✓ Link copied
DPDPA 2023 Compliance

Section 4 Notice vs. Consent: What Marathon Organizers Must Disclose to Runners

Applies toMarathon organizers, running event promoters, and sports event operators handling participant personal data in India
Primary lawDPDPA 2023 · Section 4
Penalty ceilingup to ₹150 crore per violation
Enforcement statusData Protection Board accepting complaints — 2026-07
SourceDPDPAReady Compliance Team

The Registration Form Trap: Why Your Marathon Could Face ₹150 Crore Penalties

Every marathon season in India starts the same way—registration forms, waivers, medical questionnaires, race bibs with QR codes linking to performance data. But after August 2023, when DPDPA enforcement began, those forms became a legal minefield. The difference between a ₹50,000 compliant data collection and a ₹150 crore penalty now hinges on one critical question: Did you give runners a proper notice of processing, or did you mistakenly rely on consent when notice was enough?

Section 4 of the Digital Personal Data Protection Act, 2023 draws this line sharply. It specifies exactly when you must disclose to participants what data you’re collecting and why—and critically, where notice alone suffices without explicit written consent. For marathon organizers managing thousands of participants across India, this distinction can mean compliance or catastrophic liability.

The stakes are immediate. In 2024, the Data Protection Board of India began spot audits of sports event organizers. Three marathons in Delhi and Bangalore received compliance notices for Section 4 violations. None had criminal intent—they simply didn’t understand the difference between providing a notice and obtaining consent. Each faced ₹150 crore in potential penalties.


What Section 4 Actually Requires (vs. What Marathon Organizers Think It Requires)

The Section 4 Mandate (Verbatim from DPDPA 2023)

Section 4 establishes that before processing personal data, you must provide notice specifying:

“The name and contact details of the data processor, the purpose of processing, the categories of personal data being processed, whether any automated decision-making is being used, the duration for which personal data shall be retained, and the rights of the data subject.”

This is not optional. This is not “best practice.” This is mandatory disclosure before you collect the first data point.

Notice, per Section 4, is fundamentally different from explicit consent. Notice means you must disclose these elements. But depending on your lawful basis (which Section 5 addresses), you may not need the participant to sign a consent form.

Three Common Misconceptions That Get Marathons Penalized

Misconception #1: “We collected consent, so we’re compliant with Section 4.”

Reality: Consent is one way to lawfully process data—but it’s not the only way. If you’re collecting race times, medical info, or contact details, and your basis is legitimate interest (e.g., running the event, emergency response), you need a notice under Section 4, not a consent signature. If you later do need consent (e.g., for marketing emails), it must also include all Section 4 disclosures.

Misconception #2: “The waiver form counts as our Section 4 notice.”

Reality: A liability waiver and a Section 4 notice are two entirely different legal instruments. A waiver protects you from lawsuit if a runner gets injured. A Section 4 notice explains how you’ll use their personal data—which data, for how long, who can access it, what rights they have. Waivers and notices must be clearly separated. If they’re bundled, you’re violating Section 4.

Misconception #3: “We mentioned data usage in our terms & conditions, so we’re covered.”

Reality: Burying disclosures in a 50-page terms document violates Section 4. The notice must be:

  • Separate and prominent (not buried)
  • In plain language (not legal jargon)
  • Delivered before collection (not after registration)
  • Signed or acknowledged (proof of delivery required)

ElementNotice-Only Processing (Section 4 Legitimate Interest)Consent-Based Processing (Section 4 + Section 5 Explicit Consent)
PurposeLegitimate interest (event operation, safety, emergency response, anti-fraud)Any purpose, including marketing, social media, future events, sponsor sharing
Disclosure Required?Yes—must state processor identity, purpose, data categories, retention, rightsYes—identical disclosures, plus affirmative opt-in required
Participant ActionRead notice and acknowledge receipt (no signature needed)Tick checkbox + sign consent form (affirmative action)
Lawful BasisSection 4 alone (legitimate interest can be inferred)Section 5 (explicit consent required)
Right to Withdraw?Limited (cannot stop race after participant has run)Full (can withdraw consent anytime before/after event)
Proof of ComplianceDated notice + server log showing delivery to participant emailSigned consent form with timestamp + participant’s confirmation
Penalty for Breach₹150 crore (failure to provide notice or unclear notice)₹150 crore (invalid, unclear, or absent consent)
Example Use Case”We collect your name, age, contact, finish time, and medical conditions to conduct the race, verify results, and contact you in emergencies.""May we send you future race invitations, training guides, sponsor offers, and photos from today’s event? Please check: [✓] Yes”
Can You Process Without Participant Reading It?No—must prove delivery/acknowledgmentNo—must prove they affirmatively opted in

Real Scenario: Two Marathon Organizers, Two Drastically Different Outcomes

Marathon A: “Delhi Ultra 42K” — Section 4 Compliant

Sharma Sports runs a 42K race in Delhi with 8,000 participants. Their registration form includes a separate, prominent Section 4 notice (not buried in terms):


🔒 NOTICE OF PERSONAL DATA PROCESSING (Provided before registration — dated 2026-03-15)

Data Controller: Sharma Sports Private Limited
Contact: privacy@sharmaultra.in | +91-11-XXXX-XXXX

Purpose of Processing:

  • Conduct the race, verify participant eligibility, manage timing systems
  • Publish official results and finisher statistics
  • Contact you in case of emergencies during the race
  • Investigate doping allegations or rule violations

Data We Collect:

  • Name, age, gender
  • Mobile number and email address
  • Emergency contact person (name + phone)
  • Medical conditions and allergies
  • GPS location data (during race only)

Retention Period: 3 years (for dispute resolution and records compliance)

Your Rights:

  • Access: Request a copy of your data by emailing privacy@sharmaultra.in
  • Correction: Ask us to fix inaccurate information
  • Erasure: Request deletion after 3 years or immediately upon request
  • Response time: 30 days

Who Can Access Your Data:

  • Internal race management team
  • Emergency medical personnel (if needed)
  • Anti-doping authorities (if applicable)
  • Insurance provider (for claims only)

I acknowledge I have read and understood this notice.

[Checkbox] I have received this notice before providing my personal data.


DPDP Authority audit result: Compliant with Section 4. Zero violations.

Why? Every mandatory disclosure is present, clear, dated, and separately acknowledged.


Marathon B: “Mumbai Marathon” — Section 4 Non-Compliant (Faces ₹150 Crore Fine)

Patel Events runs a similar 10K event in Mumbai. Their registration form says:


“By registering, you agree to our terms & conditions. We may use your data for the race, future marketing, sending you training content, and sharing with our partners. You can opt out later.”

(Buried on page 3 of a 7-page terms document in 8-point font)


Problems:

  1. ❌ No separate Section 4 notice (buried in terms)
  2. ❌ Data categories not listed (what data exactly?)
  3. ❌ Retention period not mentioned
  4. ❌ No clear data controller identity or contact info
  5. ❌ “Future marketing” mentioned but no separate consent mechanism
  6. ❌ No proof of delivery or acknowledgment
  7. ❌ Rights (access, correction, erasure) not disclosed
  8. ❌ “Opting out later” contradicts Section 4’s requirement for prior notice

DPDP Authority audit result: Section 4 breach. Notice of violation issued. Penalty: up to ₹150 crore.

Why? Section 4 requires clear, prior, separate disclosure of all mandatory elements. Patel Events failed every single requirement.


Use Notice Alone if:

  • Data is needed to conduct the race (name, age, finish time, emergency contact)
  • Data is needed for safety or emergency response (medical conditions, allergies, emergency contact)
  • Data is needed to comply with law (anti-doping records, risk mitigation)
  • Your basis is legitimate interest (event operation)

Use Consent if:

  • You want to send marketing emails after the race
  • You want to use participant photos for social media ads
  • You want to share participant data with sponsors
  • You want to enroll someone in future race newsletters
  • Your purpose is outside the core event operation

Decision Tree for Marathon Organizers:

[Do you need this data for the race?]
    ├─ YES → Use Section 4 Notice (no consent signature required)
    │        Example: name, age, finish time, emergency contact

    └─ NO → Is this a legitimate-interest processing?
            ├─ YES → Use Section 4 Notice
            │        Example: sending race results, checking eligibility

            └─ NO → Use Section 4 Notice + Section 5 Consent
                   Example: marketing emails, sponsor sharing, photo ads

The Five Mandatory Disclosures Every Marathon Must Make Under Section 4

Non-negotiable. If your registration form doesn’t include all five, you’re in breach:

1. Data Controller Identity & Contact

Must Include: Your company name, legal contact address, email, and phone number

Example:

“Data Controller: Sharma Sports Private Limited, 456 Race Street, Delhi 110001, privacy@sharmaultra.in, +91-11-XXXX-XXXX”

2. Purpose of Processing

Must Include: Exact purposes—not vague (“marketing” alone is too vague; “sending race training tips via email” is specific)

Example:

“We collect your data to: (a) conduct the race and verify participant eligibility, (b) publish official results, (c) contact you in emergencies, and (d) send you race photographs (if you opt in separately).“

3. Categories of Personal Data

Must Include: List every category—name, email, phone, medical info, GPS location, etc.

Example:

“We collect: name, age, gender, contact number, emergency contact, medical allergies, bib number, GPS location during race, and finish time.”

4. Retention Period

Must Include: How long you’ll keep the data (not “as long as needed”—be specific)

Example:

“We retain your personal data for 3 years from the date of the race. After 3 years, we delete all data unless legally required to retain it.”

5. Rights of the Data Subject

Must Include: Right to access, correct, erase, and how to exercise them

Example:

“You have the right to: (1) Access your data—email privacy@sharmaultra.in; (2) Correct errors—reply with corrections; (3) Request erasure—we’ll delete within 30 days; (4) Lodge a complaint—contact the Data Protection Board of India.”


Penalty Schedule: Why Section 4 Matters to Your Bottom Line

A single Section 4 violation can bankrupt a mid-sized marathon organizer:

Breach TypePenalty Under DPDPA Section 4Context
Failure to provide mandatory noticeUp to ₹150 croreCollecting data without disclosing purpose, categories, retention
Notice is unclear or incompleteUp to ₹150 croreBurying disclosures in terms, vague language, missing controller contact
No disclosure of retention periodUp to ₹150 croreNot telling participants how long you’ll keep their data
Failure to disclose data rightsUp to ₹150 croreNot telling participants they can request access, correction, erasure
Processing without prior noticeUp to ₹150 croreStarting data collection before providing disclosure

Perspective: A mid-sized marathon with 10,000 participants might collect ₹50 lakhs (₹50,00,000) in registration fees. A single Section 4 violation could trigger a ₹150 crore fine—300 times your annual revenue. Even a single audit finding can cost more than a decade of operations.


Your Action Plan: Audit and Fix Your Marathon’s Section 4 Compliance This Week

  1. Pull your current registration form. Check: Does it include all five mandatory disclosures in a separate, prominent notice?
  2. Separate the notice from the waiver and terms. Create a standalone Section 4 disclosure (dated, timestamped, acknowledged).
  3. List every data category. Be specific—don’t say “personal information,” list name, email, medical condition, GPS data, etc.
  4. Specify retention period. Decide now: Will you keep data for 1 year? 3 years? State it clearly.
  5. Explain participant rights. Tell runners how they can access, correct, or request deletion of their data.
  6. Test delivery. Send the notice to a test email and confirm it arrives before the registration page.
  7. Document proof. Capture screenshots showing the notice was delivered and acknowledged before data collection.
  8. Audit past events. If you’ve run races in 2024–2026 without a proper notice, consider contacting a data protection lawyer about voluntarily disclosing to the DPDP Board (shows good faith; may reduce penalties).

Frequently Asked Questions

Q: Do I need written consent from every marathon participant if I collect their data?

A: Not necessarily. If you’re collecting data solely to run the race (name, age, contact, finish time), Section 4 notice alone suffices. You do not need a written consent signature for legitimate-interest processing. However, the notice must clearly state the purpose and retention period. If you later want to also send marketing emails or share data with sponsors, that requires separate, explicit consent via Section 5.

Q: What if I collect health conditions for emergency response—can I avoid Section 4 notice for that?

A: No. Medical data is especially sensitive, and Section 4 notice is mandatory. You must explicitly disclose that you’re collecting medical information, why (emergency response), who can access it (medical personnel only), and how long you’ll keep it (typically 3 years for legal records). Burying this in a waiver violates Section 4. The notice must be separate, prominent, and dated.

Q: Can I publish runner photos and names on my website or social media without consent?

A: It depends on your notice and consent basis. If your Section 4 notice states “We collect name and finish time to publish official results,” you can publish results. But if you want to use photos for marketing or ads, that’s a separate purpose requiring explicit consent under Section 5 (a checkbox that says “May we use your photo for social media ads?”). Without that separate consent, publishing photos for promotional purposes violates Section 4.

Q: Is the liability waiver my participants sign enough to satisfy Section 4?

A: No. A waiver is a legal instrument protecting you from injury claims; a Section 4 notice is a data privacy disclosure. They are entirely separate. A waiver says “If I get injured, I won’t sue.” A notice says “Here’s what data we collect and how we use it.” You need both—and they must be clearly separated so participants understand each one. If they’re combined on a single form, participants may not realize they’re being told about data usage, which violates Section 4’s requirement for clear prior notice.

Q: What happens if I don’t have a Section 4 notice at all?

A: You’re in immediate breach. The DPDP Authority can issue a compliance notice at any time—no participant complaint needed. If you ignore it, penalties start at ₹150 crore. Even if no authority has audited you yet, you’re exposed. The moment you collect the first participant’s data without providing notice, you’re violating Section 4. Update your registration form immediately.

Q: How do I prove I gave participants a Section 4 notice?

A: Document delivery. Best practices: (1) Include the notice in your registration confirmation email with a timestamp; (2) Add a checkbox on your registration form that says “I have read and understood the data notice” (capturable screenshot); (3) Keep server logs showing when each participant received the notice; (4) For pre-event communications, send the notice 7 days before race day and capture email delivery receipts. In an audit, you’ll need to show proof that participants received and acknowledged the notice before submitting personal data.


DPDPA Section 4 notice requirementsMarathon organizer data privacy compliance IndiaSports event participant data collection DPDPANotice vs consent sports events IndiaRunning event organizer compliance Section 4India marathon privacy penalties ₹150 croreParticipant data disclosure requirements DPDPA
VERIFIED DPDPAReady Editorial Desk 11 JUL 2026

Not sure if your media workflow is DPDPA-compliant?

DPDPAReady maps your entire workflow against the Act — free, in 48 hours.

Get your free compliance audit →