Wedding Guest Photos Are Personal Data — India's DPDPA Consent Gap

The couple signed your contract. The 500 guests at their wedding did not. Under DPDPA 2023, that’s the problem.

Section 6 requires consent from each person whose face appears in a photo — not just the person who hired you. A standard photography agreement between you and your client gives you zero protection against a complaint from a guest, a baraati, the caterer, or the maasi who ended up in the background of 40 shots and never agreed to be in your Instagram portfolio. Every one of those identifiable faces is personal data under the Act. Processing it without consent is a Section 6 violation. The penalty: up to ₹50 crore. The trigger: a single complaint from any one of those guests to the Data Protection Board.

What DPDPA Says About Consent (And Why Your Current Approach Fails)

Section 6 of the Digital Personal Data Protection Act 2023 is clear: you cannot process personal data without the data principal’s prior, specific, informed consent. A photograph that captures someone’s face, however incidentally, is personal data. The guest at the wedding — not the couple — is the data principal for their own likeness.

Your current workflow probably looks like this:

1. Client books you
2. You shoot the event
3. You keep photos on Google Drive or a local hard drive
4. You share edited versions with the couple
5. You post a few on Instagram

At step 2, you’ve already violated Section 6, because 400 guests never consented to you collecting their biometric data (their face). At step 5, you’ve violated it again — sharing their data with the public (Instagram’s algorithm, your followers) without consent.

The couple’s consent to hire you is not consent from the guests for you to photograph them. This is the single biggest misunderstanding in Indian event photography right now.

The Consent Notice You Actually Need

A compliant DPDPA consent notice must contain these specific elements (Section 6 requires):

1. Your identity — your name, business registration (if you’re a proprietorship, state that), and contact details
2. The purpose — e.g., “to capture photos of you at [Event Name] on [Date] at [Venue]”
3. What data you’re collecting — biometric data (facial features), and explicitly state that photos will be stored digitally
4. Who you’ll share it with — e.g., “the event couple, potentially wedding album platforms like Pixieset, or our Instagram @[handle]” — be specific, not vague
5. How long you’ll keep it — “6 months on cloud storage, then permanently deleted” or “indefinitely on our portfolio” — choose one and commit
6. The right to withdraw — “You can ask us to delete your image anytime by emailing [address]. We will do so within 72 hours of receipt.”
7. Consequences of refusal — “If you don’t consent, we will not photograph you, and you may request to remain off-camera during the event”

This is not a privacy policy. It’s a one-page notice, in English and Hindi if more than 10% of expected guests are non-English speakers (good practice).

Step-by-Step: How to Collect Consent Before the Wedding

Step 1: Create two versions of your consent notice

• Digital version: A Google Form or Typeform that guests fill out on their phones. Ask: “Do you consent to being photographed?” and “Do you consent to us sharing your image on social media / wedding magazine submissions?” Make these two separate yes/no boxes — don’t combine them.
• Physical version: A single-page form printed at the wedding venue, signed by guests who don’t have smartphones. Keep these in a folder labeled “[Date] — [Wedding] — Consent Forms.”

Step 2: Distribute before the event starts Do this at the venue entry, or at least before the ceremony. You can say: “We’re shooting this wedding. Our photographer needs your consent to photograph you — here’s a quick form.” Most guests will consent. Some won’t. If they don’t, discreetly note which sections of the event they’re sitting in and avoid framing them.

Step 3: For unavoidable shots (crowd photos, ceremony background) If a guest is in the background of a group photo and didn’t fill the form, you have two options:

• Blur their face in the final image (technically you’re no longer processing their personal data)
• Don’t publish or share that image externally — keep it in the couple’s private gallery only

Step 4: Document everything Store consent forms (digital screenshots + physical signed copies) in a dedicated folder. Label it: “[Wedding Date] — [Couple Name] — Consent Records.” If the Data Protection Board ever asks, you need to produce these within 30 days.

Step 5: Honor withdrawal requests A guest messages you three months later: “Please delete my photos.” You have 72 hours to acknowledge the request and a “reasonable time” (typically interpreted as 2–4 weeks) to actually remove and certify deletion. Do it. Document that you did it. Confirmation email, file deletion log, timestamp.

What This Costs If One Guest Complains

This isn’t theoretical. The Data Protection Board (set up under Section 18) has power to fine you up to ₹50 crore per violation of Section 6.

Here’s a realistic scenario for a mid-size event photography business in India:

You: 200 weddings per year, 400 guests average, 2 years of operations. No consent records.

One guest from Wedding #47 (18 months ago) discovers their photo on your Instagram. They file a complaint with the Data Protection Board. The Board investigates and finds:

• 80,000 identifiable faces processed without consent (200 weddings × 400 guests)
• Shared on Instagram and third-party platforms without consent
• No deletion records when individuals asked you to remove images

The Board can fine you ₹50 crore × 80,000 violations = ₹4 lakh crore theoretically, though in practice they’ll issue a tiered fine based on severity and your business size.

Your professional reputation collapses. Couples stop booking you. Wedding magazines pull your portfolio. You can’t afford the fine or legal defense.

All of this is avoidable. A ₹50 consent form template, 10 minutes of wedding-day admin, and organized file-keeping cost you nothing. Not doing it could cost everything.

⚠ DPDPA Section 6 Penalty: Up to ₹50 crore per violation of consent requirements. The Data Protection Board can initiate proceedings on a complaint from any data principal (wedding guest) — even if you’re a one-person proprietorship.

FAQ: Your Specific Questions About Wedding Photography and DPDPA

Q: Do I need consent from every single guest, or just the couple?

A: Every single guest whose face is identifiable in your photos. The couple’s consent to hire you covers their own likeness, not their aunts, cousins, or the caterer. Section 6 requires consent from each data principal. No exceptions.

Q: What if a guest is in a group photo but I can’t see their face clearly — do I need their consent?

A: If their face is not identifiable (truly blurred, tiny, turned away), then technically it’s not personal data under DPDPA. But if there’s any reasonable chance someone could identify them using facial recognition software or human recognition, collect consent to be safe. When in doubt, blur or exclude.

Q: Can I use wedding photos for my portfolio / Instagram without asking permission again?

A: Only if your original consent notice said “We will share your image on our Instagram and in our professional portfolio.” If your consent form only said “We will photograph you,” then using photos for marketing is a new purpose — you need new consent from each person. Get written consent upfront about every channel where images might appear.

Q: How long can I keep wedding photos before I have to delete them?

A: As long as you stated in your consent notice. If you said “6 months,” delete them after 6 months. If you said “indefinitely,” you can keep them — but only if you had consent for that. If you have no consent notice, delete within a reasonable time (courts typically interpret this as 12 months for photos). Honor individual deletion requests within 72 hours of acknowledgment.

Q: If the couple gave me written permission to use their wedding photos, is that DPDPA compliance?

A: No. The couple’s permission is a copyright/contract matter. DPDPA compliance requires consent from the guests (data principals). The couple’s contract with you is separate from guests’ rights over their own image data. You need both: copyright permission from the couple, and image-data consent from guests.

---

Wedding photography under DPDPA 2023 requires a deliberate shift: consent is no longer optional, it’s structural. You need a form, a process, and record-keeping. The good news is that most couples and guests will consent if you ask — they’re used to it. The bad news is that enforcement is coming, and the Data Protection Board has made clear it will pursue violations aggressively starting in 2027.

DPDPAReady’s free photography compliance audit walks through your entire workflow — consent collection, storage, sharing, deletion — and flags gaps in 48 hours. Get yours here.