DPDPA 2023 Compliance

DPDPA Consent for Event Photos: What You Must Do Before Clicking

You’ve just wrapped a 400-person corporate offsite in Gurugram. 3,000 photos. Half go on the company LinkedIn. Some land in the CEO’s WhatsApp group. A few end up in a vendor’s portfolio. Under DPDPA 2023, every single one of those identifiable faces is personal data, and none of that distribution had a consent notice. Section 7 of the Act requires you to collect explicit consent before you process that data.

The stakes are real. A data principal (attendee) can file a complaint with the Data Protection Board if their photo was published without consent. The Board can order penalties up to ₹50 crore under Section 12 for violations of Section 7. Enforcement is live now. The rules are finalised. The Board is taking complaints. This is no longer “compliance someday” — it’s “compliance this month.”

What DPDPA Section 7 Actually Requires

Section 7 of the Digital Personal Data Protection Act 2023 states that you must obtain consent before you collect personal data. For event photographers, this means:

  1. Before the event starts, you must provide a consent notice in writing (email, printed form, or digital format accepted by the attendee).

  2. The notice must clearly state:

    • Why you’re collecting photos (purpose: event documentation, portfolio building, marketing, social media, sponsor reports, etc.)
    • Who is collecting the data (your name/business, your photographer partner, the event organiser, the client)
    • How long you’ll store the photos (6 months? 1 year? Indefinitely?)
    • Who else will see the photos (LinkedIn, Instagram, client portfolios, third-party vendors, sponsors)
    • How to withdraw consent (email address, form link, specific process)
  3. The attendee must actively consent: no pre-ticked boxes, and silence does not equal agreement. DPDPA requires affirmative consent.

  4. You cannot condition event entry on photo consent. A guest who says “no photos of me” cannot be denied access or charged extra.

Most photographers skip this entirely. They assume that because they’re hired by the event organiser, they can use photos however they want. Wrong. The organiser can consent for operational photos (for event documentation). Individual attendees must separately consent for any use beyond that — especially marketing, social media, or portfolio use.

Your Compliant Workflow: Step-by-Step

Step 1: Create a DPDPA consent notice template (2 weeks)

Your notice must be:

  • Written in simple English or the attendee’s preferred language
  • Specific about photo use (not “event-related purposes” — say “LinkedIn post, company website, client portfolio”)
  • Clear about storage duration and deletion process
  • Signed or digitally accepted by the attendee

Example structure:

“We will photograph you at [Event Name] on [Date]. Your photo may be used for: (a) internal event documentation, (b) our Instagram/LinkedIn posts, (c) client case studies. We’ll store your photo for 2 years, then delete it on request. You can withdraw consent anytime by emailing [email]. Consent is optional — you can still attend without being photographed.”

Step 2: Distribute and collect consent (4–6 weeks before event)

For a wedding or corporate event:

  • Email the consent notice to all confirmed attendees with an acceptance link (Google Form, Typeform, etc.)
  • For on-site guests, provide a printed consent form at check-in. Offer a “no photos” wristband or sticker.
  • For livestreamed or recorded events, add a second consent item: “May we record you on video?”
  • Keep records. The Data Protection Board will ask for proof. “I assumed it was fine” won’t work.

For marathon races or large public events:

  • Post consent notices on race bibs, event websites, and printed programs
  • Use registration forms to collect consent (add a checkbox: “I consent to photos for marketing and social media”)
  • Have staff at the finish line offer a photo-free zone for those who didn’t consent

Step 3: Document who consented and how (ongoing)

Create a simple log:

  • Attendee name / event / consent date / which uses were permitted / how consent was collected

Store this for at least 3 years. If the Data Protection Board investigates a complaint, this is your evidence.

Step 4: Tailor your photo use to consent given (critical)

  • Did someone consent only to “internal event documentation”? Don’t post their photo on Instagram.
  • Did someone consent to “portfolio use” but not “social media”? Don’t tag them on LinkedIn.
  • Did someone not consent at all? Blur or crop them out of group shots. Easier to do at the event than in post.

This last step is where most photographers fail. They collect consent, then post everything on Instagram anyway. Section 7 violation. Complaint filed. Investigation opened.

Related: If you run a corporate HR team posting employee photos on LinkedIn, the consent requirements are stricter — see Employee Photos on LinkedIn: India’s Biggest Hidden DPDPA Risk.

Related: Need a ready-to-use consent form with a checklist? DPDPA Consent Form: The Template Photographers Actually Need.

What the Data Protection Board Will Find

Here’s the escalation:

Section 7 Violation (Lack of Consent)

  • Tier 1 (Minor): Up to ₹10 lakh for isolated breaches of consent rules
  • Tier 2 (Major): Up to ₹50 crore if the breach affects large numbers of data principals or is systematic

A mid-size event photographer with 100 events per year, zero consent records, and one data principal filing a complaint for unauthorised LinkedIn posting could face ₹50 crore in penalties under Section 12(2).

DPDPA Section 7 Penalty: Failure to collect or maintain consent before collecting personal data can result in fines up to ₹50 crore. The Data Protection Board can initiate proceedings on a complaint from any data principal — including a wedding guest who didn’t see a consent notice before their photo was published.

Children’s photos (under 18) carry a separate ₹200 crore ceiling under Section 9. A school’s annual sports day without parental consent? Much steeper risk.

Why the numbers are realistic: The Board doesn’t fine based on intent. It fines based on violation type and scale. If 50 event attendees file complaints about the same unauthorised photo use by the same photographer, that’s one systematic violation, not 50 separate ones. The penalty is still up to ₹50 crore.

Actual enforcement trajectory: As of May 2026, the Board has opened complaint registrations. First investigations are targeting high-profile breaches (large corporates, platforms, schools). By late 2026 and into 2027, enforcement will widen to include photographers and event organisers.

FAQ

Does DPDPA apply to personal photos I take at a private party?

Yes, if you plan to do anything with them beyond the party itself. The moment you upload a guest’s face to your portfolio, Instagram, or a client’s website, that guest’s image becomes processed personal data. Section 7 applies. You need consent.

What counts as a valid consent notice for event photography under DPDPA?

A notice must specify: (1) purpose of collection (e.g., “LinkedIn marketing”), (2) who is collecting (your name), (3) storage duration, (4) who else will see the photos, and (5) how to withdraw consent. It must be given before the event, and the attendee must actively accept it — silence or inaction is not consent under DPDPA.

Is the event organiser or the photographer responsible for collecting DPDPA consent?

Both. The event organiser is the primary data fiduciary — they commissioned the event and control how attendee data is used. The photographer is a data processor working on their behalf. In practice: the organiser should collect consent from attendees as part of event registration, and the photographer should confirm what consents are in place before distributing photos to third parties. If the organiser skips consent, the photographer cannot use those images for portfolio or marketing purposes regardless.

What is the difference between “event documentation” consent and “marketing use” consent under DPDPA?

They are legally separate purposes under Section 7. “Event documentation” covers photos delivered to the organiser or client for internal use (recap decks, attendance records, internal communications). “Marketing use” covers any publication visible to people outside the event — Instagram posts, the photographer’s website, sponsor reports, press releases. Even if an attendee signed a general consent form, that doesn’t cover marketing unless marketing was explicitly listed as a purpose. If it wasn’t, posting their photo publicly requires fresh consent.


The compliance path is clear: collect consent in writing before the event, keep records, respect what each person consented to, and respond to erasure requests on time. It costs a few hours of setup per event and near-zero additional expense. Ignoring it costs ₹50 crore.

DPDPAReady’s free audit maps your entire photography workflow against DPDPA requirements in 48 hours — including your consent templates, storage practices, and third-party sharing. Get yours at dpdpaready.in.

VERIFIED DPDPAReady Editorial Desk 6 MAY 2026
