts. Billing and tax records per IT Act; PMS profile data 1 year unless guest opts into loyalty; CCTV 30 days max; declined-booking data deleted immediately. Document this in a retention policy — Section 8(7) requires it.
What's the first thing a 50-room boutique hotel should do this quarter?
Three things: (1) update registration card and Wi-Fi portal with DPDPA notice and marketing opt-in, (2) install CCTV signage and audit camera locations, (3) issue photographer/influencer contract addenda. These close ~70% of your exposure.
Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.