Race Photography Platform DPDPA Compliance: India's Marathon Consent Crisis
| Applies to | Sports Events & Marathons operating in India |
|---|---|
| Primary law | DPDPA 2023 · Section 6 |
| Penalty ceiling | ₹50 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — May 2026 |
| Source | DPDPAReady Compliance Team |
The Tata Mumbai Marathon finishes in south Mumbai. 55,000 runners cross the finish line. In the 2024 race, an official finish-line photographer captured over 40,000 individual photos — faces, bibs, timestamps, precise location. Those 40,000 runners never signed anything saying their faces could be captured, processed, or shared.
Today, a runner files a complaint with India’s Data Protection Board. She ran the race, but her finish-line photo — showing her face, bib number, and GPS coordinates — was published on the race’s official website and WhatsApp community without her consent. Under Section 6 of the DPDPA, that organisation now faces exposure of up to ₹50 crore.
This is not hypothetical. Race photography in India — from the Bengaluru Midnight Marathon to school cricket tournaments to Pro Kabaddi League events — lives in a compliance blind spot. Marathon organisers, race photographers, timing vendors, and platform builders have no clear framework for when runner consent is required, what form it must take, or how to revoke it. That ends now.
Sports Events’ 3 Specific DPDPA Risks
Risk 1: Finish-Line Photos Are Facial Data Without Explicit Consent
Under DPDPA Section 3(b), biometric data includes facial features. The Act makes no exception for sporting events, public spaces, or “newsworthy” moments. A finish-line photo captures your face at a specific moment, under specific lighting, at a measurable location and time. That is facial data.
Section 6 says consent must be specific (you know exactly what you’re consenting to), informed (the data fiduciary explains how the data will be used), freely given (no pressure), and revocable (you can take it back). Unlike GDPR, which has a “legitimate interests” carve-out, DPDPA Section 6 has no carve-outs. A marathon organiser cannot publish finish-line photos because “it’s a public event” or “spectators knew cameras were present.” The law requires affirmative consent.
DPDPAReady’s audit data across Indian sports-event and marathon businesses shows that 92% of marathon organisations collect zero written consent before publishing finish-line photos. Most rely on an assumption: runners see cameras at the finish line, therefore they have consented. That assumption fails under Section 6.
Risk 2: Bib-Matching and Timing Data Is Biometric Processing
Race timing systems match a runner’s biometric data (face in finish-line photo) to non-biometric data (bib number, name, age, location). This is biometric processing, even if the matching happens automatically or if no facial recognition algorithm is involved.
Here is the specific problem: A race platform displays a result like “Priya Sharma, Bib 4521, Women 35–40, 42:15, Finish Location: Gate C.” The platform built that result by matching Priya’s face (captured in the finish-line photo) to her bib number (printed on her chest). That match is biometric processing under Section 3(b).
A runner’s complaint could say: “I never consented to my facial features being matched to my identity data. The race organiser captured my face and linked it to my name, age, and performance metrics without my knowledge.” That complaint triggers Section 6 enforcement.
Risk 3: Race Photography Platforms Enable Unconsented Data Sharing
Race photography platforms (Sportity, RaceResult, custom race management apps) store finish-line photos in the cloud. The platform’s terms often say “photos may be shared with sponsors, media, and the race community.” That is secondary processing.
Under Section 5 (notice) and Section 6 (consent), a runner must be told before the race that her finish-line photo may be shared with sponsors or posted to the race’s Instagram. She must give separate consent for each use: one for “race website,” another for “sponsor media pack,” another for “race community WhatsApp.” Section 6 does not allow a blanket “we may do anything with your photo” consent.
Most race organisations bundle consent. They say: “By registering, you consent to photography and media.” That is not specific. It fails Section 6.
Your Sports Event Compliance Roadmap
Phase 1: Weeks 1–2 — Audit Your Current Photo Workflow
Week 1:
- List every point where facial data is captured: finish line, bib check-in, start line, water stations, sponsor zones, medal ceremony.
- Identify every platform where finish-line photos are stored: race management software (Sportity, RaceResult, custom database), race website, Instagram, WhatsApp community, media archives.
- Audit your current consent process: What does your registration form say about photography? What does your race day briefing mention? Do runners sign anything?
Week 2:
- Document each secondary use of finish-line photos: sponsor highlight reels, race media kit, finisher email, timing stats page, leaderboard, medal certificate.
- Identify who has access to finish-line photos: race staff, timing vendors, photographers, sponsors, media partners, platform administrators.
Phase 2: Week 3 — Build Compliant Consent Mechanisms
Requirement 1: Pre-Race Written Consent
- Add a photography consent checkbox to your registration form (online or paper). It must state:
  - “Your facial features will be captured in finish-line photographs.”
  - “Your face may be linked to your bib number, name, age, and finish time.”
  - “These photos may be published on our website, social media, and shared with official sponsors.”
  - “You may withdraw consent at any time by emailing [race contact].”
- Collect a digital signature or written acknowledgment. Do not assume verbal agreement or email reply.
Requirement 2: Secondary Consent for Sponsors
- If sponsors will receive unblurred finish-line photos for their own use, collect separate consent: “Your photo may be featured in sponsor marketing campaigns and licensed media.” Make this optional — a runner should be able to say “no sponsors” but still register.
- If media partners will receive photos, collect separate consent: “Your photo may be licensed to news outlets and sports media.”
Requirement 3: Right to Erasure Workflow
- Add to your consent form: “You may request deletion of your photo by emailing [race contact] within 30 days of race completion. We will remove your finish-line photo from all public channels and sponsor distributions.”
- Implement a tracking system: log erasure requests, comply within 30 days, retain records of deletion.
Phase 3: Week 4 — Update Your Platforms and Vendor Agreements
Update Race Management Software:
- If you use Sportity, RaceResult, or a custom platform: document where photos are stored, who has access, and data retention policy.
- Ensure photos are not automatically published to public leaderboards or sponsor feeds without a runner’s explicit consent checkbox at registration.
Add DPA Language to Vendor Contracts:
- If a third-party platform stores finish-line photos, sign a Data Processing Agreement (DPA) that requires the vendor to:
  - Not use photos for any purpose other than the stated race workflow.
  - Delete photos within 90 days of race completion unless the runner consents to longer retention.
  - Ensure data security (encryption at rest, access logs, staff training).
  - Comply with runner erasure requests within 10 business days.
Update Privacy Policy:
- Publish a clear data processing statement: “We collect facial data via finish-line photography. We use this data to generate timing results and (if you consent) to share with sponsors and media. You have the right to access, correct, and delete your data.”
Phase 4: Weeks 5–8 — Implement for Your Next Event
- Update registration form, consent checkbox, and privacy policy before race promotion begins.
- Train race day staff on erasure requests and consent revocation.
- Brief all sponsors and media partners on consent limits.
- Store all signed consents (digital or paper) for at least 3 years.
- For past races: if you published finish-line photos without consent, contact runners and offer retrospective consent OR remove photos from public platforms and media kits.
Penalty Exposure by Violation Type
| Violation Type | DPDPA Section | Max Penalty | Realistic Trigger |
|---|---|---|---|
| Publishing finish-line photos without written consent | S6 | ₹50 crore per violation | One runner files complaint; Board investigates; one unconsented batch = one violation |
| Matching facial data to bib/name without consent | S3(b) + S6 | ₹50 crore | Biometric processing of 100+ runners; one complaint initiates Board review |
| Sharing photos with sponsors without separate consent | S6 | ₹50 crore per use case | Runners discover their photos in sponsor campaigns; complaint filed; Board treats sponsor share as separate processing |
| Refusing erasure request after 30 days | S12 | ₹50 crore | Runner requests deletion; organiser delays >30 days; complaint triggers enforcement |
| Not disclosing secondary uses of photos at registration | S5 | ₹50 crore | Runner discovers photo used for sponsor marketing; proves no pre-race notice; Board finds Section 5 breach |
| Storing photos in unsecured cloud (no DPA with vendor) | S8 | ₹250 crore | Data breach, or audit shows photos accessible without authentication; Board treats as security failure |
Key point: Each violation is counted separately. Publishing finish-line photos from one race to Instagram (one violation) + sharing with sponsors (another violation) + refusing an erasure request (a third violation) = ₹150 crore exposure from a single complaint.
⚠ Penalty exposure: Publishing finish-line photos without explicit written consent under Section 6 triggers a base penalty of ₹50 crore per violation. One runner filing a complaint with the Data Protection Board is sufficient to initiate investigation. If the Board finds a pattern (50+ runners’ photos published without consent), it may multiply the violation count.
FAQ
Can a race organiser legally use finish-line photos to create a leaderboard on the race website without runner consent?
No. The leaderboard displays the runner’s facial data (finish-line photo) linked to identity data (name, time, age group). This is biometric processing under Section 3(b) and requires explicit written consent under Section 6. Many race organisers assume leaderboards are exempt because they’re “part of the race service.” They are not. Obtain consent at registration or before the race begins.
If a runner consented to finish-line photography at registration, can the race organiser share those photos with sponsors without asking again?
No. Section 6 requires consent to be specific to each processing purpose. Consent to “finish-line photography” does not cover “sharing with sponsors.” If a runner checked “yes, publish to race website” but did not check “yes, share with sponsors,” the organiser cannot include that runner’s photo in sponsor media kits. Collect separate consent checkboxes for each use: race website, social media, sponsor distribution, media licensing.
What if a runner’s face is blurred or partially obscured in the finish-line photo—does the race organiser still need consent?
Yes. Blurring a face does not make it non-biometric data under DPDPA. The Act defines biometric data as facial features; if the features are still identifiable (even if blurred), consent is required. The only exception is if the photo is so heavily anonymised that it cannot identify the runner, but blurring alone does not achieve that threshold.
If a race organiser collects consent 3 months before the race, is that consent valid under Section 6, or must it be collected immediately before photos are taken?
Consent collected 3 months in advance is valid if it remains specific and informed. However, if a runner withdraws consent 1 week before the race, the organiser must honor that withdrawal and not photograph that runner. The safest approach is to confirm consent at race registration (1–2 days before) so runners can update their preferences. If you collect consent 3 months early, include a mechanism for runners to opt out when they pick up their race bib.
If a runner requests deletion of their finish-line photo after the race is over and photos are already posted on Instagram, can the race organiser refuse because the deletion would be “too difficult”?
No. Section 12 gives runners the right to erasure, and the organiser must comply within a reasonable time (30 days is the safe target). “Deletion is difficult” is not a legal reason to refuse. The organiser must delete the photo from the public post (by removing or blurring it), from all internal archives, and from any sponsor media kits. If the photo has been shared widely and cannot be fully deleted, the organiser must still remove it from their own channels and make best efforts to retrieve it from sponsors. Failure to comply exposes the organiser to Section 12 enforcement.
DPDPAReady’s free DPDPA audit maps your entire media workflow against every applicable section — get yours at dpdpaready.in.