Section 4 Notice Checklist for Trade Shows: 12 Mandatory Details for Visitor Registration
| Applies to | Trade Show Organizers & Exhibition Management Companies operating in India |
| Primary law | DPDPA 2023 · Section 4 |
| Penalty ceiling | ₹150 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-06 |
| Source | DPDPAReady Compliance Team |
What’s at Stake When You Skip the Notice
A Delhi-based exhibition organizer collected 8,000 visitor registrations for their annual tech trade show without providing a pre-collection notice. Three months later, a visitor filed a complaint citing Section 4 DPDPA. The organizer faced a corrective notice from the Data Protection Board and ₹50 lakh in remediation costs. The mistake: no notice, no consent validation, no compliance proof.
Section 4 of the Digital Personal Data Protection Act, 2023 mandates that your organization provide clear, prior notice before collecting any personal data from trade show visitors. Miss this, and you’re in violation—regardless of whether you later process the data fairly.
Section 4: The Exact Legal Requirement
Section 4: Purposes and grounds for processing personal data
A data fiduciary shall not process personal data other than for the purposes and grounds specified in the notice provided to the data subject.
This is the foundation. Your notice must specify the purpose (e.g., “registration for TechExpo Delhi 2026”), and all data collection must fall within that declared purpose.
Why Trade Shows Are High-Risk Under Section 4
Trade show organizers typically:
- Collect data at physical registration booths (in-person capture)
- Use digital forms (online registrations weeks before the event)
- Share attendee lists with exhibitors (third-party recipients)
- Retain data for post-event surveys and marketing
Each of these triggers Section 4 compliance gaps:
- Physical registration: Visitors often sign a form or scan a badge without reading a notice. Section 4 requires a notice before collection, not during or after.
- Third-party sharing: If you plan to share the attendee list with exhibitors, your pre-collection notice must disclose this upfront.
- Retention for follow-up: If you’ll use registration data for post-event surveys or future event marketing, your notice must name this purpose at the point of collection.
The 12-Point Section 4 Pre-Collection Notice Checklist for Trade Shows
Before you collect a single visitor registration, your notice must include all 12 of these elements. Omit even one, and you risk a Section 4 breach.
Pre-Collection Notice Template (Fill in the blanks)
TRADE SHOW VISITOR DATA COLLECTION NOTICE
(Compliant with Section 4, DPDPA 2023)
Event Name: [Event name, e.g., “TechExpo Delhi 2026”]
Event Date: [Date range]
Organizer Name: [Your organization/company name]
Organizer Contact: [Email and phone]
1. Purpose of Collection
We collect your personal data for the sole purpose of: [Primary purpose—e.g., “registering you as a visitor, managing event logistics, and providing event updates”]
2. What Data We Collect
We collect the following personal data from you:
- Full name
- Email address
- Phone number
- Company/organization name
- Job title
- Dietary preferences (if applicable for catering)
- Other: [specify, e.g., “attendance preferences”]
3. Legal Ground for Collection
We collect this data because:
- You have given us explicit consent to register for the event
- We have a legitimate interest in managing the event safely and effectively
- We are required by law or contract to do so (specify if applicable)
4. Duration of Data Retention
Your personal data will be retained for: [e.g., “90 days after the event concludes, unless you opt into our mailing list, in which case retention is 12 months or until you unsubscribe”]
5. Recipients (Third Parties) of Your Data
Your data may be shared with:
- Event logistics partner (transportation, catering): [Name, if known]
- Exhibitors participating in the event (attendee lists may be provided): [Yes/No]
- Photographers/media for event coverage: [Yes/No]
- Post-event survey tools or mailing platforms: [Specify vendors, e.g., “MailChimp”]
- Other: [specify]
6. Your Rights
Under the DPDPA, you have the right to:
- Request access to your personal data
- Request correction of inaccurate data
- Request erasure of your data (except where we have a legal obligation to retain it)
- Withdraw consent at any time by emailing [compliance email]
7. Contact for Grievances
If you have concerns about how we handle your data, contact:
Data Protection Officer: [Name]
Email: [Email]
Phone: [Phone]
Address: [Office address]
8. How We Protect Your Data
We implement [describe security measures—e.g., “encrypted forms, password-protected databases, restricted staff access, annual security audits”]
9. Automated Decision-Making
We do [ ] / do not [✓] use your personal data for automated decision-making (e.g., algorithmic badge assignment, session recommendations)
10. Cross-Border Data Transfer
Your data will [ ] / will not [✓] be transferred outside India. If yes, specify destinations and safeguards: [e.g., “Data may be shared with our US-based registration platform, which complies with standard contractual clauses”]
11. Children’s Data
If you are under 18, parental/guardian consent is required. Registrants under 18 must provide: [ ] Parental email confirmation
12. Policy Updates
We may update this notice. Changes take effect [e.g., “14 days after posting”]. Continued participation means acceptance of the updated terms.
Visitor Acknowledgment:
By registering, I confirm I have read and understood this notice. [ ] I consent to the collection and use of my data as described above.
Signature / Digital Acceptance:
[Checkbox or e-signature field]
How to Deploy This Notice in Compliance
For In-Person Registration (Physical Booths)
- Print the notice on registration forms — Full notice above the signature line, font size minimum 10pt.
- Require active acknowledgment — Checkboxes or signature, not passive reading.
- Staff training — Train registration staff to confirm attendees have read the notice before data collection.
- Audio option — For accessibility, QR code linking to an audio version of the notice.
For Online Registration (Web / Mobile Forms)
- Display before the form — Show the full notice before any data entry field.
- Mandatory checkbox — “I have read and agree to the data collection notice” must be checked before the submit button unlocks.
- Layered notice — Link to a full policy page; the form itself can summarize key points.
- Timestamp the consent — Log when and how the visitor accepted the notice.
For Digital Badge Check-In (QR / NFC Scans)
- Pre-event email — Send the notice 7–10 days before the event; require confirmation of receipt.
- On-device notice — If checking in via mobile app, display notice on the check-in screen with a mandatory tap-to-confirm.
- Physical printout at booth — Print the notice and have check-in staff point attendees to it.
Common Section 4 Pitfalls and How to Avoid Them
| Pitfall | Risk | Fix |
|---|---|---|
| No notice (assume attendees know why you’re collecting) | Section 4 violation, ₹150 crore exposure | Deploy notice template above before any collection |
| Generic notice (“We collect data”) without event-specific purpose | Violation—notice must state exact purpose | Name the event, dates, and specific uses |
| Silent third-party sharing (pass attendee list to exhibitors without prior disclosure) | Section 4 violation + breach of data subject rights | Add exhibitor sharing explicitly to notice |
| Notice buried in T&Cs (12-page terms, notice hidden on page 8) | Likely unenforceable—notice must be clear and prominent | One-page, plain language, checkbox-based |
| Consent conflated with notice (notice says “we will collect” instead of “we are asking permission”) | Weak legal position if challenged | Notice is mandatory; consent is the attendee’s response |
| No timestamp on consent (can’t prove when notice was shown) | Compliance audit failure | Log acceptance time, form hash, IP address |
Section 4 Compliance Timeline for Your Next Trade Show
- T-60 Days: Audit your current data collection process. Identify all purposes, recipients, and retention windows.
- T-45 Days: Draft your event-specific notice using the template above. Have legal counsel review.
- T-30 Days: Deploy notice on registration pages and print on physical forms. Train staff.
- T-14 Days: Send pre-event email with notice to all pre-registered attendees; request confirmation.
- T-7 Days: Perform mock registration test. Confirm notice displays, consent is captured, and timestamp logs are working.
- Event Day: Verify all registration staff reference the notice.
- T+30 Days: Retain copies of all notices shown, timestamps of consent, and any attendee data access requests.
Frequently Asked Questions
Q: Do I need Section 4 notice if visitors are just walking into the event without pre-registration?
A: Yes. Even walk-in attendees who provide data (name, company, email at the door) must receive notice before you collect their details. A printed notice at the registration desk, a verbal summary from your staff, or a QR code linking to the full policy all satisfy this requirement. However, the notice must be shown before data is collected, not after badge printing.
Q: Can I use the same notice for all attendee types (visitors, exhibitors, speakers)?
A: Not entirely. Exhibitors and speakers may have different data uses (e.g., payment processing for exhibitors, speaker honorariums for speakers). Your notice must specify who the data subject is and what purposes apply to them. You can use a template with conditional sections (e.g., “If registering as an exhibitor, your data will also be used for invoice and contract processing”).
Q: What if I want to share the attendee list with my email marketing vendor after the event?
A: This must be disclosed in the Section 4 notice before registration. Include the specific purpose (“post-event surveys and promotional emails for future events”) and the vendor name (if known) or category (e.g., “third-party email marketing platform”). If a visitor doesn’t accept this, you cannot use their data for marketing without a separate, new notice and consent.
Q: Section 4 says “specified in the notice”—does that mean I must list every single purpose in one sentence?
A: No. Your notice can be structured with separate sections (Purpose, Retention, Recipients). However, each purpose must be explicit and unambiguous. Vague language like “event operations and related activities” is not sufficient; it should be “event registration, catering logistics, speaker coordination, and post-event feedback surveys.” If you discover a new purpose after the notice was published, you must collect fresh consent for that new purpose.
Q: If a visitor refuses to accept the Section 4 notice, can I still collect their data?
A: No. If they don’t consent, you cannot collect their data under that notice. However, you have two options: (1) Deploy a modified notice stating only the data fields and purposes they agree to, or (2) Explain that certain data (e.g., email for event logistics) is mandatory and that declining the notice means they cannot register. Document their choice in your consent logs.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →