Two types of photography consent
Event photography involves two legally and ethically distinct types of consent:
1. Consent to be photographed
At most professional events, general photography consent is obtained via the event registration terms and conditions. Attendees agree that photography may take place at the event and that images may be used for event marketing and documentation.
This consent covers general photography of event spaces, group shots and incidental inclusion in event coverage. It does not cover targeted facial recognition or biometric data collection.
2. Consent for facial data collection
When you use AI face-matching technology to deliver photos to attendees, you are collecting biometric data (a facial embedding derived from the attendee's selfie). Under GDPR and equivalent legislation in the UK, UAE and many other jurisdictions, biometric data is a special category requiring explicit, informed consent.
This consent must be:
- Freely given: The attendee must not be penalised for declining. They can still attend and access general gallery photos; they simply do not receive personalised photo matching.
- Specific: The consent statement must specify that facial data is being collected for photo matching purposes.
- Informed: The attendee must understand what data is collected, how it is stored and when it is deleted.
- Unambiguous: A clear affirmative action (ticking a checkbox, pressing "I agree") is required; pre-ticked boxes and assumed consent do not qualify.
The key test is whether your consent process would pass the "grandmother test": can a non-technical attendee read your consent statement and understand exactly what they are agreeing to? If the answer is no, the consent is not informed and therefore not valid under GDPR.
What your consent statement should include
A compliant consent statement for AI-powered event photo delivery should cover:
- What data is collected: A selfie photograph used to create a face template for matching purposes.
- Why it is collected: To identify which event photos you appear in and deliver them to you personally.
- Who processes it: Name the platform provider processing the facial data.
- How long it is retained: Specify the deletion schedule, typically 30 days after the event.
- How to exercise rights: How the attendee can request deletion of their data at any time.
Practical consent collection methods
Pre-event registration form
The cleanest approach is to include an optional photo service consent checkbox in the event registration form. Place it after the main registration fields with a brief, plain-language explanation. Tick to opt in; leave blank to opt out.
On-site QR flow
For attendees who register on the day, the selfie capture flow on your photo platform should include a consent screen before the camera activates. This screen must be readable without scrolling: a brief summary with a clear "I agree" button and a link to the full privacy notice.
Verbal briefing at registration
In addition to the written consent, brief your registration staff to verbally explain the photo service. This is not a replacement for written consent; it is a supplement that reduces misunderstanding and increases opt-in rates.
Handling opt-outs gracefully
Attendees who decline photo consent should still be able to access the general gallery. Simply exclude them from face-matching and ensure their selfie (if captured for another purpose) is not processed for matching.
If an attendee who previously consented requests deletion of their data during or after the event, the platform should delete their facial template within 72 hours. This is a legal requirement under GDPR and equivalent laws.
A consent process that is transparent and easy to opt out of actually increases overall consent rates. Attendees who feel in control are more likely to opt in. Events with clear, respectful consent processes consistently achieve higher photo registration rates than those with complex or confusing opt-out mechanisms.
Data retention and deletion
Best practice for event photography data retention:
- Facial templates (biometric data): Delete within 30 days of the event. There is no legitimate business reason to retain them beyond this.
- Selfie photos used for matching: Delete with the facial template or within 30 days.
- Event photos (general gallery): Retain for the period specified in your event terms, typically 6-12 months with download access for attendees.
- Engagement analytics: Anonymised engagement data (download counts, scan rates) can be retained for reporting purposes indefinitely, provided no personal identifiers are included.
Regional considerations
UK GDPR: Post-Brexit, the UK has its own version of GDPR administered by the ICO. The requirements for biometric data consent are substantially the same as EU GDPR.
UAE PDPL: The UAE's Personal Data Protection Law (Federal Decree Law No. 45 of 2021) requires explicit consent for biometric data collection. This applies to events hosted in the UAE, including Dubai and Abu Dhabi.
Saudi Arabia PDPL: Saudi Arabia's Personal Data Protection Law requires explicit consent for sensitive data including biometric information. Ensure your platform stores data within the Kingdom or in jurisdictions approved under NDMO guidelines.