Wedding Photography Privacy Notices Under DPDPA Section 5: India's Mehendi-to-Reception Compliance Gap

Applies to	Wedding Photography operating in India
Primary law	DPDPA 2023 · Section 5
Penalty ceiling	₹50 crore per violation
Enforcement status	Data Protection Board accepting complaints — May 2026
Source	DPDPAReady Compliance Team

The Problem: You’re Collecting Guest Faces Before You Disclose What You’ll Do With Them

Under Section 5 of the DPDPA, you must give guests a written notice before you collect their personal data — including their faces, mehendi henna, baraat processional footage, and sangeet video. This notice must disclose who you are, what data you’re collecting, how long you’ll keep it, who else gets access (your album designer, Canvera printing partner, Instagram manager), and whether you’ll use it for portfolio work or licensing.

Most Indian wedding photographers skip this step. They shoot the mehendi, the haldi, the baraat, and the reception, then upload candids to Instagram or Pixieset galleries weeks later — without ever telling guests in writing what was going to happen to their images. Under DPDPA enforcement, this is a violation per batch of guests, per event, and penalties start at ₹50 crore.

A compliant Section 5 notice must contain 7 mandatory disclosures — not just consent, but transparency about how your business actually processes visual personal data.

---

What a Compliant Privacy Notice Must Include (Section 5)

Your notice must be in writing and must cover these elements:

• Your name, contact details, and role. You must identify yourself as the “data controller” — the photographer or studio collecting and deciding how to use the images. If you’re a freelancer, that’s you. If you’re part of a studio, the studio is the controller.

• What personal data you’re collecting and from whom. Be specific: “faces and identifiable features of all mehendi guests and baraatis,” “henna-covered hands,” “sangeet performance footage,” “baraat procession.” Don’t just say “photos.” Guest faces are biometric personal data under DPDPA; vague language won’t help if challenged.

• The lawful basis for collection. For weddings, this is almost always consent — you need permission from each guest (or their parent if under 18). Say: “Collected on the basis of your consent, obtained via this notice.”

• How long you’ll store the images. Example: “Mehendi and sangeet footage will be deleted 12 months after the wedding. Portfolio images will be retained for 5 years.” Be realistic. If you plan to keep wedding images in your cloud drive forever, say so — but you must delete on request (Section 12 right to erasure).

• Who else gets access to the images. This includes: album designers (Canvera, Artifact Uprising), cloud storage (Google Drive, Dropbox), Instagram/Facebook, Pinterest boards, WhatsApp family group sharing, your printer, your website developer. List every third party who will see the images.

• Whether you use images for portfolio, licensing, or commercial purposes. If you repost guest photos to your Instagram portfolio, your website, or sell images to wedding magazines or stock platforms, you must disclose this separately. Many guests don’t know their mehendi photos end up on your Pinterest board.

• The guest’s rights under DPDPA. They can ask you to delete their images (Section 12), correct them (Section 11), and obtain a copy of what you hold (Section 10). Include your process for handling these requests — e.g., “Email deletion requests to photographer@yourstudio.in with the wedding date and images to be deleted. Deletion will be completed within 30 days.”

---

The Template: Copy, Customize, Deploy

Use this template. Fill in the bracketed fields with your business details. Print or email it to guests before shooting — mehendi day, haldi, sangeet, baraat setup, or reception entry.

PHOTOGRAPHY PRIVACY NOTICE — WEDDING EVENT

Photographer/Studio: [Your name or studio name] Contact: [Email and phone number] Date of Event: [e.g., Mehendi on 15 June 2026; Baraat on 17 June 2026] Couple’s Names: [Names of bride/groom/couple]

1. WHO WE ARE We are [Your Studio Name], a photography business based in [City]. We collect and process your photographs and video footage during this wedding event. We are the “data controller” — we decide what happens with your images.

2. WHAT WE COLLECT We will capture and store:

• Your face, identifiable features, and expressions
• Your hands, mehendi, henna, jewelry, and attire
• Your voice in video footage (if any)
• Your location within the venue

This applies to all guests, baraatis, family members, and event attendees present during photography.

3. WHY WE COLLECT IT We collect your images to:

• Create wedding albums and prints for the couple
• Deliver digital copies via [Pixieset/Google Drive/OneDrive/etc.]
• Post selected images to [Instagram/Facebook/Pinterest/website — list all platforms]

[If applicable: We may also license professional images to wedding magazines, online directories, or stock photography platforms.]

4. HOW LONG WE KEEP YOUR IMAGES

• Couple’s album and prints: [e.g., 5 years] from the wedding date, unless you request deletion earlier
• Portfolio images on our website/Instagram: [e.g., 5 years], unless you request removal
• Backup drives and cloud storage: [e.g., 7 years] for archival purposes
• Licensed images: Retained for the duration of the license agreement

After the retention period, all images of you will be permanently deleted, unless you have requested we keep them or we have a legal obligation to retain them.

5. WHO ELSE SEES YOUR IMAGES Your images may be shared with:

• The couple (bride/groom and their family)
• Album designers and printers ([e.g., Canvera, Artifact Uprising, local printers in Delhi])
• Cloud storage providers ([e.g., Google Drive, Dropbox, Pixieset])
• Social media platforms ([e.g., Instagram, Facebook, Pinterest])
• Our website host and developer
• [Any other third parties: e.g., wedding planners, event coordinators, magazine publishers]

These third parties process your data on our instructions and are bound by confidentiality agreements.

6. YOUR RIGHTS You have the right to:

• Delete your images: Contact us within [e.g., 12 months] of the wedding to request deletion of all images containing you. We will delete images from our devices, cloud storage, and ask third parties to do the same. Deletion requests must include the wedding date and specific images or event (e.g., “mehendi” or “baraat”).
• Correct your data: If your images are mislabeled or if metadata is inaccurate, ask us to correct it.
• Obtain a copy: Request a copy of all images we hold of you in digital format.
• Object to portfolio/licensing use: If you do not consent to your images being posted on our Instagram, website, or licensed to third parties, tell us in writing before the event.

7. HOW TO EXERCISE YOUR RIGHTS Email your request to [Your email] with the subject line “[Wedding Date] — [Your Name] — [Request Type: Delete/Copy/Correct]” and include the wedding date and event name (e.g., mehendi, sangeet, baraat, reception).

We will respond within 30 days.

8. YOUR CONSENT By providing your images or allowing us to photograph you at this event, you consent to the collection, storage, and use of your images as described above. If you do not consent to portfolio posting or licensing, you must notify us in writing before the event begins.

9. QUESTIONS OR CONCERNS If you have concerns about how we use your images, contact us at [Email]. If you believe we have violated your rights under India’s Digital Personal Data Protection Act, 2023, you can lodge a complaint with the Data Protection Board at [www.dataprotectionboard.in] (once live).

---

I acknowledge that I have read and understood this privacy notice.

Guest Name (Print): _________________________________

Guest Signature: ___________________________________

Date: ______________________________________________

Phone Number (for deletion requests): _______________

Check box if you do NOT consent to: ☐ Portfolio posting (Instagram, website, Pinterest) ☐ Licensing to wedding magazines or platforms ☐ Cloud storage backup beyond 12 months ☐ Sharing with wedding planners or coordinators

---

How to Deploy This Notice

Before the event:

• Print or email this notice to all guests at least 3–5 days before mehendi or the first event. Include it in the wedding invitation, a WhatsApp group message, or hand it out at the mehendi venue.
• For events like baraat where walk-in guests arrive without notice, keep printed copies at the entry point and ask guests to sign before photography starts.
• If you photograph guests without their signature, you lose your Section 5 compliance — the data Protection Board will treat this as collection without notice.

At the event:

• Ensure you have a signed or digitally acknowledged copy from each guest. A WhatsApp message saying “I agree” or a Google Form response counts as written consent, but keep records linked to the guest’s name or phone number.
• If a guest refuses to sign or says “no portfolio posting,” respect that — photograph them only for the couple’s album and do not post their images anywhere else.

After the event:

• Store signed notices in a folder labeled with the wedding couple’s name and date. Keep them for at least 12 months.
• If a guest requests deletion, cross-reference their name against the signed notice, delete all images from your devices and cloud drives, and notify any third parties (designers, cloud hosts) to do the same. Document the deletion in writing.
• If you breach this obligation and a guest complains to the Data Protection Board, you won’t have proof of deletion — expect a fine.

---

What Happens Without This Notice

Scenario 1: You skip the notice and post mehendi photos to Instagram. A guest sees her face on your Instagram portfolio two weeks after the event. She never agreed to portfolio posting. She files a complaint with the Data Protection Board alleging violation of Section 5 (no notice) and Section 6 (no consent for processing). The Board finds that you collected and processed her biometric data (her face) without prior written disclosure. Penalty: ₹50 crore for the Section 5 violation, plus ₹50 crore for the Section 6 violation = ₹100 crore across two violations.

Scenario 2: You give a notice but it’s vague. Your notice says “Photos will be used for portfolio purposes.” A guest consents thinking “portfolio” means your private albums. You instead license 50 mehendi photos to a wedding magazine for commercial use. The guest finds her face in the magazine and files a complaint. The Board says your notice was inadequate disclosure — you didn’t clearly state that images would be licensed to third parties. Penalty: ₹50 crore for inadequate Section 5 disclosure.

Scenario 3: You collect a notice but don’t retain it. A guest requests deletion of all her images. You comply and delete from your devices, but you can’t prove you obtained consent before the event because your notice records are disorganized. The guest files a complaint alleging you collected her data illegally (no proof of notice). Without documentation, you can’t defend yourself. Penalty: ₹50 crore.

⚠️ Each of these scenarios is one violation. If you shoot 5 weddings in a year and skip notices at all 5, the Board can treat this as 5 separate violations across multiple guests. Penalties do not cap at one amount — they multiply by incident. Under DPDPA Section 5 alone, you are liable for ₹50 crore per violation.

---

FAQ: Section 5 Notices for Wedding Photography

Can I collect the privacy notice at the event itself, or must it be before mehendi? Section 5 requires notice before collection begins. If you photograph a guest before they’ve read and acknowledged the notice, you’ve violated Section 5. For mehendi and sangeet, deliver the notice in the invitation or 3–5 days prior. For baraat and reception guests who walk in unannounced, post the notice at the entry point and have them sign or acknowledge via WhatsApp before photography starts. If you can’t obtain notice in time, do not photograph that guest.

If the couple consents to photography, can I assume all guests have consented? No. The couple’s consent covers their images only. Each guest — baraatis, family members, friends — must individually consent. Under Section 5, you must provide notice to each person whose personal data you collect. If you photograph a baraati without giving him a privacy notice, that’s a separate violation for that individual. Couples often assume “if the bride and groom said yes, everyone consents” — this is legally incorrect and a common DPDPA trap.

What if I collect consent via a Google Form sent through WhatsApp but don’t link responses to actual images? Written consent via Google Form is valid if it clearly references the wedding event, guest name, and the specific terms of processing. However, if you can’t later prove that a particular image corresponds to a particular consent response, you’re vulnerable. Best practice: number your consent responses, ask guests to note their number on the back of a printed form, or photograph their signed consent alongside a photo of them. This creates a traceable link between consent and images.

If a guest says “no portfolio posting” but I post their mehendi photo to Instagram anyway, what’s my exposure? You’ve violated Section 5 (you didn’t disclose your actual intended use — you told them “no portfolio” but did it anyway), Section 6 (no valid consent for processing beyond the album), and Section 12 (failure to honor an erasure-equivalent request — they asked you not to process for that purpose). A single photo posted could trigger three separate violation findings. Penalty exposure: ₹150 crore across three violations.

---

DPDPAReady’s Template Library deploys consent forms, privacy notices, and DPA agreements for your industry in 48 hours — start at dpdpaready.in.