Section 4 Legal Grounds: How Wedding Photographers Can Collect Client Data Lawfully
| Applies to | Wedding Photographers & Photography Studios operating in India |
| Primary law | DPDPA 2023 · Section 4 |
| Penalty ceiling | up to ₹150 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-06 |
| Source | DPDPAReady Compliance Team |
Section 4: The Legal Foundation for Wedding Photography Data Processing
When a couple books you for their wedding, they hand over their phone number, email, their parents’ names, preferred dates, venue details, guest list size, and sometimes dietary restrictions. Under the DPDPA 2023, none of that data can be collected or stored without a lawful basis—and that basis must come from Section 4 of the DPDPA.
Section 4 is the gatekeeper. It specifies the precise legal grounds that make your data collection lawful. If you collect wedding client data without establishing one of these grounds first, you’re in breach—regardless of how secure your systems are or how transparently you’ve explained your Privacy Policy. Breaches of Section 4 can result in penalties up to ₹150 crore.
What Section 4 Actually Says
The Act specifies:
“A fiduciary shall not process personal data unless it has obtained the prior informed consent of the individual, or: (a) the processing is necessary for the fiduciary to perform a function authorised or required to be performed by law; (b) the processing is necessary for the fiduciary to exercise or perform any duty imposed, conferred, or required to be conferred or imposed by law; (c) the processing is necessary for employment-related obligations; (d) the processing is necessary for the vital interests of the individual; (e) the processing is in respect of an individual who is a member of, or is seeking membership in, a professional or trade association; (f) the processing is necessary for compliance with any order, decree, or judgment of any court or other judicial authority; (g) the processing is in relation to any debt owed by the individual; (h) the processing relates to personal data which has previously been made available or is otherwise in the public domain; or (i) such other grounds as may be prescribed.”
For wedding photographers, most data collection will rely on either prior informed consent or Section 4(c) employment-related grounds (if you’re storing employee data) or Section 4(i) grounds prescribed later (if the government creates safe-harbor rules for specific industries).
6 Steps to Establish Legal Grounds Under Section 4
Step 1: Identify Which Legal Ground Applies
Before you collect any data from a couple, ask: Which Section 4 ground justifies this collection?
- Couple’s name, phone, email, wedding date → Prior informed consent (most common)
- Photographer’s employee records → Section 4(c) employment grounds
- Family members’ names (to address invites) → Prior informed consent from the couple
- Guest dietary restrictions → Prior informed consent
- Payment card details → Prior informed consent (or payment processor’s basis)
Document this decision. For wedding photography, prior informed consent is the primary ground.
Step 2: Obtain and Document Prior Informed Consent
“Prior informed consent” is not just a checkbox on your website. Section 4 requires the consent to be:
- Prior: Given before you collect the data, not after the booking is confirmed
- Informed: The individual must know what data you’re collecting, why, and how long you’ll keep it
- Explicit: They must actively agree (no pre-ticked boxes, no silence-as-consent)
Action: Before collecting data, display a clear data collection notice that specifies:
- Which data you collect (name, email, phone, family members’ names, photos/videos)
- Why you’re collecting it (wedding photography, editing, future marketing with fresh consent)
- How long you’ll retain it
- Who you might share it with (editor, album printing company, cloud storage)
Obtain affirmative consent—a checkbox, a signature on the booking form, or digital agreement.
Step 3: Create a Record of Grounds for Each Data Category
Don’t collect all data under one “consent” button. Break it down by purpose:
| Data Category | Legal Ground | Retention Period | Basis Document |
|---|---|---|---|
| Client name, phone, email, wedding date | Prior consent (Section 4) | 3 years or until wedding delivered | Signed booking form |
| Wedding venue details, guest count | Prior consent (Section 4) | 3 years | Booking form consent clause |
| Family members’ names | Prior consent (Section 4) | 3 years | Separate invite-list consent |
| Photos/videos of clients and venue | Prior consent (Section 4) | 7 years (copyright + portfolio) | Separate photo/video release |
| Payment information | Prior consent + processor basis | Transaction period + 7 years | Booking form + processor agreement |
This table becomes your Grounds for Processing register. Keep it updated and auditable.
Step 4: Communicate Grounds to Clients Upfront
Your booking form, contract, or email should state:
“We collect your name, phone, email, and wedding date under your prior informed consent (Section 4, DPDPA 2023). We retain this data for 3 years to deliver your wedding photography services, provide customer support, and (if you consent separately) share anniversary or referral offers. You may request deletion anytime.”
Explicit, clear, no legalese needed—just plain language that explains the ground and the purpose.
Step 5: Store Consent Records Securely
If a DPDP Authority inspector asks, “Show us your legal ground for processing Couple X’s phone number,” you must produce the record. Keep:
- Signed booking forms with consent clauses
- Screenshots of consent checkboxes (with timestamp)
- Email confirmations where the client consented
- Any data-collection notices you provided before collecting data
These become your proof that you established Section 4 grounds before processing.
Step 6: Update Grounds When Processing Purposes Change
A common mistake: A photographer collects a couple’s email for wedding delivery, then two years later uses that email to send them holiday-season photography offers without fresh consent.
This is a breach of Section 4. The original ground (wedding delivery) does not extend to marketing. New processing purpose = new Section 4 ground required.
Action: Before using stored data for a new purpose (marketing, portfolio publication, referral requests), obtain fresh consent or establish a different Section 4 ground.
Common Legal Grounds Wedding Photographers Can Use
Prior Informed Consent (Section 4, Default)
When: Every time you need to collect data beyond what’s absolutely necessary for the wedding delivery service.
How: Explicit, documented consent from the couple before collecting data.
Example: “We’ll store your contact details to deliver your wedding album, share proofs, and (if you consent separately) send you anniversary reminders. Consent? [Yes / No]“
Legitimate Interest (Section 4(i), If Prescribed Later)
The government may later prescribe “legitimate interest” as a ground under Section 4(i). If it does, photographers might rely on it for:
- Storing past clients’ contact details to send print-offer campaigns (if couples have a genuine relationship with you and their privacy interests are balanced)
Caution: Prescribed grounds are not yet available as of June 2026. Do not claim “legitimate interest” now—only use grounds listed explicitly in Section 4.
Employment Grounds (Section 4(c), For Employees Only)
If you’re a photography studio with employee photographers, you can collect employee data under Section 4(c) for:
- Payroll, tax filings, employment contracts, leave records
- Do NOT confuse this with client data—your employees’ grounds are separate from your couples’ grounds.
Frequently Asked Questions
Q: I already collected dozens of couples’ phone numbers without a Section 4 ground. Am I in violation?
A: If you collected the data before June 11, 2026 (DPDPA enforcement date), you’re technically not liable for that historical data—the Act does not apply retroactively. However, going forward, you must establish a Section 4 ground before collecting new data. If enforcement centers on data collected after June 11, 2026, the lack of a Section 4 ground is a violation. Minimize exposure: obtain retroactive consent from past couples if you plan to retain and process their data beyond the original purpose.
Q: Can I use my Privacy Policy alone as proof of Section 4 grounds?
A: No. A Privacy Policy describes your practices; it does not establish a legal ground for processing. You need an affirmative consent mechanism (signed form, checkbox, email confirmation) that shows the individual explicitly agreed to let you process their data under that specific ground, at that specific time. A privacy policy is necessary but not sufficient under Section 4.
Q: My booking form says “I agree to your Privacy Policy.” Is that prior informed consent under Section 4?
A: Only if your Privacy Policy clearly states: (1) what data you’re collecting (name, phone, email, photos, etc.); (2) why (wedding delivery, editing, future marketing); (3) for how long; and (4) to whom you’ll share it. And only if the couple explicitly ticks a box or signs a line saying they consent after reading this information. A generic “I agree to the Privacy Policy” checkbox, without clear prior disclosure of data use, is not compliant with Section 4’s “informed consent” requirement.
Q: If a couple asks me not to retain their data after the wedding, do I have to delete it?
A: Not immediately. Section 4 grounds allow retention as long as necessary for the purpose. For wedding photography, “necessary” typically means: (1) 3 years for after-sales service (reprints, edits, album updates); or (2) 7 years if you retain photos for copyright/portfolio purposes (Section 17 governs copyright separately). However, if the couple explicitly requests deletion and you have no further legitimate need, you should delete or anonymize their personal data. If you retain their email for future marketing, that’s a new purpose and requires new Section 4 grounds (fresh consent).
Q: What if a venue coordinator or event planner sends me guest lists with names and phone numbers? Do I need Section 4 grounds for that data?
A: Yes. Even if a third party provided the data, you are now the “fiduciary” processing it. You must establish a Section 4 ground before using it. Best practice: inform the coordinator that you can only use guest-list data if couples or guests have consented to you holding their contact details. Get a signed statement from the coordinator confirming they obtained consent from couples to share guest lists with you. Or, obtain fresh consent from each couple explicitly authorizing you to receive and store guest-list data. Alternatively, ask the coordinator to handle guest communications directly—you store only the couple’s own contact details (obtained separately with their consent).
Q: Our payment processor stores the couple’s card details. Do I need Section 4 grounds for that?
A: Technically yes—but responsibility is shared. Your payment processor (e.g., Razorpay, Stripe) is a separate fiduciary with its own Section 4 grounds (usually contractual relationship and its own privacy policy). You, the photographer, process the transaction data (amount, date, couple’s name, card last 4 digits) and must establish a Section 4 ground for that. Most photographers satisfy this via “prior informed consent”—the couple agrees to pay you, which implicitly grants consent to process payment data. Still, explicitly state in your booking terms: “We collect payment information under your consent to complete your booking.” This removes ambiguity and documents your Section 4 ground clearly.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →