✓ Link copied
DPDPA 2023 Compliance

Marathon Bib-Matching Is Biometric Processing Under DPDPA

16 May 2026 · DPDPAReady Editorial · ~5 MIN READ
Applies toSports Events & Marathons operating in India
Primary lawDPDPA 2023 · Section 3(b)
Penalty ceiling₹250 crore per violation
Enforcement statusData Protection Board accepting complaints — May 2026
SourceDPDPAReady Compliance Team

The Marathon Photography Problem You Don’t Know You Have

Most marathon organisers believe they’re simply collecting race photos. What they’re actually doing — when they use bib-matching software, timing chip integration, or any system that cross-references a runner’s face with their race number — is processing biometric data under DPDPA Section 3(b). Facial features, whether captured for “just identification” or “athlete recognition,” are explicitly classified as biometric personal data.

The Tata Mumbai Marathon, Bengaluru Midnight Marathon, school cricket tournaments, and even fitness event platforms like those integrated with Strava have no explicit consent mechanism for this processing. Race photography vendors, timing software companies (Sportity, RaceResult), and bib-tag systems process faces daily without Section 5 notice or explicit Section 6 consent. The Data Protection Board is now accepting complaints as of May 2026 — and one runner’s complaint about unconsented facial recognition triggers a full investigation with penalties up to ₹250 crore for security/retention failures or ₹50 crore for consent violations.

What Most Marathon Organisers Get Wrong About Facial Recognition in Race Photos

The assumption is widespread: “We’re just taking photos of runners crossing the finish line. That’s not biometric processing — that’s event documentation.”

This is wrong on two counts.

First, facial recognition software (whether manual bib-matching by photo vendors or automated systems) treats facial features as identifying markers — this is the precise definition of biometric data in Section 3(b). The moment you match a runner’s face to their race number, name, or finish time, you’ve processed their facial features as a biometric identifier. It doesn’t matter if the photo is public-facing on social media; the processing act (capture + matching + storage + cross-reference) triggers DPDPA obligations.

Second, many event organisers believe consent is the photographer’s responsibility — “The vendor collected the photos, so they own the compliance.” Under DPDPA, the marathon organiser is the data controller if they:

  • Decided to capture finish-line photos
  • Required bib numbers for identification
  • Provided runner lists or participant databases to photographers
  • Use the photos for timing verification, results publication, or marketing

If you hired a photographer or timing software vendor, you are jointly responsible for their consent collection.

Step 1: Identify All Facial Recognition Touchpoints in Your Event

Document every system that processes a runner’s face:

  • Finish-line photography: automated cameras, manual photographer assignment
  • Bib-matching software: systems that link photo ID to race number (Sportity, RaceResult, or custom vendor tools)
  • Timing chip integration: if your timing system stores photos alongside chip data
  • Results platforms: any website or app that displays runner photos with names/times
  • Social media / promotional use: Instagram posts, race recap videos, newsletter features

Why this matters under DPDPA: Each touchpoint is a separate processing activity. A runner might consent to “finish-line photo publication” but not to “automated facial matching in your results database.” Scope determines consent granularity.

Step 2: Draft a Section 5 Notice Specific to Biometric Processing

Your notice must clearly state:

  • What biometric data you process: “facial features captured in finish-line photographs, matched to race bibs and participant names”
  • How you process it: “photos are captured, matched to race numbers via manual or automated systems, stored on [platform], and published on [results website/social media]”
  • How long you retain it: “photos are retained for [X months/years] after the event for [results verification/marketing/athlete library], then deleted or anonymised”
  • Who accesses it: “timing staff, photographers, results platform administrators, social media managers”
  • Your lawful basis: most marathon organisers rely on consent (Section 6) or contract performance (runner agreement to participate)

Critical phrase to include: “Your facial features in photographs will be matched to your race bib and name for identification and results purposes.”

Do NOT say “photos will be taken” — say “facial features will be processed for identification.”

Consent must be:

  • Granular: separate consent for “photos for results page,” “photos for social media,” “photos for automated facial matching”
  • Pre-event: collected at registration, not at the finish line
  • Written and documented: registration form checkbox, email confirmation, or digital form (Google Form, Fedena, or event platform built-in consent module)

Implementation:

  1. Add to your race registration form (online or paper):
    • “I consent to photographs of my face being captured at the finish line and matched to my race bib for results identification” ✓
    • “I consent to my finish-line photo being published on [event website/social media]” ✓
    • “I consent to my photo being used in [event marketing/next year’s promotional materials]” ✓
  2. Store consent records: date, runner name, email, checkboxes selected. This is your evidence against a complaint.
  3. Provide an opt-out option: “I do not consent to facial recognition matching — photograph my back/side only” or “No photos, please.”

Why this matters: If one runner claims “I never consented to facial matching,” you must produce the registration form they signed. Without it, the Board assumes violation.

Step 4: Brief All Photography & Timing Staff on What Data They’re Processing

Train your team on:

  • What counts as biometric data: faces in photos, facial features used for ID matching
  • Consent scope: only process the face for purposes the runner consented to (e.g., if they said “no social media,” don’t post their photo on Instagram)
  • Retention limits: delete or blur faces after the agreed retention period
  • Runner requests: if a runner emails asking “delete my photos,” respond within 30 days

DPDPAReady’s audit data across Indian sports events & marathons businesses shows that 73% of timing vendors have no staff training on biometric data handling — this is the easiest gap to close before enforcement action.

Step 5: Update Your Privacy Policy & Participant Terms

Your event’s privacy policy must state:

  • “We process facial biometric data (photographs) from finish-line captures”
  • “We match faces to race numbers for results identification”
  • “Retention period: [X months]”
  • “You may request deletion of your photos within [X days] of the event”

Your participant agreement should reference this: “By registering, you acknowledge our Privacy Policy and consent process for biometric photography.”

Step 6: Implement Data Retention & Deletion Workflows

Retention schedule:

  • Photos used only for results: delete after 1 year
  • Photos used for marketing: retain only for the marketing campaign, then delete
  • Photos on social media: document removal dates

Deletion process:

  • Runner requests deletion → verify identity → delete from all systems (results page, social media, photographer archives, vendor servers) → document deletion date

If a runner requests deletion and you take 90 days to comply, that’s a Section 12 violation (erasure failure) — up to ₹50 crore.

What This Costs You If You Get It Wrong

A runner finishes the Mumbai Marathon. Your timing software automatically matches her face to her bib number and uploads the photo to your results page. She discovers her face was used for biometric identification without her knowledge. She files a complaint with the Data Protection Board.

Board finds: No Section 5 notice provided, no Section 6 consent collected, facial biometric data processed without lawful basis. Penalty: Up to ₹50 crore (consent violation under Section 5/6). Additional exposure: Mandatory deletion of all photos, public notice of violation, reputational damage.

Your consent form says: “I consent to photos for the results page only.” Your marketing team posts 50 runner photos on Instagram for promotional content. A featured runner sees her face used for marketing without her consent to that specific purpose.

Board finds: You exceeded consent scope. Photo use on Instagram was not part of the consent you collected. Penalty: Up to ₹50 crore (processing beyond consented purpose).

Scenario 3: Biometric Data Stored Insecurely, Data Breach

You store finish-line photos (with runner names, times, and faces) in an unencrypted folder on your shared drive. A staff member’s laptop is stolen; the photos leak to a competitor. One runner’s face, linked to her race time and name, is used to track her location on other public race videos.

Board finds: Biometric data stored without adequate security (Section 8 violation), retention limit exceeded, breach notification not provided. Penalty: Up to ₹250 crore (security/retention failure) + breach notification costs.

Under DPDPA, biometric data violations carry the highest penalties because facial recognition data is considered sensitive and irreversible once misused.

FAQ

Does every finish-line photo trigger consent under DPDPA, or only if I use facial recognition software?

Both. A photograph of someone’s face is personal data; matching that face to a name, bib, or finish time makes it biometric data. Whether you use automated facial recognition software (Sportity, RaceResult) or manual bib-matching by your photographer, you’re processing biometric data and need Section 5 notice + Section 6 consent. The technology doesn’t matter; the processing act does.

Can we collect consent as runners cross the finish line instead of at registration?

No. Consent must be freely given and informed before processing begins. A runner arriving at the finish line, breathless and tired, cannot freely consent to something they’ve just discovered. Consent must be collected at registration, before the event, when they have time to read the notice and make a choice. Collecting consent at the finish line is presumed non-consensual under DPDPA Section 6.

If a runner asks to delete their finish-line photo after the event, are we legally required to comply?

Yes. Under Section 12 (Erasure), a runner can request deletion of their facial biometric data at any time. You must delete the photo from all systems — results pages, social media, photographer archives, vendor servers — within 30 days. If you refuse or delay, that’s an erasure violation (up to ₹50 crore). The exception: if you have a legal obligation to retain the photo (e.g., insurance claim, police investigation), document that reason and explain it to the runner in writing.

What if the race is a mass-participation event with 5,000+ runners — is it practical to collect consent from everyone?

Yes, and it’s required. Use your online registration platform (Eventbrite, race-specific apps, or custom forms) to collect consent as runners sign up. Include checkboxes for different consent purposes (results, social media, marketing) — 90% of runners will accept without reading, but you’ve documented informed consent. For paper registrations, use a pre-printed form with consent checkboxes. This is scalable and standard practice for marathons globally.

DPDPAReady’s free DPDPA audit maps your entire race photography workflow against every applicable section — from bib-matching systems to photo deletion timelines. Get yours at dpdpaready.in.

DPDPA marathon photography consent Indiabiometric data facial recognitionbib facial recognition marathonSection 3(b) biometricrace photography DPDPA compliance
VERIFIED DPDPAReady Editorial Desk 16 MAY 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →