Verbal Consent for Photography Under DPDPA: Why It Won't Hold Up in India

You’ve just finished shooting a 300-person wedding in Delhi. The bride’s mother leans over and says, “Use whatever photos you want for your portfolio — I’m giving you permission right now.” You nod, shake her hand, and start uploading to Instagram three days later. Under DPDPA 2023, that handshake is worthless. The consent wasn’t documented. It didn’t specify what you’d do with the data. It wasn’t given in writing or via a traceable digital format. And when the Data Protection Board receives a complaint from one of the 200+ identifiable wedding guests whose faces are now on your public feed, you have zero proof that anyone consented to anything.

This is the gap that catches most Indian photographers, event companies, and corporate communicators: verbal consent feels real in the moment but holds no weight under Section 6 of the DPDPA 2023. Section 6 sets out when consent is required and what form it must take. And India’s enforcement timeline — rules expected by late 2025, with the Data Protection Board fully operational through 2026–2027 — means you’re not protected by obscurity anymore.

What Section 6 Actually Requires (And What You’re Probably Doing Wrong)

Section 6 of DPDPA 2023 says consent must be:

1. In writing or by other means capable of being recorded (i.e. not verbal)
2. Freely given, specific, informed, and unambiguous
3. Obtained before or at the time of collection (not retrospectively)
4. For a specified, explicit, and lawful purpose

Most photographers in India currently operate under assumptions from the pre-DPDPA era:

• “I’ll mention consent in my standard contract” (not specific enough — the contract doesn’t link to the actual data being collected)
• “Clients know I use photos for marketing” (not documented; not informed at the point of collection)
• “Wedding invites typically allow the photographer to take pictures” (implied consent isn’t consent under DPDPA)
• “I’ll get written permission after the shoot” (too late — Section 6 requires consent before or at collection)

The critical word in Section 6 is “specified”. You must tell the data principal — in this case, every identifiable person in the frame — exactly what you plan to do with their image data:

• Will it go on your website portfolio?
• Will it be used in Instagram marketing?
• Will it be shared with the wedding planner or venue for their promotions?
• Will it be licensed to stock photography sites?
• How long will you keep it?
• Who else will see it?

A blanket statement like “I may use photos for business purposes” is not specific. A signed contract between you and the bride that says “Photography services for the wedding event on [date]” does not constitute consent from the 200 guests whose biometric identifiers you’re collecting.

How to Actually Get Valid Consent: The Compliant Workflow

Here’s the only framework that holds up under DPDPA scrutiny:

Step 1: Create a photography-specific consent notice. This is not part of your service contract. This is a separate document that each identifiable person (or their guardian if under 18) signs before the shoot. The notice must include:

• What personal data you’re collecting (photographs containing their face, possibly name)
• Why you’re collecting it (event documentation, your portfolio, social media marketing)
• How long you’ll keep it (in months/years)
• Who will see it (public on Instagram, private on your website, sent to the client only)
• Their rights (erasure, access, objection — see Section 18 of DPDPA)
• How to contact you if they want to withdraw consent

Step 2: Obtain written consent before the shoot starts. “Written” under DPDPA means pen-on-paper, or a digital record you can produce later: an email, a WhatsApp message, a form submission, a checkbox on a digital waiver. The key is traceability. If you can’t produce the consent record in the next five years when a complaint lands on the Data Protection Board’s desk, it didn’t happen.

For events with 100+ people (weddings, corporate offsites, marathons), a practical workflow:

• Post a QR code at the entrance linking to a Google Form or Typeform
• Include the consent notice text in the form
• Require a checkbox: “I consent to my photograph being taken and used as described above”
• Collect email addresses for proof of consent
• Repeat for different consent purposes (e.g., one form for venue photography, another for social media use)

Step 3: Store consent records separately from the images themselves. Use Google Drive, OneDrive, or a cloud service with access logs. Name the folder with the event date and client name. Export the form responses as a CSV. If you’re audited, you produce the folder and the data principal’s email address — proof they consented, and proof of what they consented to.

Step 4: Honor withdrawal requests within the deadline. Section 18 gives data principals the right to withdraw consent at any time. When they ask you to delete their photos, you have 30 days to acknowledge the request and a reasonable time to actually delete them (typically interpreted as 90 days maximum). Keep a log of every withdrawal. Document which photos were deleted and when.

Step 5: Update consent if you change how you use the images. You got consent to use photos on your website in 2026. In 2027, you want to license them to a stock site. You cannot do that without fresh, specific consent. This is why the initial consent notice must be detailed: if you’re vague about future uses, you’ll be re-consenting constantly.

The Real Cost of “They Verbally Said Yes”

A mid-size event company with 50 events per year, no consent records, and a history of uploading client photos to Instagram without asking faces one of three scenarios:

Scenario A: Single erasure request, ignored. A wedding guest sends an email asking you to delete their photo. You don’t respond. The Data Protection Board receives their complaint. Under Section 12 of DPDPA, you can be fined up to ₹50 crore for failing to honor a data principal’s rights. Realistically, the Board might assess ₹5–15 lakh as a penalty for a small vendor, but the legal defence costs alone will exceed ₹2–5 lakh.

Scenario B: Unauthorized sharing (e.g., licensing photos without new consent). You sell event photos to a stock site without re-consenting the people in them. A data principal files a complaint alleging you disclosed their data for a purpose they never agreed to. Section 6 violation + unauthorized processing under Section 2(h) = up to ₹50 crore in penalties, plus reputational damage.

Scenario C: Children in photos (school events, kids’ sports days, dance recitals). DPDPA is stricter for data of children (under 18). You need parental consent in writing, and the consent must be even more explicit about uses. Section 9 penalties for non-compliance with child data rules: up to ₹200 crore.

⚠ DPDPA Section 6 Penalty Trigger: Failure to obtain valid, documented, specific consent before collecting and processing personal data (including photographs). Penalty: up to ₹50 crore. The Data Protection Board can initiate proceedings on a complaint from any individual whose consent was not properly obtained — including people in the background of your shots who had no idea you were collecting their biometric data.

Practical Examples: How This Works in Real Indian Workflows

Wedding Photography (most common case): You’re hired by the groom’s family. Before the mehendi, sangeet, or main event, you distribute a QR code or physical form saying: “I consent to have my photograph taken. These photos will be used for [client’s album only / client’s album + photographer’s Instagram portfolio / client’s album + portfolio + wedding vendor recommendations].” Guests check the box that matches their comfort level. You photograph only the people who consented. Anyone who says “no consent, please” stays off your feed.

Corporate Event (team building, annual day, awards): The HR manager is your client. You send them a consent template to distribute to employees 48 hours before the event. The form says: “I consent to photographs being taken for [company intranet only / company intranet + LinkedIn company page / company intranet + external marketing].” Not all employees consent to external use. Your Instagram post features only the consenting faces, or you blur the others. You keep the signed forms for 5 years.

School Yearbook (high-risk context): The principal wants a photo of every student. You obtain written parental consent for each child. The consent specifies: yearbook publication, school website, social media (or not). You do not use school photos for your commercial portfolio without separate consent. Breach here could trigger Section 9 penalties exceeding ₹50 crore because children are involved.

Marathon/Sports Event (mass gathering): 500 runners register. Before race day, every runner gets a consent email: “Your race photos will be available in a private gallery for 90 days, and you can purchase prints. Faster participants’ finish-line photos may appear in our Instagram marketing. Do you consent?” Runners opt in or out. Your photographer captures everyone, but only publishes the consenting runners’ images on social channels.

FAQ: Real Questions Indian Photographers Are Asking

Q: Does DPDPA apply to candid photos I take at a private party or wedding?

A: Yes. The moment someone’s identifiable face is in a digital photograph you control, that’s personal data under Section 2(h). DPDPA applies. Venue, event size, or your friendship with the host doesn’t change this. You need consent.

Q: If my client (the bride, the company, the school) signed a contract saying I can use photos, do I have consent from all the people in the photos?

A: No. The client’s signature is a business agreement. It is not consent from the data principals (the 200 wedding guests, 100 employees, 500 students). Each person whose face appears needs their own documented consent for each specific use you’re planning.

Q: What if someone verbally told me during the shoot “Sure, you can use my photo”?

A: That’s not valid under Section 6. You have no proof it happened, no record of what uses they consented to, and no way to demonstrate consent to the Data Protection Board if someone complains. Document everything in writing before the shoot.

Q: Can I post photos on Instagram if I got verbal permission from the event organizer?

A: Only if the event organizer is the data principal for all identifiable faces in the image. In a wedding, that’s wrong — the guests are the data principals. In a corporate event, employees are. In a school photo, students (and parents if under 18) are. The organizer’s permission doesn’t bind anyone else.

Q: How long do I have to keep consent records after the shoot?

A: DPDPA doesn’t set a fixed retention period for consent documentation, but Section 8 allows complaints to be filed at any time. Best practice: keep consent records for as long as you keep the images, plus 3–5 years. If you delete an image, delete the corresponding consent record.

---

The gap between what feels legal and what is legal under DPDPA has already cost Indian photographers thousands in legal consultation fees and reputational damage. The Data Protection Board’s enforcement window is here. Your wedding photos, corporate team shots, and yearbook images are all personal data now. The only defense is documented consent—collected before the shutter clicks, specific about what you’ll do, and traceable five years from now.

DPDPAReady’s free photography compliance audit maps your entire shoot-to-publish workflow against Section 6 requirements and flags consent gaps in 48 hours — get yours here.