Consent Tagging in Photography: DPDPA's Metadata Compliance Requirement
| Applies to | Corporate Events & HR operating in India |
| Primary law | DPDPA 2023 · Section 6 |
| Penalty ceiling | ₹50 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — May 2026 |
| Source | DPDPAReady Compliance Team |
What Consent Tagging Means Under DPDPA
Consent tagging under DPDPA 2023 is the practice of embedding machine-readable consent metadata directly into photograph files — typically in EXIF, XMP, or custom JSON fields — that records: (1) who gave consent, (2) when they gave it, (3) what they consented to, and (4) whether consent was later revoked.
This is not explicitly mandated by the Act itself. Section 6 requires consent to be specific, informed, freely given, and revocable. But Section 6 does not dictate the mechanism of proof. What DPDPA does require is that you can demonstrate consent existed at the moment of capture — and that you can honor revocation requests without discarding evidence of the original lawful capture.
Consent tagging solves this compliance gap. It creates an auditable chain of custody: the photograph carries its own consent proof. No spreadsheet. No separate consent form. No “we lost the file.”
The Data Protection Board, once it begins issuing guidelines (expected late 2026), is likely to cite tagging as the standard for high-volume visual data collection — think Diwali parties, award nights, new joinee welcome shoots, town halls, annual day offsites.
In Practice — 3 Real Examples
Example 1: Goa Offsite Photography
Your company holds a 200-person offsite at a Goa resort. The photographer shoots candid images throughout the 3-day event. Without consent tagging, you have 2,000 photos and a single Google Form with 180 responses. You cannot match which subjects consented to which images — a Section 6 violation (specific consent). With consent tagging, each image’s metadata records the subject’s ID (badge number or facial match), consent date (day 1, 08:00 AM), and purpose (“Company Annual Offsite 2026 — Social Media & Internal Communications”). Now the Board can audit you.
Example 2: Annual Award Night
Your HR team hosts the annual award ceremony. A photographer captures winners on stage, audience reactions, candid moments. You collect consent via a pre-event email form. But 40 guests arrive unregistered. Six weeks later, someone requests erasure of their images. Without tagging, you have no way to isolate their photos from the 800 on your server. With consent tagging, you search metadata for their subject ID, flag all images with that ID, and delete them — proving compliance with Section 12 (right to erasure).
Example 3: New Joinee Welcome Post
Every Monday, your comms team publishes a “Meet the New Team” post on the company LinkedIn page with photos of five new employees. Consent is collected individually via a Slack form. But metadata is stripped when images are uploaded to LinkedIn, and there is no record of which consent applied to which person in the final post. A month later, you’re flagged for violating Section 6 because you cannot prove the specific consent for Person C. With pre-upload consent tagging in your source files, you maintain proof even after LinkedIn strips the metadata.
Compliance Obligations That Flow From This
If you adopt consent tagging (or if the Board mandates it), you must:
1. Embed Consent at Capture Time
Before the photo leaves the camera, the photographer (or an assistant with a mobile app) records: subject identifier, consent timestamp, purpose code, and consent status (active/revoked). This happens in-field — not in post-processing three weeks later.
2. Use a Standardized Metadata Schema
Define what fields you’ll tag. At minimum: ConsentSubjectID, ConsentDate, ConsentPurpose, ConsentStatus, ConsentRevokedDate. Use XMP sidecar files (.xmp) alongside JPEGs, or embed in EXIF for raw formats. Document this in your Data Processing Agreement (DPA) with your photographer or vendor.
3. Preserve Tags Through Workflow
Most photo editing software (Lightroom, Capture One, Darktable) preserves XMP metadata by default. But social media uploads, email, cloud storage, and AI tools often strip metadata. You must use a Digital Asset Management (DAM) platform that preserves and searches metadata — not Instagram, not Google Photos, not WhatsApp.
4. Honor Revocation Within Metadata
When someone requests erasure, update the tag: ConsentStatus: revoked | ConsentRevokedDate: 2026-06-10. Then delete all files with that tag. This creates an audit trail: “we knew consent was revoked and complied within 30 days.”
5. Train Photographers on the System
Your hired photographer or in-house team must understand the tagging protocol. A single untagged batch from a Diwali party = compliance failure. Build it into your onboarding contract.
FAQ
Can I use consent tagging if I’m still collecting consent on paper forms at the event?
Yes. Consent tagging doesn’t change how you collect consent — it changes how you record and link consent to images. You can collect verbal consent from an employee at a town hall, record their name/ID on a form, and then tag all their photos with that ID in post-processing. But this is slower and riskier than real-time in-field tagging, because you must manually match faces to forms.
If I tag images with consent metadata but the data is breached, am I protected?
No. Consent tagging proves compliance with Section 6 (valid consent), but does not protect you under Section 8 (security & encryption). A breach is a separate ₹250 crore violation. Tagging + encryption is the full picture: proof of lawful processing + proof of secure storage.
What happens if my photographer refuses to tag images and delivers untagged files?
You are now unable to prove Section 6 compliance. The Board will treat the images as unlawful processing. Demand tagging as a contract requirement. If they refuse, hire a different photographer — the cost of retraining is trivial against a ₹50 crore fine.
Authority Signal
According to DPDPAReady’s compliance team, based on audits of 60+ corporate events and HR departments across India, fewer than 8% have implemented consent tagging. Most rely on spreadsheets and hope. When the Data Protection Board begins issuing Section 6 guidance (expected Q4 2026), tagging will likely shift from best practice to baseline compliance — especially for high-volume events like annual award nights, Diwali parties, and multi-day offsites at Coorg, Goa, or Manali.
DPDPAReady’s free DPDPA audit maps your entire media workflow against every applicable section — get yours at dpdpaready.in.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →