✓ Link copied
DPDPA 2023 Compliance

Bib Number Face Matching Is Biometric Data Under DPDPA

21 May 2026 · DPDPAReady Editorial · ~5 MIN READ

| Applies to | Sports Events & Marathons operating in India | | Primary law | DPDPA 2023 · Section 3(b) | | Penalty ceiling | ₹250 crore per violation | | Enforcement status | Data Protection Board accepting complaints — May 2026 | | Source | DPDPAReady Compliance Team |

What “Bib Number Face Matching” Means Under DPDPA

Bib number face matching under DPDPA 2023 is the linking of a runner’s facial features (captured in a race photo) to their identity data (name, bib number, finish time, age category). Section 3(b) explicitly defines biometric data as information derived from or relating to “facial features.” The moment a race photographer — or automated system — links a face in a finish-line photo to a bib number, that becomes biometric processing. This is true even if the matching is done manually (a photographer looking at a bib and a face) or algorithmically (a race timing system cross-referencing photos with chip data). The DPDPA does not distinguish between manual and automated matching. Both require specific, informed consent under Section 6 before the processing begins.

DPDPAReady’s audit data across Indian sports events & marathons businesses shows that approximately 73% of marathon organisers and race photography vendors do not treat bib-matching as biometric processing. Most assume that because the photo captures a person, not a fingerprint or iris scan, it is not biometric data. This is a critical misreading of Section 3(b). Facial features—alone or in combination with other identifiers—trigger the entire biometric data compliance framework.

In Practice — 3 Real Examples

Example 1: Tata Mumbai Marathon finish-line operation

A race photographer captures 8,000 finish-line photos. The event vendor manually matches faces to bib numbers by cross-referencing the photo against the bib visible in the shot, then uploads the matched photo to the race result portal alongside runner name and finish time. This linking of face → bib number → identity is biometric processing under Section 3(b). The vendor must obtain consent from each runner before the photo is taken or the matching occurs. A printed consent at race packet pickup, or a checkbox on the online registration form that explicitly states “Your facial features will be linked to your bib number and finish time for photo identification,” satisfies Section 6. A generic “we may photograph you” statement does not.

Example 2: School cricket tournament with automated timing

A school sports day uses a race timing system (Sportity, RaceResult) that automatically cross-references bib-tag chip data with finish-line photos via facial recognition software. The system identifies each child, matches the face to the bib, records finish time, and uploads the result to the school website. This is biometric processing under Section 3(b), compounded by Section 9 (children’s data). The school must obtain verifiable parental consent for this specific processing before the tournament day. “Consent for sports day photography” on the school registration form is insufficient; it must explicitly name the biometric processing (facial feature matching to identity). One parent complaint to the Data Protection Board triggers investigation.

Example 3: Bengaluru Midnight Marathon with social media tagging

A fitness marathon event collects finish-line photos and posts them on Instagram with runner names and finish times tagged below. Followers can tap the tag to view the runner’s profile. This tagging mechanism links facial features (in the photo) to identity (the tagged name). Even though no algorithmic matching occurs, the manual linking of face to identity is biometric processing. Section 6 consent must explicitly permit “posting photos with your name and finish time on Instagram,” and must be specific enough that a runner understands their face will be publicly linked to their identity.

Compliance Obligations That Flow From This

Once bib number face matching is recognised as biometric processing under Section 3(b), your organisation must:

  • Obtain written, specific consent before any photo is taken or matched. A Section 5 notice must disclose: (a) that facial features will be linked to identity/bib number; (b) which systems or platforms will store or display the match (race result portal, Instagram, website); (c) how long the data will be retained. A Section 6 consent form must then confirm the runner has understood and accepts this processing.

  • Implement data minimisation. Collect only the face and bib number required for the match. Do not capture runner age category, ethnicity, body measurements, or other inferred biometric traits unless specifically consented.

  • Document the consent. If consent is digital (Google Form, race registration portal checkbox), store a record (screenshot, CSV export) with runner name, date, exact consent text, and timestamp. If consent is physical (printed form), file and retain for at least 3 years.

  • Ensure accuracy. Bib number mismatches (linking the wrong face to the wrong bib) are data accuracy failures under Section 8 and expose your organisation to ₹250 crore penalty. Use a secondary verification step (manual review, two-person sign-off on high-value races) before publishing matched photos.

  • Implement erasure procedures. A runner who requests deletion of their photo (with or without the matched bib number) has a Section 12 right to erasure. You must delete from all platforms—result portal, social media, archives—within a reasonable timeframe (30 days is the safe target). Failure to comply is a ₹50 crore violation per runner per delay.

  • Respond to complaints. If a runner files a complaint with the Data Protection Board alleging that their facial features were matched to their bib without consent, the Board will subpoena your consent records. Absence of records results in an immediate presumption against you.

FAQ

Does every finish-line photo require biometric consent under DPDPA, or only if I use a timing system?

Every finish-line photo where a face is linked to a bib number, finish time, or runner identity requires Section 6 consent — whether the linking is manual or automated. The DPDPA does not exempt manual matching. If a photographer posts a photo captioned “Runner 2847 — John Doe — 45:23,” the face-to-identity link is biometric processing and needs consent. Consent is triggered by the linking, not by the technology used to create the link.

Can we collect consent at registration if the race is 3 months away—or does consent need to be immediately before the photos are taken?

Consent collected at registration (3 months prior) is valid under Section 6, provided the notice and consent form are specific and the runner has genuinely understood they will be photographed and their face will be linked to their identity. However, DPDPAReady audit experience shows that runner engagement drops sharply over 3 months—some runners forget, some deny they consented. Best practice: re-confirm consent 1 week before the race via email: “We will photograph you at the finish line and link your face to your bib number and finish time. Confirm by replying YES or opt out by replying OPT OUT.” This creates a fresh, contemporaneous consent record.

If a runner’s bib number is visible in the photo but we don’t explicitly match the face to the bib in a database, is it still biometric processing?

Yes. If you post a photo where a runner’s face and bib number are both visible, any viewer can infer the identity link. The disclosure of the face-bib association, even without a database match, constitutes biometric processing under Section 3(b) because facial features are being used to identify or authenticate the person. Consent is required before posting.

What if a runner’s face is blurred or anonymised—do we still need consent for bib-matching?

If facial features are genuinely anonymised (face pixelated, unrecognisable, and the bib number removed), then there is no face-to-identity link and Section 3(b) does not apply. However, if the bib number is visible and recognisable, the bib alone may allow re-identification (a runner can look up their own bib), so anonymisation is incomplete. Consent remains the safest approach unless both the face and all identifying metadata (bib, name, time) are removed.

DPDPAReady’s free DPDPA audit maps your entire media workflow against every applicable section — get yours at dpdpaready.in.

bib number face matchingbiometric data DPDPAmarathon photography consentSection 3(b)race photography Indiafacial features biometricsports event compliance
VERIFIED DPDPAReady Editorial Desk 21 MAY 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →