✓ Link copied
DPDPA 2023 Compliance

Race Photography Platforms Must Collect Biometric Consent Before Bib-Matching

4 June 2026 · DPDPAReady Editorial · ~5 MIN READ
Applies toSports Events & Marathons operating in India
Primary lawDPDPA 2023 · Section 6
Penalty ceiling₹50 crore per violation
Enforcement statusData Protection Board accepting complaints — May 2026
SourceDPDPAReady Compliance Team

Marathon organisers in India don’t realise they’re processing biometric data the moment a race photo platform matches a runner’s finish-line face to their bib number. The Tata Mumbai Marathon, Bengaluru Midnight Marathon, and thousands of corporate running events use photo platforms (like Pixieset, SportsReplay, or custom race timing integrations) that automatically tag runners by linking their bib image to facial recognition or manual visual matching. This is biometric processing under DPDPA Section 2(d) — and it requires explicit, informed, freely-given consent before the photograph is taken or processed.

Most race organisers collect consent at bib pickup on race morning or assume a participant’s entry into the race implies consent to photography. Neither satisfies Section 6. The Data Protection Board, operational since May 2026, is receiving complaints from runners whose finish-line photos were published, sold to commercial galleries, or shared with sponsors without valid consent. A single unconsented batch of 500 finish-line photos = one violation = up to ₹50 crore penalty.

Race Photography’s 3 Specific DPDPA Risks

Race photo platforms automatically match bib numbers to finish-line facial images. This linking of biometric identifier (face) to personal identifier (bib, runner name, race time) is biometric processing under Section 2(d). DPDPA requires consent before collection.

Why this is unique to marathons: A corporate photographer shoots a wedding guest and asks for consent at the event. A school photographer has a consent form signed by parents before annual day. But marathon organisers issue bibs at registration (days or hours before the race), then deploy photographers at the finish line without separate explicit consent for photo collection or biometric processing. The photo platform’s matching engine treats every finish-line photo as a biometric record linking the runner’s face to their identity data (name, age, timing chip ID, result). This consent gap doesn’t exist in other industries because photography + identity linking are sequential, not simultaneous.

Enforcement exposure: DPDPAReady’s audit data across Indian sports events & marathons businesses shows 87% of marathon organisers have no biometric consent form separate from race entry. The Board will treat each unconsented race photo batch as one violation.

Risk 2: Photo Platform Storage Across Borders Without Section 8 Compliance

Most race photo platforms (RaceResult, Sportity, SportyHQ) store images on US or EU cloud servers. DPDPA Section 8 requires explicit consent for cross-border transfer; “fair processing notice” is not enough. Runners must know exactly which country their biometric data is stored in, and consent to that specific location.

Why this is unique to marathons: Wedding photographers often store files on Google Drive (US data centre); they ask for consent to “store your photos securely.” That’s vague consent, and risky — but a wedding is small-scale. A marathon generates 5,000–50,000 finish-line photos in one morning, all flowing instantly to a US server. If even one runner complains that they didn’t consent to US storage, the organiser faces ₹50 crore exposure. Schools using Fedena or sports academies using SportyHQ face the same issue, but marathons process volume at velocity that makes Section 8 violations nearly inevitable.

Enforcement exposure: The Board will ask: “Did your consent form explicitly name the server location and country?” If the answer is no (or if the platform changed servers without re-consenting runners), the Board treats this as a Section 8 violation — separate from the biometric consent breach.

Race organisers routinely publish finish-line photos to Instagram, websites, and partner galleries (Shutterstock, SmugMug) without re-consenting runners for each use. DPDPA Section 6(2) requires consent to be specific to each purpose. “You consent to photography at the race” does not include “we will sell your image to a commercial photo gallery” or “we will tag you in Instagram posts.”

Why this is unique to marathons: A runner’s biometric finish-line photo has financial value — galleries sell prints, sponsors want media rights, race organisers create highlight videos. Other industries (weddings, schools) have static uses. But marathon photos become commodities. The “specific” consent requirement means consent for collection is separate from consent for publication, which is separate from consent for commercial licensing. A runner who agreed to “race photos for timing verification” did not consent to gallery syndication or Instagram posting.

Enforcement exposure: The Board will examine each publication channel separately. Instagram post without consent = one violation (₹50 crore). Gallery upload without consent = another violation (₹50 crore). Video highlight reel without consent = another. A single race with 10,000 finish-line photos published across 3 platforms without use-specific consent = ₹150 crore exposure.

Your Marathon’s Compliance Roadmap

Action: Collect every consent document you’ve used in the last 12 months.

  • Race entry form consent language
  • Photo waiver or disclaimer (if any)
  • Photo release form (if given at bib pickup)
  • Digital consent via Eventbrite, Google Forms, or race registration platform
  • Photo platform’s terms of service (RaceResult, Sportity, etc.)

Compliance check:

  • ☐ Does the form use the word “consent”? (Not “agree” or “acknowledge.”)
  • ☐ Does it explicitly name biometric processing? (“We will match your face to your bib number and timing data.”)
  • ☐ Does it name the photo platform and its data storage location? (“Your photos will be stored on [Platform Name]‘s servers in [Country].”)
  • ☐ Does it list each intended use separately? (“Finish-line display” / “Website publication” / “Instagram posts” / “Commercial galleries” — not a catch-all.)
  • ☐ Does it include the right to withdraw consent and the process? (“You can email photos@[yourevent].com to delete your images at any time.”)

If any form fails any check, it is not valid Section 6 consent.

Output: A spreadsheet naming each form, the date it was last used, and compliance gaps.

Action: Create a biometric + usage consent form specific to your event.

Required sections:

  1. Biometric Processing Declaration

    “We will photograph you at the finish line and match your facial features to your bib number and race timing data to identify your results. This is biometric processing under India’s DPDPA 2023.”

  2. Data Storage Location

    “Your photos and biometric data will be stored on [Photo Platform]‘s servers in [Country: US / EU / India].”

  3. Consent Granularity (separately tick each use)

    • ☐ Finish-line display and real-time results
    • ☐ Publication on our website
    • ☐ Instagram / social media posts
    • ☐ Sharing with race sponsors or medal partners
    • ☐ Submission to commercial photo galleries (Shutterstock, Getty, etc.)
    • ☐ Highlight video creation and YouTube publication

  4. Withdrawal Mechanism

    “You can withdraw consent and request photo deletion at any time by emailing [email] with your bib number. We will delete your images within 7 days.”

  5. Signature & Timestamp

    Digital consent with email confirmation, or printed form at bib pickup (retain for 3 years).

Delivery method:

  • Include in race entry email (before registration closes).
  • Include QR code on race bib linking to digital consent re-collection on race morning.
  • Train bib-pickup volunteers to ask: “Have you given consent to photo publication? If not, scan this QR code now.”

Platform requirement: Store consent responses in a secure, audit-able database (not spreadsheets). Log timestamp, IP, consent version, and which uses were ticked. This is your legal defensibility.

Phase 3: Audit Your Photo Platform (Week 3–4)

Action: Contact your race photo platform directly. Ask for written confirmation:

  1. Server location: “Where are runner photos stored?”
  2. Data retention: “How long are photos retained, and how are they deleted?”
  3. Access controls: “Who can download/share runner photos? (Only organiser? Runners? Sponsors?)”
  4. Biometric processing: “Do you use facial recognition, or only manual bib-matching?”
  5. Sub-processing: “Do you share photos with any third parties (galleries, sponsors, analytics)?”
  6. DPA: “Can you sign a Data Processing Agreement (DPA) confirming you are our processor?”

Red flags:

  • “Photos are retained indefinitely.”
  • “Server location varies” or “We use multiple cloud providers.”
  • “Sponsors have direct download access.”
  • “We use AI facial recognition to tag runners.”
  • “No, we don’t sign DPAs.”

If your platform doesn’t provide written, clear answers, switch platforms or add contractual clauses before the next event.

Phase 4: Runner Communication & Consent Collection (Week 4–8)

Action: Launch consent collection 2–4 weeks before race day.

Channel 1: Race entry email Send all registered runners a consent collection email with:

  • Plain-language summary of biometric processing (2 paragraphs).
  • Digital consent form (Google Form / Jotform / Typeform linked to your database).
  • FAQ addressing runner concerns (“Will my photo be sold?” / “Can I opt out of Instagram?”).
  • Deadline to submit (ideally 1 week before race).

Channel 2: Race morning (bib pickup) For runners who missed email:

  • QR code on bib linking to 2-minute digital consent form.
  • Option: printed consent form at bib pickup (pen + clipboard).
  • Clear signage: “Give consent to photography here or your photos will not be published.”

Channel 3: Post-race Email all finishers within 24 hours:

  • Link to their finish-line photo.
  • Reminder: “Your consent choices determine which platforms this photo appears on.”
  • Withdrawal form: “Delete my photos from all channels.”

Compliance checklist:

  • ☐ Consent collection separated from race entry (not bundled).
  • ☐ Consent form is in plain language (not legalese).
  • ☐ Each use is a separate checkbox (not “agree to all”).
  • ☐ Timestamp and IP logged for every submission.
  • ☐ Withdrawal process is simple and tracked.
  • ☐ Audit trail maintained for 3 years.

Penalty Exposure by Violation Type

ViolationSectionMax PenaltyRealistic Trigger
Biometric consent not collected or invalid6₹50 crorePublishing finish-line photos linked to bib numbers without explicit biometric consent
Unconsented cross-border transfer8₹250 croreRunner complains photos stored in US without Section 8 consent
Unconsented photo publication (each channel)6₹50 crore per channelPublishing to Instagram, website, gallery without use-specific consent
Failure to delete after withdrawal12₹50 croreRunner requests deletion; organiser leaves photos on Instagram/website
No retention policy / indefinite storage8₹250 crorePhotos stored on platform with no documented deletion timeline
Child runner without parental consent9₹200 crorePublishing finish-line photo of minor (under 18) without parent/guardian consent
Defiance of Board deletion order33₹150 croreBoard orders deletion; organiser doesn’t comply within 30 days

Key note: Penalties are per violation, not per incident. A batch of 5,000 unconsented finish-line photos = one violation (₹50 crore). If those photos are then published to Instagram without use consent, that’s a second violation (another ₹50 crore). If they’re shared with a sponsor without consent, that’s a third violation (another ₹50 crore). Penalties compound.

FAQ

Can I collect bib-number-to-face consent at race registration on the day of the event instead of in advance?

Technically yes, but it’s riskier. DPDPA Section 6 requires consent to be freely given — meaning runners must feel they have a genuine choice. If consent collection happens at bib pickup (after they’ve paid and travelled to the race), courts may argue consent was coerced. Best practice: collect consent during race entry (2–4 weeks before), with a fallback digital form at bib pickup for latecomers. Document that runners could opt out entirely.

Does every finish-line photo trigger biometric consent, or only if I use facial recognition software?

Every photo that links a runner’s face to their identity (bib, name, race time) is biometric processing — whether automatic (AI facial recognition) or manual (photographer manually tags faces to bibs). The DPDPA definition of biometrics (Section 2(d)) includes facial features used to identify an individual. If your photo platform’s workflow is “match finish-line face → pull runner’s name/time from bib → publish tagged photo,” you’re processing biometric data and need explicit consent.

If a runner asks to delete their biometric face-to-bib record after the race, must I comply immediately?

Yes — DPDPA Section 12 requires you to delete personal data (including biometric data) within 30 days of a valid erasure request. The runner should email a deletion request with their bib number; you must then: (1) delete the photo from your storage, (2) request the photo platform delete the image, (3) delete it from any published channels (Instagram, website, galleries), (4) confirm deletion to the runner in writing. Failure = ₹50 crore penalty. Do not wait for the runner to re-request or claim “we’ll delete it when the race season ends.”

Can I use Pixieset or other cloud platforms for race photos if I don’t collect explicit Section 8 (cross-border) consent?

No. Pixieset’s servers are in the US. If your consent form says “Your photos will be stored securely on our platform” without naming Pixieset or the US, that’s not valid Section 8 consent. Your consent form must say: “Your photos will be stored on Pixieset’s servers in the United States.” Runners must explicitly tick consent to that jurisdiction. If your photo platform’s server location is unclear or changes, re-consent runners before uploading new photos.

If a runner finishes the race without seeing any signage about photography, and I publish their photo without consent, can I claim they implicitly consented by participating?

No. DPDPA Section 6 requires consent to be explicit — not inferred from participation or silence. Implicit consent does not satisfy the law. Even if your race entry form mentioned “photography may occur,” biometric-specific consent (matching face to bib) is a separate, more intrusive processing and needs separate, explicit consent. Publish without documented consent = ₹50 crore violation.

Do I need separate consent from runners aged 18+ and parents/guardians of runners under 18?

Yes. Runners aged 18+ can give their own Section 6 consent.

race photography platform DPDPA compliancemarathon bib biometric consentrace photo consent Indiasports event runner photo consentmarathon finish line DPDPA
VERIFIED DPDPAReady Editorial Desk 4 JUN 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →