DPDPA Compliance for Retail Brands, Studios & Media Houses

Model releases, stock libraries, customer CRMs, loyalty data, and editorial archives are all "personal data" under DPDPA. The Section 17 journalism exemption is narrower than you think.

If you run a D2C brand, retail chain, ad agency, photo or film studio, or news/media house in India, DPDPA 2023 changes how you handle every shoot release, loyalty signup, in-store CCTV feed, and archive of customer photos. Enforcement is live in 2026 and the Data Protection Board can levy penalties up to Rs 250 crore per instance. The Section 17(2)(b) journalism exemption is not yet notified, and even when notified will not cover marketing, branded content, or commercial stock libraries.

Critical sections for Retail Brands, Studios & Media Houses

Section 6 — Consent must be free, specific, informed, unconditional, unambiguous, and withdrawable. Old talent release forms with 'in perpetuity, all media now known or hereafter invented' language likely fail.

Section 8(7) — Erasure obligation. Studios and media houses cannot hoard RAW files, contact sheets, and B-roll forever without a documented retention purpose.

Section 9 — Children's data. Catalogue shoots, fashion week coverage of minors, and influencer kid-content require verifiable parental consent; behavioural advertising to minors is prohibited.

Section 10 — Significant Data Fiduciary obligations. Large D2C brands, quick-commerce, and pan-India retail chains will likely be notified as SDFs with DPO, DPIA, and audit duties.

Section 17(2)(b) — Journalism exemption is narrow, conditional, and not yet notified. Do not assume your branded content arm qualifies.

Section 33 — Penalties up to Rs 250 crore for security failures, Rs 200 crore for breach notification failures, Rs 200 crore for children's data violations.

Your DPDPA obligations

Itemised consent for model releases and UGC

Every model release, influencer contract, and user-generated-content reshare must capture purpose-specific, withdrawable consent in clear language — old blanket releases are not valid notice under DPDPA.

Section 6(1), Section 5

Purge stock and archive libraries of stale personal data

Photo studios and media houses holding decade-old shoot archives must either re-consent subjects, anonymise faces, or delete — retention without lawful purpose is a violation.

Section 8(7)

Loyalty programme and CRM consent refresh

Retail chains running loyalty apps, WhatsApp broadcasts, and SMS marketing must obtain fresh DPDPA-compliant consent — pre-2024 opt-ins from PoS terminals are not grandfathered.

Section 6(1), Section 7

Children's data in campaigns and shoots

Any campaign, catalogue shoot, or editorial featuring under-18 talent requires verifiable parental consent and a ban on behavioural tracking or targeted advertising to that child.

Section 9

Consent Manager integration for high-volume D2C

Brands processing data of significant numbers of Data Principals may be classified as Significant Data Fiduciaries — triggering DPO appointment, DPIA, and independent audits.

Section 10

Breach notification for CRM, e-comm, and shoot leaks

Leaked customer databases, exposed cloud buckets of raw shoot files, or stolen agency laptops must be reported to the Data Protection Board and affected persons without delay.

Section 8(6)

Section 17 journalism exemption boundaries

News organisations get a narrow research/journalism exemption — it does NOT cover branded content, sponsored posts, native advertising, archive monetisation, or photo-syndication sales.

Section 17(2)(b)

Common violation scenarios

D2C skincare brand uses a model's 2022 campaign photo in a 2026 Instagram reel without refreshing consent; the model issues a withdrawal notice and the brand keeps using the image.

Up to Rs 50 crore

Section 6(6), Section 8(4)

Retail chain's loyalty database (1.2 cr customers) leaks via an unsecured AWS S3 bucket; breach disclosed only after a journalist publishes the story.

Up to Rs 250 crore

Section 8(5), Section 8(6)

Photo studio sells a 2018 wedding shoot to a stock library; couple never consented to commercial syndication.

Up to Rs 50 crore

Section 6(1), Section 7

Ad agency runs a kidswear campaign with minors; no verifiable parental consent, plus retargeting pixel fires on under-13 audiences.

Up to Rs 200 crore

Section 9(1), Section 9(3)

News house monetises a 20-year photo archive containing identifiable private citizens via a paid licensing portal and claims the Section 17 journalism exemption.

Up to Rs 50 crore

Section 17(2)(b) misuse, Section 8(7)

Quick-commerce brand WhatsApps promotional offers to customers who opted in only for order updates.

Up to Rs 50 crore

Section 7(a), Section 6(1)

Industry-specific risks

Consent capture checklist

  1. Rewrite model release / talent contract templates with itemised purposes (print, digital, OOH, social, archive, resale) and a withdrawal mechanism
  2. Map every customer-data system: PoS, loyalty app, e-comm, CRM, WhatsApp Business, email ESP, ad pixels, CDP — and document lawful basis for each
  3. Audit all stock and archive libraries; tag assets by consent status (consented / re-consent needed / anonymise / delete)
  4. Implement a Data Principal rights portal (access, correction, erasure, grievance) with response SLAs
  5. Appoint a Data Protection Officer or grievance officer and publish contact details on the website and app
  6. Refresh children's-data workflows: parental verification, no behavioural ads, separate consent log for under-18 talent and audiences
  7. Run a Data Protection Impact Assessment (DPIA) for any AI-generated imagery, face-swap, or synthetic-talent pipeline
  8. Update vendor contracts (agency, studio, retoucher, cloud, courier, KYC vendor) with DPDPA data-processor clauses and breach-notification timelines

Frequently asked questions

Does the Section 17 journalism exemption cover my media house's commercial photo archive sales?

No. Section 17(2)(b) is a narrow research/journalism carve-out and is not yet notified. Even once notified, it will not cover commercial licensing, stock syndication, branded content, sponsored editorial, or archive monetisation. Treat those revenue streams as fully in scope for DPDPA.

Are old model release forms signed before 2024 still valid?

Almost certainly not for new uses. DPDPA requires specific, informed, withdrawable consent for each stated purpose. Blanket 'all media in perpetuity' language fails the specificity test. Re-paper your top revenue-generating assets first, then work backwards through the archive.

We're a D2C brand with 30 lakh customers — are we a Significant Data Fiduciary?

Possibly. The Central Government will notify SDFs based on volume and sensitivity of data, risk to data principals, and impact on sovereignty. Quick-commerce, pan-India retail, and large beauty/fashion D2C brands are leading candidates. Plan for DPO, DPIA, and annual audit obligations even before formal notification.

What's the penalty if an agency loses a client's customer list?

Up to Rs 250 crore for failure to take reasonable security safeguards. The client (Data Fiduciary) remains liable to data principals even though the agency (Data Processor) caused the breach — which is why processor contracts must include indemnity and breach-notification clauses.

Can we keep using behavioural retargeting pixels in kidswear campaigns?

No. Section 9(3) prohibits tracking, behavioural monitoring, and targeted advertising directed at children. Suppress under-18 audiences in your DSP, disable lookalike modelling on child-data seeds, and document the suppression for audit.

What's the first thing a retail chain should fix?

Loyalty programme consent. PoS-collected phone numbers used for SMS/WhatsApp marketing are the single highest-volume exposure surface. Roll out a re-consent flow with itemised purposes (transactional vs marketing), and stop syncing to ESPs/CRMs anyone who doesn't opt in again.

VERIFIED DPDPAReady Editorial Desk 20 JUN 2026

Article reviewed against DPDPA 2023, Schedule, and DPDPA Rules 2025.