✓ Link copied
DPDPA 2023 Compliance

Wedding Photography & Section 4 DPDPA: Consent vs Legitimate Interest

Applies toWedding Photographers & Studios operating in India
Primary lawDPDPA 2023 · Section 4
Penalty ceilingup to ₹150 crore per violation
Enforcement statusData Protection Board accepting complaints — 2026-07
SourceDPDPAReady Compliance Team

The Wedding Day Problem

A wedding photographer Arjun shoots a 2-day event for the Sharmas. Over those two days, he captures 5,000+ photographs: the couple’s portraits, the bride’s family, the groom’s relatives, 200+ guests at the reception, candid moments, ceremony footage, behind-the-scenes clips. By nightfall, he has personal data from hundreds of people—faces, sometimes names via tags, locations, timestamps. The critical question: On what legal ground under Section 4 DPDPA can Arjun process all this data? Consent from the couple, yes. But from the 200 guests photographed without being asked first? That’s where most Indian wedding studios fall out of compliance—and it costs them dearly.

What Section 4 Actually Permits

The DPDPA 2023 Section 4 establishes the only circumstances under which a data fiduciary—your studio—may lawfully process personal data at all. There is no free pass. Every photograph containing a face, every guest name in a file, every location coordinate must sit on one of five legal grounds. Processing without a ground is not a gray area; it is a violation.

Verbatim Section 4 DPDPA:

A data fiduciary may process personal data only where such processing is necessary for, and directly related to, the specified purposes for which such personal data has been collected, and only where such processing is in accordance with the grounds of processing specified in sub-sections (2) to (6).

The Act then specifies these grounds:

  • (a) With the consent of the data principal
  • (b) For performance of a contract to which the data principal is a party
  • (c) For compliance with legal obligations
  • (d) To protect vital interests of the data principal or another person
  • (e) For purposes of legitimate interests pursued by the data fiduciary or a third party

Wedding studios realistically use two: consent and legitimate interest.

The requirement: Explicit, informed, clear, written consent from the person in the photograph. The data principal (the person) must agree before or during processing. Consent is not assumed; it is documented. The data principal can revoke it anytime.

How this works in wedding photography:

Your booking contract includes a consent clause. The couple signs:

“I hereby consent to [Studio Name] processing my photographs, images, and videos for: (1) professional editing and final delivery; (2) secure 2-year cloud backup; (3) display in our portfolio and on our website; (4) sharing with family via private link; (5) use in Instagram reels and marketing materials. I understand I may withdraw this consent in writing at any time.”

This is consent-based processing under Section 4(a). The couple signed; the studio has grounds to process their data.

For guests at the reception:

This is harder. You did not ask 200 guests individually for permission. Do you need it? Under Section 4(a), technically yes—if you intend to publish guest photos. But in practice, studios handle this via venue signage combined with legitimate interest (discussed below). A printed sign at the entrance—“Professional photography in progress. By entering, you consent to image capture and event documentation.”—serves as constructive notice. Combined with legitimate interest reasoning (guests at a public event, aware of photography), this withstands scrutiny.

For marketing use:

Separate consent is cleaner. Many studios ask past clients: “May we feature your wedding in our Instagram portfolio?” Explicit checkbox. Documented consent for that specific use. If the couple says no, you do not post those photos.

Risks if ignored:

No consent, but you process the data anyway. Section 8 violation = up to ₹150 crore penalty per violation.

Duration:

Consent-based processing lasts as long as the consent form specifies. “2-year retention” means delete after 2 years, unless the couple extends or re-consents. Consent can be revoked at any time.


Path 2: Legitimate Interest-Based Processing

The requirement:

No explicit consent needed. But you must document a business reason for processing, and that reason must outweigh the person’s privacy interest. This is a balancing test. If a court (or the DPA, India’s data protection authority) later audits you, you must show: “My business need (X) is greater than the individual’s privacy harm (Y).”

Key constraint: You cannot process sensitive personal data—biometric data, health information, caste, religion, sexual orientation—on legitimate interest alone. Sensitive data requires consent (Section 9). A guest’s face in a photo is not technically “sensitive,” but it is personal data.

How this works in wedding photography:

After the event, Arjun stores the 5,000 guest photos in a password-protected, encrypted folder on secure cloud storage. No guest consented. Is this lawful? Yes, under Section 4(e) legitimate interest:

  • Arjun’s interest: Business records (proof of work completed), IP protection (ownership of the photographs), portfolio backing, dispute resolution (if a guest later claims photos were never taken), and technical backup.
  • Guest’s interest: Privacy—their likeness is stored.
  • Balancing: Arjun’s interest prevails because: (a) guests attended a professional event where photography was the primary purpose, (b) data is securely stored and not shared, (c) retention is time-limited (2–3 years), and (d) guests had reasonable notice.

Legitimate interest processing is lawful.

But it breaks if:

You identify all 200 guests by name, extract their phone numbers from the invite list, and email them unsolicited wedding-photography discounts. Now your interest (commercial solicitation) collides head-on with their interest (unsolicited contact). The balance flips. Section 6 violation (unlawful processing under legitimate interest) = up to ₹150 crore.

Duration:

Legitimate interest processing continues as long as the interest exists. If you retain guest photos “for 10 years just in case they might become useful,” there is no current legitimate interest—only speculative hope. Courts reject this. Retain only as long as the need persists: 2–3 years for business records is defensible; 10 years is not.


Side-by-Side Comparison

AspectConsent-Based (Section 4(a))Legitimate Interest (Section 4(e))
Requires PermissionYes, explicit consent from data principalNo, but must document business reason
Best ForMain couple, portfolio display, marketing, deliveryEvent documentation, business records, IP proof, backup
ProofDated, signed consent formWritten balancing test: interest > harm
Sensitive Data (Biometric)AllowedNOT allowed; requires consent
RevocationData principal can revoke anytime; must deleteNo revocation; must stop if interest disappears
DurationAs stated in consent formAs long as interest remains; then delete
ExampleCouple signs: “I consent to portfolio use”Studio stores guest photos for 2-year business records
Penalty Risk₹150 crore if no consent obtained₹150 crore if balancing fails (interest clearly weaker than harm)

Practical Roadmap: Which Ground Applies Where

Client couple’s portraits: Section 4(a) consent + Section 4(b) contractual (service delivery). Couple signs booking form consenting to editing, delivery, portfolio. Legally airtight.

Guest candid shots (face visible, identifiable): Section 4(e) legitimate interest. Documented reasoning: guests at professional event, reasonable notice (signage, couple’s awareness), secure 2-year retention, no onward sharing, privacy-by-design. Balances.

Employee/staff photos (receptionist, assistant, second shooter): Section 4(b) contractual + Section 4(a) consent. Employment agreement includes consent to process employee photos (ID, payroll records, appearance in studio materials). Simpler because they are not third parties.

Before/after edits (before-edits are works in progress): Section 4(b) contractual (part of the service). Couple consents to editing by signing; edits are intermediate steps. Unfinished edits stored until delivery; then delete the unfinal versions (unless couple asks for retention).

Backup of raw files (unedited, no client yet): Section 4(e) legitimate interest. Business operations, IP protection, disaster recovery. Retain as long as legally or operationally necessary.

Sending past clients a newsletter: Section 4(a) consent ONLY. If the booking form has an opt-in checkbox (“Email me studio updates”), you have consent; send freely. If no checkbox, do not email. Sending unsolicited emails to past clients = unlawful processing (Section 8) = up to ₹150 crore. Many studios wrongly assume past clients are a free mailing list. They are not.

Using a guest’s photo in an advertisement without asking: Section 4(a) consent required. If the guest did not consent to advertising use specifically, you cannot use that photo in an ad. Section 8 violation.


The ₹150 Crore Risk: Real Numbers

One Section 4 violation—processing guest data without grounds—triggers a Section 8 or Section 6 penalty. The DPDPA cap for consent/grounds violations is ₹150 crore per violation. A studio processing photos of 100 guests without grounds could theoretically face 100 violations = ₹15,000 crore liability (though courts may consolidate). Indian studios have already faced ₹5–50 crore penalties under similar data protection regimes; ₹150 crore sets the ceiling.

Even a single egregious breach—say, sharing wedding guest data with a third party without consent—costs ₹150 crore.


Your Compliance Checklist

  • Booking contract includes consent clause naming all intended uses: editing, delivery, portfolio, marketing, cloud backup, with 2–3 year retention stated
  • Venue signage (printed or digital) posted at entry: “Professional photography in progress; by attending, you agree to image capture for event documentation”
  • Legitimate interest statement on file for guest data: “Business records, IP protection, 2-year retention; guests at professional event with notice; interest > privacy harm”
  • Marketing emails sent only to past couples who opted in (checkbox on booking form); unsubscribe link included
  • Data retention policy documented: “Client photos: 3 years or until deletion requested. Guest photos: 2 years or until legitimacy expires. Sensitive biometric data: consent-only, no legitimate interest.”
  • Privacy notice (Section 5) posted on website and booking link, listing: data types collected, Section 4 grounds, retention periods, data principal rights
  • Annual deletion of data older than retention period; do not keep “just in case”

Frequently Asked Questions

Q: I took a photo of a guest without asking. They didn’t sign anything. Can I put it on Instagram?

A: Only if: (1) the couple’s booking consent includes permission to post guest photos on Instagram, OR (2) you have documented legitimate interest (brief retention, no guest ID, event-context only). If the guest is clearly identifiable and you have no legal ground, delete the post. Unlawful processing under Section 4 = Section 8 violation = up to ₹150 crore penalty. The risk is not worth the Instagram engagement.

Q: How long can I legally keep wedding guest photos?

A: Under Section 4, retention is tied to the legal ground. Consent-based: as long as consent lasts (usually until couple’s consent is withdrawn). Legitimate interest-based: as long as the legitimate interest persists. For guest photos, 2–3 years is standard (business records, IP proof). Beyond 3 years, the “legitimate interest” weakens—photos are old, unlikely to be useful, and the privacy harm of retention outweighs studio need. Delete after 3 years unless the couple specifically requests archival.

Q: A past client asks me to delete her wedding photos. Must I?

A: Yes. Under Section 18 DPDPA (right to erasure), a data principal can request deletion anytime. If the photos are consent-based and the couple consents, delete. If based on legitimate interest, the right to erasure still applies—delete unless you have a legal obligation to retain (e.g., court order, GST audit). Refusing without grounds = Section 12 violation = up to ₹150 crore. If you have 10 years of archived wedding photos and a past client suddenly asks for erasure, you must delete them (or risk huge penalties).

Q: Can I send email newsletters to past clients without asking first?

A: No. Newsletter email addresses are personal data. Sending unsolicited emails = unlawful processing (Section 8) unless you have documented consent (opt-in checkbox on booking form). Many studios assume past clients are fair game for marketing. They are not. Either: (1) add an opt-in checkbox to the booking form going forward (“Email me updates”), or (2) send a one-time email asking retroactive consent (“Would you like to receive studio updates?”), or (3) do not email. Default: assume you need consent.

Q: Is there an exception for “artistic” or “creative” use?

A: No. Section 4 does not carve out artistic or creative processing. A photo portfolio is still processing of personal data. You need either: (1) consent from everyone identifiable in the photo, OR (2) documented legitimate interest with a written balancing test showing your business interest (portfolio credibility, IP protection) outweighs privacy harm (limited access, secure storage, time-bound retention). The balancing statement is your legal shield. Without it, you are exposed to Section 6 violations.

wedding photographer DPDPA complianceSection 4 grounds personal data processingconsent vs legitimate interest DPDPAguest photos personal data liabilitywedding photography data protection IndiaDPDPA processing grounds wedding studiowedding photographer data breach penalty
VERIFIED DPDPAReady Editorial Desk 8 JUL 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →