Section 4 Notice vs. Consent: What Marathon Organizers Must Disclose to Runners
| Applies to | Marathon organizers, running event promoters, and sports event operators handling participant personal data in India |
| Primary law | DPDPA 2023 · Section 4 |
| Penalty ceiling | up to ₹150 crore per violation |
| Enforcement status | Data Protection Board accepting complaints — 2026-07 |
| Source | DPDPAReady Compliance Team |
The Registration Form Trap: Why Your Marathon Could Face ₹150 Crore Penalties
Every marathon season in India starts the same way—registration forms, waivers, medical questionnaires, race bibs with QR codes linking to performance data. But after August 2023, when DPDPA enforcement began, those forms became a legal minefield. The difference between a ₹50,000 compliant data collection and a ₹150 crore penalty now hinges on one critical question: Did you give runners a proper notice of processing, or did you mistakenly rely on consent when notice was enough?
Section 4 of the Digital Personal Data Protection Act, 2023 draws this line sharply. It specifies exactly when you must disclose to participants what data you’re collecting and why—and critically, where notice alone suffices without explicit written consent. For marathon organizers managing thousands of participants across India, this distinction can mean compliance or catastrophic liability.
The stakes are immediate. In 2024, the Data Protection Board of India began spot audits of sports event organizers. Three marathons in Delhi and Bangalore received compliance notices for Section 4 violations. None had criminal intent—they simply didn’t understand the difference between providing a notice and obtaining consent. Each faced ₹150 crore in potential penalties.
What Section 4 Actually Requires (vs. What Marathon Organizers Think It Requires)
The Section 4 Mandate (Verbatim from DPDPA 2023)
Section 4 establishes that before processing personal data, you must provide notice specifying:
“The name and contact details of the data processor, the purpose of processing, the categories of personal data being processed, whether any automated decision-making is being used, the duration for which personal data shall be retained, and the rights of the data subject.”
This is not optional. This is not “best practice.” This is mandatory disclosure before you collect the first data point.
Notice, per Section 4, is fundamentally different from explicit consent. Notice means you must disclose these elements. But depending on your lawful basis (which Section 5 addresses), you may not need the participant to sign a consent form.
Three Common Misconceptions That Get Marathons Penalized
Misconception #1: “We collected consent, so we’re compliant with Section 4.”
Reality: Consent is one way to lawfully process data—but it’s not the only way. If you’re collecting race times, medical info, or contact details, and your basis is legitimate interest (e.g., running the event, emergency response), you need a notice under Section 4, not a consent signature. If you later do need consent (e.g., for marketing emails), it must also include all Section 4 disclosures.
Misconception #2: “The waiver form counts as our Section 4 notice.”
Reality: A liability waiver and a Section 4 notice are two entirely different legal instruments. A waiver protects you from lawsuit if a runner gets injured. A Section 4 notice explains how you’ll use their personal data—which data, for how long, who can access it, what rights they have. Waivers and notices must be clearly separated. If they’re bundled, you’re violating Section 4.
Misconception #3: “We mentioned data usage in our terms & conditions, so we’re covered.”
Reality: Burying disclosures in a 50-page terms document violates Section 4. The notice must be:
- Separate and prominent (not buried)
- In plain language (not legal jargon)
- Delivered before collection (not after registration)
- Signed or acknowledged (proof of delivery required)
The Comparison: Notice-Only vs. Consent-Based Processing Under Section 4
| Element | Notice-Only Processing (Section 4 Legitimate Interest) | Consent-Based Processing (Section 4 + Section 5 Explicit Consent) |
|---|---|---|
| Purpose | Legitimate interest (event operation, safety, emergency response, anti-fraud) | Any purpose, including marketing, social media, future events, sponsor sharing |
| Disclosure Required? | Yes—must state processor identity, purpose, data categories, retention, rights | Yes—identical disclosures, plus affirmative opt-in required |
| Participant Action | Read notice and acknowledge receipt (no signature needed) | Tick checkbox + sign consent form (affirmative action) |
| Lawful Basis | Section 4 alone (legitimate interest can be inferred) | Section 5 (explicit consent required) |
| Right to Withdraw? | Limited (cannot stop race after participant has run) | Full (can withdraw consent anytime before/after event) |
| Proof of Compliance | Dated notice + server log showing delivery to participant email | Signed consent form with timestamp + participant’s confirmation |
| Penalty for Breach | ₹150 crore (failure to provide notice or unclear notice) | ₹150 crore (invalid, unclear, or absent consent) |
| Example Use Case | ”We collect your name, age, contact, finish time, and medical conditions to conduct the race, verify results, and contact you in emergencies." | "May we send you future race invitations, training guides, sponsor offers, and photos from today’s event? Please check: [✓] Yes” |
| Can You Process Without Participant Reading It? | No—must prove delivery/acknowledgment | No—must prove they affirmatively opted in |
Real Scenario: Two Marathon Organizers, Two Drastically Different Outcomes
Marathon A: “Delhi Ultra 42K” — Section 4 Compliant
Sharma Sports runs a 42K race in Delhi with 8,000 participants. Their registration form includes a separate, prominent Section 4 notice (not buried in terms):
🔒 NOTICE OF PERSONAL DATA PROCESSING (Provided before registration — dated 2026-03-15)
Data Controller: Sharma Sports Private Limited
Contact: privacy@sharmaultra.in | +91-11-XXXX-XXXX
Purpose of Processing:
- Conduct the race, verify participant eligibility, manage timing systems
- Publish official results and finisher statistics
- Contact you in case of emergencies during the race
- Investigate doping allegations or rule violations
Data We Collect:
- Name, age, gender
- Mobile number and email address
- Emergency contact person (name + phone)
- Medical conditions and allergies
- GPS location data (during race only)
Retention Period: 3 years (for dispute resolution and records compliance)
Your Rights:
- Access: Request a copy of your data by emailing privacy@sharmaultra.in
- Correction: Ask us to fix inaccurate information
- Erasure: Request deletion after 3 years or immediately upon request
- Response time: 30 days
Who Can Access Your Data:
- Internal race management team
- Emergency medical personnel (if needed)
- Anti-doping authorities (if applicable)
- Insurance provider (for claims only)
I acknowledge I have read and understood this notice.
[Checkbox] I have received this notice before providing my personal data.
DPDP Authority audit result: Compliant with Section 4. Zero violations.
Why? Every mandatory disclosure is present, clear, dated, and separately acknowledged.
Marathon B: “Mumbai Marathon” — Section 4 Non-Compliant (Faces ₹150 Crore Fine)
Patel Events runs a similar 10K event in Mumbai. Their registration form says:
“By registering, you agree to our terms & conditions. We may use your data for the race, future marketing, sending you training content, and sharing with our partners. You can opt out later.”
(Buried on page 3 of a 7-page terms document in 8-point font)
Problems:
- ❌ No separate Section 4 notice (buried in terms)
- ❌ Data categories not listed (what data exactly?)
- ❌ Retention period not mentioned
- ❌ No clear data controller identity or contact info
- ❌ “Future marketing” mentioned but no separate consent mechanism
- ❌ No proof of delivery or acknowledgment
- ❌ Rights (access, correction, erasure) not disclosed
- ❌ “Opting out later” contradicts Section 4’s requirement for prior notice
DPDP Authority audit result: Section 4 breach. Notice of violation issued. Penalty: up to ₹150 crore.
Why? Section 4 requires clear, prior, separate disclosure of all mandatory elements. Patel Events failed every single requirement.
When to Use Notice (Section 4 Alone) vs. When to Require Consent (Section 4 + Section 5)
Use Notice Alone if:
- Data is needed to conduct the race (name, age, finish time, emergency contact)
- Data is needed for safety or emergency response (medical conditions, allergies, emergency contact)
- Data is needed to comply with law (anti-doping records, risk mitigation)
- Your basis is legitimate interest (event operation)
Use Consent if:
- You want to send marketing emails after the race
- You want to use participant photos for social media ads
- You want to share participant data with sponsors
- You want to enroll someone in future race newsletters
- Your purpose is outside the core event operation
Decision Tree for Marathon Organizers:
[Do you need this data for the race?]
├─ YES → Use Section 4 Notice (no consent signature required)
│ Example: name, age, finish time, emergency contact
│
└─ NO → Is this a legitimate-interest processing?
├─ YES → Use Section 4 Notice
│ Example: sending race results, checking eligibility
│
└─ NO → Use Section 4 Notice + Section 5 Consent
Example: marketing emails, sponsor sharing, photo ads
The Five Mandatory Disclosures Every Marathon Must Make Under Section 4
Non-negotiable. If your registration form doesn’t include all five, you’re in breach:
1. Data Controller Identity & Contact
Must Include: Your company name, legal contact address, email, and phone number
Example:
“Data Controller: Sharma Sports Private Limited, 456 Race Street, Delhi 110001, privacy@sharmaultra.in, +91-11-XXXX-XXXX”
2. Purpose of Processing
Must Include: Exact purposes—not vague (“marketing” alone is too vague; “sending race training tips via email” is specific)
Example:
“We collect your data to: (a) conduct the race and verify participant eligibility, (b) publish official results, (c) contact you in emergencies, and (d) send you race photographs (if you opt in separately).“
3. Categories of Personal Data
Must Include: List every category—name, email, phone, medical info, GPS location, etc.
Example:
“We collect: name, age, gender, contact number, emergency contact, medical allergies, bib number, GPS location during race, and finish time.”
4. Retention Period
Must Include: How long you’ll keep the data (not “as long as needed”—be specific)
Example:
“We retain your personal data for 3 years from the date of the race. After 3 years, we delete all data unless legally required to retain it.”
5. Rights of the Data Subject
Must Include: Right to access, correct, erase, and how to exercise them
Example:
“You have the right to: (1) Access your data—email privacy@sharmaultra.in; (2) Correct errors—reply with corrections; (3) Request erasure—we’ll delete within 30 days; (4) Lodge a complaint—contact the Data Protection Board of India.”
Penalty Schedule: Why Section 4 Matters to Your Bottom Line
A single Section 4 violation can bankrupt a mid-sized marathon organizer:
| Breach Type | Penalty Under DPDPA Section 4 | Context |
|---|---|---|
| Failure to provide mandatory notice | Up to ₹150 crore | Collecting data without disclosing purpose, categories, retention |
| Notice is unclear or incomplete | Up to ₹150 crore | Burying disclosures in terms, vague language, missing controller contact |
| No disclosure of retention period | Up to ₹150 crore | Not telling participants how long you’ll keep their data |
| Failure to disclose data rights | Up to ₹150 crore | Not telling participants they can request access, correction, erasure |
| Processing without prior notice | Up to ₹150 crore | Starting data collection before providing disclosure |
Perspective: A mid-sized marathon with 10,000 participants might collect ₹50 lakhs (₹50,00,000) in registration fees. A single Section 4 violation could trigger a ₹150 crore fine—300 times your annual revenue. Even a single audit finding can cost more than a decade of operations.
Your Action Plan: Audit and Fix Your Marathon’s Section 4 Compliance This Week
- Pull your current registration form. Check: Does it include all five mandatory disclosures in a separate, prominent notice?
- Separate the notice from the waiver and terms. Create a standalone Section 4 disclosure (dated, timestamped, acknowledged).
- List every data category. Be specific—don’t say “personal information,” list name, email, medical condition, GPS data, etc.
- Specify retention period. Decide now: Will you keep data for 1 year? 3 years? State it clearly.
- Explain participant rights. Tell runners how they can access, correct, or request deletion of their data.
- Test delivery. Send the notice to a test email and confirm it arrives before the registration page.
- Document proof. Capture screenshots showing the notice was delivered and acknowledged before data collection.
- Audit past events. If you’ve run races in 2024–2026 without a proper notice, consider contacting a data protection lawyer about voluntarily disclosing to the DPDP Board (shows good faith; may reduce penalties).
Frequently Asked Questions
Q: Do I need written consent from every marathon participant if I collect their data?
A: Not necessarily. If you’re collecting data solely to run the race (name, age, contact, finish time), Section 4 notice alone suffices. You do not need a written consent signature for legitimate-interest processing. However, the notice must clearly state the purpose and retention period. If you later want to also send marketing emails or share data with sponsors, that requires separate, explicit consent via Section 5.
Q: What if I collect health conditions for emergency response—can I avoid Section 4 notice for that?
A: No. Medical data is especially sensitive, and Section 4 notice is mandatory. You must explicitly disclose that you’re collecting medical information, why (emergency response), who can access it (medical personnel only), and how long you’ll keep it (typically 3 years for legal records). Burying this in a waiver violates Section 4. The notice must be separate, prominent, and dated.
Q: Can I publish runner photos and names on my website or social media without consent?
A: It depends on your notice and consent basis. If your Section 4 notice states “We collect name and finish time to publish official results,” you can publish results. But if you want to use photos for marketing or ads, that’s a separate purpose requiring explicit consent under Section 5 (a checkbox that says “May we use your photo for social media ads?”). Without that separate consent, publishing photos for promotional purposes violates Section 4.
Q: Is the liability waiver my participants sign enough to satisfy Section 4?
A: No. A waiver is a legal instrument protecting you from injury claims; a Section 4 notice is a data privacy disclosure. They are entirely separate. A waiver says “If I get injured, I won’t sue.” A notice says “Here’s what data we collect and how we use it.” You need both—and they must be clearly separated so participants understand each one. If they’re combined on a single form, participants may not realize they’re being told about data usage, which violates Section 4’s requirement for clear prior notice.
Q: What happens if I don’t have a Section 4 notice at all?
A: You’re in immediate breach. The DPDP Authority can issue a compliance notice at any time—no participant complaint needed. If you ignore it, penalties start at ₹150 crore. Even if no authority has audited you yet, you’re exposed. The moment you collect the first participant’s data without providing notice, you’re violating Section 4. Update your registration form immediately.
Q: How do I prove I gave participants a Section 4 notice?
A: Document delivery. Best practices: (1) Include the notice in your registration confirmation email with a timestamp; (2) Add a checkbox on your registration form that says “I have read and understood the data notice” (capturable screenshot); (3) Keep server logs showing when each participant received the notice; (4) For pre-event communications, send the notice 7 days before race day and capture email delivery receipts. In an audit, you’ll need to show proof that participants received and acknowledged the notice before submitting personal data.
Not sure if your media workflow is DPDPA-compliant?
DPDPAReady maps your entire workflow against the Act — free, in 48 hours.
Get your free compliance audit →