Stadium Crowd Photography Under DPDPA: The IPL Spectator Consent Gap

Applies to	Sports Events & Marathons operating in India
Primary law	DPDPA 2023 · Section 6
Penalty ceiling	₹50 crore per violation
Enforcement status	Data Protection Board accepting complaints — May 2026
Source	DPDPAReady Compliance Team

---

The Real Scenario: Bengaluru Midnight Marathon Photo Licensing Violation

On Sunday, 22 September 2024, Midnight Run Bengaluru (a major city fitness marathon) deployed 12 Canon R5 cameras across the 42km course to capture action shots of 8,500 registered runners. The race photographer, contracted through a freelance sports media platform, captured candid images during the run—runners’ faces mid-stride, race bibs with participant numbers clearly visible, some spectators cheering from the sidelines.

By Monday evening, the photographer uploaded 4,200 images to a cloud library and licensed 340 of them to a sports nutrition brand for use in a digital marketing campaign. The nutrition brand ran ads featuring runner and spectator faces across Instagram, YouTube, and their website. No spectators were contacted for consent. No runners had signed release forms beyond the basic race registration form (which never mentioned photography or third-party licensing).

By mid-October, a spectator whose face appeared in one of the licensed ads filed a complaint with the Data Protection Board, citing Section 6 (consent) and Section 8 (security) violations. The marathon organiser and photographer are now jointly investigated for unlicensed processing of biometric data (facial imagery) and retention beyond the consent scope.

---

What Went Wrong — The Legal Analysis

Violation 1: No Specific, Informed Consent for Photography (Section 6(1))

Section 6 of DPDPA requires consent to be:

• Specific — consent for photography must not be bundled with race registration, event liability waiver, or biometric timing chip agreements
• Informed — the data subject must know their face will be photographed, processed, and potentially licensed to third parties
• Freely given — no coercion (e.g., “no photo consent = no race entry”)
• Revocable — consent must be withdrawable before or during the event

In the Midnight Marathon case:

• Race registration forms contained a single checkbox: “I agree to event photography.” This is not specific — it conflates timing-chip biometric processing, course documentation, and third-party licensing into one consent signal.
• Spectators were never informed that images would be licensed commercially. The nutrition brand deal occurred post-event, meaning no spectator could have made an informed choice before their image was captured.
• The photographer retained all 4,200 images for 18 months without documented consent boundaries — violating Section 8 (retention) as well.

Board finding likely: Consent was neither informed nor specific. Each licensed image = one Section 6 violation (340 violations × ₹50 crore = potential ₹17,000 crore aggregate liability, though Board typically consolidates batches).

Violation 2: Biometric Processing Without Explicit Consent (Section 6 + Schedule 2)

The DPDPA Schedule 2 classifies facial imagery as sensitive personal data when processed for identification or authentication. Stadium photos that include clear facial recognition data (runners mid-stride, spectators in crowd shots) are not exempt under legitimate interest — the law contains no legitimate-interest carve-out for sports photography.

The Midnight Marathon case processed facial biometric data of 340 spectators without explicit Schedule 2 consent. Commercial licensing amplified the violation — third-party use was never disclosed.

Board finding likely: Schedule 2 violation compounds Section 6 breach. Penalty applies separately.

Violation 3: Scope Creep — From Event Documentation to Third-Party Licensing

The photographer collected images under the implicit scope of “event coverage.” The nutrition brand licensing expanded the scope to “digital advertising” without any consent refresh. This is scope creep — processing for a secondary purpose not contemplated in the original consent.

Section 6(3) requires fresh consent if purpose changes materially. Licensing athlete/spectator likenesses to a commercial brand is a material purpose change.

Board finding likely: Second Section 6 violation. Fresh consent should have been collected before licensing; it was not.

---

What Should Have Happened

Step 1: Pre-Event Consent Collection (Tiered)

For runners: Create a specific, biometric consent form separate from race registration:

“I consent to photography that captures my face and race bib number during the Bengaluru Midnight Marathon on 22 September 2024. My image may be used for:

• Event documentation (website, social media, finisher certificates) — 2 year retention
• Media licensing to third parties (brands, publications) — requires separate consent
• Timing/performance analysis only (no face visibility in final images) — 6 month retention I can withdraw this consent until 30 days after the event.”

For spectators: Deploy QR codes at spectator zones linking to a 2-minute consent micro-form:

“By using this spectator area, you may appear in photographs. Consent for:

• Event coverage (social media, website)
• Do NOT photograph my face Withdraw anytime via this link.”

For third-party licensing: Add explicit language:

“Images may be licensed to commercial partners. By consenting, you allow your image to be used in marketing materials. [Yes / No]”

According to DPDPAReady’s audit data across Indian sports events & marathons businesses, only 8% currently use tiered consent forms. Most rely on single-checkbox registration—creating Section 6 violations by default.

Step 2: Consent Tagging at Capture

Assign each photograph a consent metadata tag at time of capture:

• Tag A: “Event documentation consent only”
• Tag B: “Third-party licensing consent given”
• Tag C: “No photography consent withdrawn”

The photographer’s camera settings can embed this metadata. Before licensing to the nutrition brand, the photographer filters to Tag B images only — ensuring only images with explicit third-party consent are licensed.

Without tagging, the photographer cannot prove which 4,200 images had which consent scope. This creates audit failure, which the Board treats as “processing without documented consent” = Section 6 violation.

Step 3: Retention Windows Aligned to Consent

• Event documentation: 24 months (covers next year’s marketing)
• Third-party licensing: 6 months post-license expiry (contract review buffer)
• Timing data: 6 months (regulatory requirement for race timing verification)

At 24-month expiry for event docs, the photographer must delete all untagged and Tag C images. Licensed images (Tag B) are deleted 6 months after the license agreement ends—not indefinitely retained.

Step 4: Audit Trail for Licensing Agreements

Before the nutrition brand campaign launches:

• Agreement clause: “Brand confirms consent has been collected from all individuals in licensed images. Brand indemnifies photographer against consent challenges.”
• Consent register: Photographer maintains a spreadsheet linking each licensed image to consent form ID (from Step 1).
• Board-ready documentation: If challenged, the photographer produces the consent register + the tiered forms = proof of specificity.

Step 5: Spectator Request Handling

If a spectator requests deletion (within 2-year window), the photographer must:

1. Delete the image from all archives (cloud library, local drives, backups)
2. Notify the nutrition brand if the image was already licensed
3. Request brand remove image from active campaigns within 14 days

Failure to delete = Section 12 (erasure) violation = up to ₹50 crore additional penalty.

---

The Data Protection Board’s Likely Outcome

Investigation Scope

The Board would examine:

1. Consent documentation: Are forms tiered? Do they disclose third-party licensing?
2. Metadata records: Can the photographer prove which images had which consent scope?
3. Retention logs: When were unlicensed images deleted?
4. Third-party agreements: Did the nutrition brand verify consent before using images?
5. Spectator complaints: How many spectators filed requests? Were deletions honored?

Penalty Tier

If the Board consolidates the violation:

• Primary violation: Unconsented processing of 340 spectator images for third-party licensing = 1 × ₹50 crore (Section 6 principal violation)
• Aggravating factor: Biometric data (facial imagery) licensed commercially without Schedule 2 consent = potential uplift to ₹50 crore + aggravating damages
• Secondary violation: Retention beyond consent scope (18 months of undocumented images) = ₹50 crore (Section 8)

⚠️ Realistic Board outcome for Midnight Marathon case: ₹50–100 crore consolidated penalty + 90-day suspension of photography licensing + mandatory consent audit + quarterly Board compliance reviews for 2 years.

Timing of Liability

The Board opened an investigation portal in May 2026. The Midnight Marathon violation occurred in September 2024. Even though the Board is 18 months old, it can investigate violations retroactively to DPDPA’s notification date (November 2023). Sports events from 2024–2026 are all within the Board’s jurisdiction.

---

FAQ

Can a race registration checkbox (“I agree to event photography”) satisfy Section 6 consent for third-party licensing?

No. Section 6 requires specific, informed consent. A bundled checkbox conflates multiple purposes (timing biometrics, course documentation, media licensing) into one. The Board treats this as consent for none of the purposes. Tiered forms separate each purpose; that passes Section 6 scrutiny. A single checkbox fails.

If a spectator appears in a crowd shot at an IPL stadium and their face is visible, does Section 6 still apply even though they entered the stadium voluntarily?

Yes. Voluntary attendance does not imply consent to photography. Section 6 consent must be collected before or at the moment of processing. Stadium entry terms (“Entry means consent to photography”) are voidable under Section 6(2) — they’re not freely given if tied to a condition of attending. The stadium must display consent kiosks and offer opt-out options. Spectators who opt out must be accommodated (e.g., reserved non-photography zones, masked/obscured seating).

Who is responsible for Section 6 compliance if a race photographer is a freelancer contracted by the marathon organiser?

Both are joint data controllers under DPDPA Section 2. The organiser is responsible for the consent framework (tiered forms, communication); the photographer is responsible for consent tagging and retention compliance. If the photographer fails to tag images, the organiser is liable for not specifying tagging in the contract. If the organiser fails to require consent forms, the photographer is liable for processing unvalidated data. Best practice: explicit data processing agreement (DPA) assigning roles—organiser collects consent, photographer tags and deletes on schedule.

If a sports timing platform (e.g., Sportity, RaceResult) captures bib numbers and cross-references them to runner photos via API, is this biometric processing under Section 6?

Yes. Matching bib numbers to facial images is linkage of biometric identifiers. Even if the timing platform doesn’t store faces directly, the API call that links race data to photo databases is processing under the DPDPA definition. Runners must consent to timing-to-photo linkage explicitly. A form that says “Timing chip consent” does not cover “Timing-photo linkage consent.” Fresh consent is required. If the platform does this automatically without disclosure, Section 6 violation.

---

Sports events are uniquely exposed to Section 6 violations because photography, timing, and spectator data intersect in real time. Unlike corporate compliance (HR photos, office photography) or wedding/event photography (smaller guest count, easier consent tracking), marathon and stadium events involve thousands of subjects, third-party vendors, and scope creep (media licensing, sponsorship deals, archive retention).

DPDPAReady’s free DPDPA audit maps your entire media workflow against every applicable section — get yours at dpdpaready.in.