Compliance guide
Face-recognition attendance and the DPDP Act: a plain-English guide for Indian businesses
Updated 10 June 2026 · ~9 minute read
A face-recognition attendance box now costs less than a month's salary for one employee. Resellers fit them on the wall of gyms, garment units, retail chains, coaching classes and coworking floors across India in an afternoon. The pitch is simple: no buddy-punching, no registers, attendance "done". What almost nobody mentions is that the moment you enrol the first face, you have started processing biometric personal data under India's Digital Personal Data Protection Act, 2023 (DPDP Act) — and that the device you just bought gets a predictable slice of your people wrong.
This guide is written for the owner or facilities manager who installed one of these systems, not for a privacy lawyer. It covers two risks that travel together: misidentification (bias and false matches) and DPDP non-compliance. Both are quiet until a staff member complains, a wrong person is let in, or someone asks to see your consent paperwork — and then they are very loud.
Why cheap face-recognition misidentifies real people
Face recognition is not one accuracy number. It is a trade-off between two kinds of error:
- False reject — a genuine, enrolled person is not matched. In attendance, that's your own worker marked absent while standing at the gate.
- False accept — the wrong person is matched to someone else's identity. In access control, that's the wrong person let through the door, or one employee marked present for another.
A device ships with a single confidence threshold that decides where it sits between these two errors. Push it to reduce false accepts and you reject more genuine people; loosen it and you let more wrong matches through. Most low-cost devices are never re-tuned for your actual staff.
Worse, the errors are not evenly spread. Commodity face models are trained mostly on lighter, well-lit, unoccluded faces. In an Indian workplace that means the people most likely to be repeatedly mis-recognised are often:
- Workers with darker skin tones, especially under poor entrance lighting.
- Outdoor and manual workers whose faces carry dust, sweat or sun exposure.
- Women whose hairline is covered by a saree pallu, dupatta or veil.
- Men in turbans, or anyone in a mask or helmet at the moment of capture.
- Older staff and members, whose enrolment photo drifts from their current face.
- Night-shift workers captured in low light.
When the same people get marked absent three times a week, it stops being a tech glitch and becomes a fairness problem — one that can cost wages, trust, and eventually a complaint.
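The threshold trade-off and the uneven spread of errors described above can both be measured from a device's match log. The following is an added example, not code from this guide or from any device vendor; the log layout, the capture-condition labels and the scores are constructed for illustration, and the 20% false-accept cap is an assumed policy.

```python
from collections import defaultdict

# Constructed sample log: (is_genuine, similarity score 0-1, capture condition).
# is_genuine=True means the person at the device really is the enrolled identity.
ATTEMPTS = [
    (True, 0.91, "well_lit"), (True, 0.88, "well_lit"), (True, 0.84, "well_lit"),
    (True, 0.79, "well_lit"), (True, 0.74, "low_light"), (True, 0.69, "low_light"),
    (True, 0.66, "low_light"), (True, 0.58, "low_light"),
    (True, 0.72, "head_covering"), (True, 0.63, "head_covering"),
    (False, 0.71, "well_lit"), (False, 0.62, "low_light"), (False, 0.55, "well_lit"),
    (False, 0.48, "head_covering"), (False, 0.40, "low_light"), (False, 0.31, "well_lit"),
]

def error_rates(attempts, threshold):
    """Return (false_reject_rate, false_accept_rate) at the given threshold."""
    genuine = [s for g, s, _ in attempts if g]
    impostor = [s for g, s, _ in attempts if not g]
    frr = sum(s < threshold for s in genuine) / len(genuine)
    far = sum(s >= threshold for s in impostor) / len(impostor)
    return frr, far

def false_rejects_by_group(attempts, threshold):
    """False-reject rate per capture condition, counting genuine attempts only."""
    total, rejected = defaultdict(int), defaultdict(int)
    for is_genuine, score, group in attempts:
        if is_genuine:
            total[group] += 1
            rejected[group] += score < threshold
    return {g: rejected[g] / total[g] for g in total}

def pick_threshold(attempts, candidates, max_far):
    """Lowest-FRR candidate whose FAR stays within max_far (assumed policy)."""
    allowed = [t for t in candidates if error_rates(attempts, t)[1] <= max_far]
    return min(allowed, key=lambda t: error_rates(attempts, t)[0]) if allowed else None

if __name__ == "__main__":
    for t in (0.60, 0.70, 0.80):
        frr, far = error_rates(ATTEMPTS, t)
        print(f"threshold {t:.2f}: FRR {frr:.0%} FAR {far:.0%}", false_rejects_by_group(ATTEMPTS, t))
    print("picked:", pick_threshold(ATTEMPTS, (0.60, 0.65, 0.70, 0.75, 0.80), 0.2))
```

On this constructed data, raising the threshold from 0.60 to 0.80 removes every false accept but rejects most genuine attempts, and the rejections fall on the low-light and head-covering captures while well-lit captures are untouched.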
What the DPDP Act 2023 actually requires
The DPDP Act treats the face template your device stores as personal data of a Data Principal (your employee, member or visitor). You are the Data Fiduciary deciding why and how it is processed. In plain terms, you are expected to:
- Have a lawful basis. For most private attendance/access use that means consent that is free, specific, informed and unambiguous — collected before you enrol the face, not assumed because someone showed up to work.
- Give notice. Tell people what is collected, the purpose, and how to exercise their rights — in clear language, at the point of capture.
- Limit the purpose and the data. Use the face data only for the stated attendance/access purpose; don't quietly repurpose it for surveillance or sharing.
- Limit storage. Define a retention period and delete templates when a person leaves or withdraws consent.
- Secure it. Apply reasonable security safeguards — encrypted templates, access control on the device and any cloud dashboard, no plain face images sitting on an SD card.
- Enable rights & grievances. Let people access, correct, or erase their data and withdraw consent, and name someone to handle complaints.
- Take extra care with children. Processing children's data (e.g. in a school or coaching institute) carries stricter conditions.
None of this requires you to rip the device off the wall. It requires paperwork and a few settings — which is exactly the part the reseller didn't hand you.
The fix: a consent notice, a fair fallback, and a tuned threshold
You can close most of the gap with a handful of concrete steps:
- Put a DPDP consent & disclosure notice at every capture point and collect written or recorded consent before enrolling anyone.
- Offer a manual alternative — a register or card — for anyone who refuses face capture, with no penalty.
- Ask your installer to review the match threshold against your real staff, and re-take poor enrolment photos in good lighting.
- Set a deletion timeline for people who leave, and make sure templates are stored encrypted rather than as raw images.
- Name a contact person for data complaints and put their details on the notice.
How FaceAudit helps
Doing all of that from a blank page is the hard part. FaceAudit reads a description of your deployment and a few sample match logs, then produces a plain-language bias and false-match risk report, a DPDP Act gap analysis, and a ready-to-print consent notice tailored to your organisation — the document you can actually put at your entrance. The free check gives you a risk level and a one-page checklist; the full report gives you the paperwork.
You never upload a single face image — FaceAudit works on text only, so running the audit doesn't add to your risk.
See where your face-attendance system exposes you.
Run a free risk check now — risk level, the groups most likely mis-identified, and a one-page checklist, in about 30 seconds.
This article is general information, not legal advice. For a binding opinion on your specific deployment, consult a qualified data-protection lawyer.