DPDPA 2023 Compliance

School Yearbook Photos Are Biometric Data Under DPDPA — Here's the Compliance Gap

12 June 2026 · DPDPAReady Editorial · ~5 MIN READ


Applies to	Schools & Educational Institutions operating in India
Primary law	DPDPA 2023 · Section 9
Penalty ceiling	₹200 crore per violation
Enforcement status	Data Protection Board accepting complaints — May 2026
Source	DPDPAReady Compliance Team

The Yearbook Liability Schools Don’t See Coming

Your school’s annual yearbook contains thousands of facial images of children. Under the Digital Personal Data Protection Act 2023 (DPDPA), each child’s photograph is biometric personal data — not just a picture. Section 9 requires verifiable parental consent before the camera shutter closes, not after the yearbook is printed.

Most Indian schools — CBSE, ICSE, and state board institutions alike — collect this consent through a single generic form signed at admission or a hastily circulated WhatsApp message from the principal. Neither satisfies DPDPA’s definition of “verifiable parental consent.” When the Data Protection Board begins enforcement (live since May 2026), schools will face penalties up to ₹200 crore per violation — meaning each unconsented yearbook batch, each sports day photo set, each annual day livestream becomes a separate violation. A school with 500 children in a yearbook, each photographed without explicit written consent, faces exposure of ₹100 billion across violations in theory, though realistic assessments by DPDPAReady’s audit teams suggest enforcement will cluster around institutional patterns rather than per-child calculations.

School Photography’s 3 Specific DPDPA Risks

Yearbook photographs, annual day candids, sports day bib-matching, inter-house competition shots — all contain facial biometric data. DPDPA Section 9(1) states: “No fiduciary shall process the personal data of a child unless the parent or guardian of the child has given verifiable consent.”

The word “verifiable” means the school must produce proof that consent was collected before processing. A verbal agreement, a retroactive email, or a signature on a general admission form does not satisfy this standard. Schools typically fail here:

Annual yearbook rounds: Photographers shoot hundreds of images in a single day. Consent forms signed weeks or months earlier are not “verifiable” for that specific shoot unless timestamped and photo-linked.
Candid event photography: Sports day relay races, inter-house competitions, Republic Day parade rehearsals — these are often shot without any pre-event consent collection. “Students and parents knew photos would be taken” is not legal documentation.
Posthumous consent: Many schools collect consent after yearbook photography is complete, then print it anyway. This is a direct Section 9 violation.

Realistic trigger for penalty: A parent files a complaint that their child’s facial data appears in the yearbook without their personal written consent (not a blanket school form). The Data Protection Board requests the school’s consent records. The school produces a single page signed at admission; the Board determines the school cannot prove consent was collected for that specific yearbook batch. Penalty issued: ₹50–200 crore, depending on the volume of children affected and whether the school is a repeat offender.

Section 9(2) explicitly forbids schools from engaging in “any activity which involves tracking, behavioral profiling, or automated decision-making of the personal data of a child.” Many schools unknowingly violate this through:

School apps (Fedena, Edupro, Juno): If the app includes features that flag, score, or predict student behavior based on attendance, assignment submission, or social interactions, this is automated decision-making. Yearbook data fed into these systems to cross-reference student performance is profiling.
YouTube livestreams of annual day, sports day, inter-house competitions: If the school uses analytics to track which children are watched repeatedly, which videos get paused at specific children’s performances, or uses this data to create “star student” profiles for future opportunities, this triggers Section 9(2).
WhatsApp parent groups + yearbook distribution: Schools often share yearbook PDFs via WhatsApp groups, then monitor who downloads, shares, or forwards the file. This metadata is behavioral data tied to children’s images.

Realistic trigger for penalty: A parent notices their child’s sports day photo is tagged in the school’s internal performance-tracking spreadsheet (shared between teachers via the school app). The child’s image is linked to their athletic score, used to identify “high-performing” students for sponsorship. The parent complains that the school is profiling their child using biometric data. The Board finds that the school never collected consent for this specific use (performance ranking), only for “yearbook photography.” Separate violation under Section 9(2).

Risk 3: Retention & Erasure Defaults in School Management Systems

Section 8 requires schools to delete children’s images after the “purpose is fulfilled.” For a yearbook, this means:

After the yearbook is printed and distributed (typically 12 months after the shoot)
After the child graduates or transfers schools

Section 12 gives children (via parents) the right to request erasure. Schools fail here because:

School management system backups: Fedena, Edupro, and Juno store images in cloud backups that schools never configure for automatic deletion. A child’s image remains in the system backup 5 years after graduation.
School website archives: Annual day videos, sports day photos, inter-house competition results posted on the school website remain indexed by Google even after the school intends to take them down.
No audit trail: Schools don’t document what happened when a parent requested erasure. Did the school delete from the yearbook database? The website? The school app? The WhatsApp group? Without this trail, the school can’t prove compliance with Section 12.

Realistic trigger for penalty: A student graduates in 2025. In 2028, they request erasure of all photos from their time at school. The school deletes the yearbook PDF from the website but leaves the image in the Fedena cloud backup, the Google Photos shared drive used by teachers, and a 2024 “10-year school memories” video posted on YouTube. The student’s parent files a Board complaint citing incomplete erasure. The Board finds the school failed Section 12 obligations. Penalty: up to ₹50 crore for erasure failure.

Your School’s 4-Week Compliance Roadmap

Week 1: Audit Current State

Day 1–2: Map all image sources

Where are yearbook photos stored? (School photographer’s hard drive, cloud folder, school app, website, YouTube, WhatsApp, Google Drive, printed yearbooks)
Which systems access child photos? (Fedena, Edupro, Juno, school website CMS, email, shared drives, local machines)
Who has access? (IT staff, teachers, photographers, parents, vendors)

Day 3–4: Collect existing consent

Retrieve all yearbook, annual day, sports day, inter-house competition, Republic Day parade consent forms from the past 3 years.
Check the admission form — does it include photography consent? If yes, does it specify what photography and for what purposes?
List any children for whom no written consent exists.

Day 5: Retention audit

When were the oldest yearbook photos taken? Are they still stored anywhere?
Have you ever deleted a batch of photos? Can you prove it?
How many graduates’ images are still in active systems?

Deliverable: A one-page spreadsheet listing all storage locations, retention timelines, and consent gaps.

Day 1–2: Draft new consent form Must include:

Child’s name, age, date of consent collection
Specific purpose(s): “yearbook photography only” OR “yearbook + annual day livestream” (not blanket “school events”)
What media will be created: “printed yearbook” OR “school website” OR “YouTube livestream”
How long will images be kept: e.g., “12 months after yearbook is printed”
Right to refuse or withdraw consent (must be honored)
Parent/guardian signature with date and time
School’s signature (authorized staff member, not just administrator stamp)

Day 3: Design consent collection schedule

Yearbook: Consent forms distributed 2 weeks before shoot day. Collect by Day 10. Shoot on Day 15. Document which consent forms were received.
Annual day / sports day / inter-house competitions: Consent forms sent to parents 3 weeks in advance. Collect at least 1 week before the event.
Republic Day parade: Consent during the academic year, not day-of.
Livestreams: Separate consent question: “Do you consent to live video broadcast on YouTube?” (Many parents will say no to livestream but yes to yearbook.)

Day 4–5: Establish retention & deletion SOP

For yearbook: Delete all raw photos 12 months after final yearbook is delivered to students.
For annual day / sports day candids not used in yearbook: Delete after 6 months (or per your school’s stated retention policy).
For graduation/transfer: Parent requests erasure → delete from all systems (app, website, backups, school drives, teacher emails) within 15 days.
Maintain a deletion log: Date, child name, image batch, deletion method, staff member who executed deletion.

Deliverable: Signed consent form template + retention schedule poster (for staff room).

Week 3: Implement & Communicate

Day 1–2: Train staff

Photography rules: “Do not shoot until you have verified written consent for this child.”
For sports day / inter-house competitions: Teachers must cross-check the consent list before uploading candids to the school app.
WhatsApp rules: “Do not share yearbook PDFs or event photos in parent groups without confirming consent has been collected for all children in the image.”

Day 3–4: Notify parents

Send a letter to all parents explaining the new consent process. Frame it as “protecting your child’s privacy” (not “the school is now legally required to”).
Distribute new consent forms for the upcoming yearbook / annual day / sports day.
Set a clear deadline for form submission (at least 10 days before the event).

Day 5: Update school website & app

If the school website contains old yearbook photos or sports day images without a clear retention statement, add a footer: “These images are archived and will be deleted by [date].”
In Fedena / Edupro / Juno: Configure any auto-backup or archival settings to exclude children’s images after 12 months, or manually delete them on schedule.

Deliverable: Staff training slides + parent letter + updated website privacy notice.

Week 4: Document & Audit Closure

Day 1–2: Create consent & retention register

Spreadsheet: Child name, DOB, event (yearbook/annual day/sports day), date consent collected, parent signature, retention end date, deletion date (when applicable).
This register is your proof of compliance if the Board ever audits.

Day 3–4: Deletion execution (for out-of-retention images)

Delete yearbook photos older than 12 months from all systems.
Delete annual day / sports day photos older than 6 months.
Document each deletion with timestamps.

Day 5: Compliance checklist sign-off

Principal / school management sign-off on the new process.
File a copy of the signed checklist with the consent forms and deletion logs.

Deliverable: Consent & retention register + deletion log + Principal sign-off.

Penalty Exposure by Violation Type

Violation	DPDPA Section	Max Penalty	Realistic Trigger
No verifiable parental consent for yearbook photos	9(1)	₹200 crore	Yearbook printed & distributed without written consent from parents. Per unconsented batch = per violation.
Consent form signed at admission, but not specific to yearbook event	9(1)	₹50–200 crore	Blanket consent form does not list “yearbook photography” explicitly. Parent disputes consent for this specific use.
Behavioral profiling via yearbook data (e.g., cross-referencing photos with school app performance scores)	9(2)	₹200 crore	School uses child’s image linked to performance metrics without separate consent for profiling.
Livestreaming annual day / sports day without explicit consent for video broadcast	9(1)	₹50–200 crore	Parent consented to in-person photography but not YouTube livestream. Separate consent required.
Yearbook photos retained beyond stated retention period (e.g., >12 months)	8	₹250 crore	School fails to delete yearbook photos from cloud storage after retention period. Applies to Section 8 (security & storage).
Parent requests erasure; school deletes from website but not from app/backup	12	₹50 crore	Partial deletion is not deletion. All copies (app, backup, teacher emails, shared drives) must be removed.
School shares yearbook PDF in WhatsApp parent group without documenting consent for all children in images	6 (notice) + 9(1)	₹50–200 crore	Sharing personal data without proof of consent is a separate violation from the original photography.
No deletion log; cannot prove yearbook photos were deleted after retention period	8 + 12	₹50–250 crore	Absence of deletion documentation is treated as failure to delete. Board may presume data still retained.

FAQ: School Yearbook & DPDPA

Can we collect yearbook consent through a Google Form sent to parents via WhatsApp? Yes, if you retain proof: the Google Form submission timestamp, the parent’s email address (matches school records), and a clear statement in the form (“I consent to photography for the 2026 yearbook only”). However, written or digital consent is acceptable under Section 9 — but you must store the form response as evidence. If the parent claims they never saw the WhatsApp message, or their account was accessed by someone else, a paper form with a physical signature is stronger proof.

If a parent consents to yearbook photography but not to annual day livestream, and we accidentally post a sports day video that includes their child on YouTube, are we liable? Yes. The parent’s consent is specific to yearbook. Publishing the child’s video on YouTube is a different purpose and a different medium. This is a Section 9 violation — processing personal data of a child without verifiable consent for that specific use. Liability is strict; the fact that it was “accidental” does not remove the violation. Practical exposure: ₹50–200 crore if the Board finds the school failed to implement consent-checking before uploading videos.

Do we need fresh consent every year for the yearbook, or can we collect multi-year consent at admission? Fresh consent for each event is safest. A blanket multi-year consent (“my child may be photographed at any school event during their time here”) does not satisfy Section 9’s specificity requirement. If a parent signed this in 2024 and you use it for the 2026 yearbook, the Board may challenge whether the parent understood they were consenting to yearbook photography 2 years later. Best practice: Consent form distributed 2–3 weeks before each yearbook shoot, specific to that year’s yearbook.

If a student turns 18 during their final year, can we collect yearbook consent directly from the student instead of the parent? Legally, no. DPDPA Section 9 applies to anyone under 18 years old. If the student is 18 at the time of the shoot, you may collect consent directly from the student. If they are 17 at the time of shooting but will turn 18

school yearbook DPDPA compliance Indiachildren's data DPDPA Section 9school photo consent forms Indiaparental consent school photographyDPDPA school compliance checklist

VERIFIED • DPDPAReady Editorial Desk • 12 JUN 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →