GDPR and online reviews: what the law says
Online reviews are a powerful tool for consumers and businesses alike, but they also raise important legal questions. In the European Union, the General Data Protection Regulation (GDPR) and various consumer protection laws govern how reviews can be collected, published, and managed. Understanding these rules is essential for any business that solicits or responds to customer reviews. This guide breaks down the key legal principles you need to know.
The legal framework for online reviews in the EU
[blog.article_3.s1_content]Your right of reply as a business
As a business owner, you have the right to respond to any review left on your Google Business Profile or other platforms. This is a fundamental right that allows you to:
- Correct factual errors: If a review contains inaccurate information, you can politely set the record straight.
- Provide context: You can share your perspective on the situation without disclosing private customer details.
- Show professionalism: A well-crafted response demonstrates that you take customer feedback seriously.
However, there are important limits to your right of reply:
- Never disclose personal data: You cannot reveal a customer's identity, transaction details, medical information, or any other personal data in your response.
- Stay factual and professional: Responses that are insulting, threatening, or retaliatory can expose you to legal liability.
- Do not pressure reviewers: Contacting a reviewer privately to pressure them into removing a review can constitute harassment.
Defamatory reviews: what you can do
Not all negative reviews are defamatory. Under EU law, a review is considered defamatory when it contains false statements of fact that harm your reputation. Opinions, even harsh ones, are generally protected. Here is how to handle potentially defamatory reviews:
- Document everything: Take screenshots and note the date, content, and reviewer information.
- Report to Google: Use Google's review reporting tool to flag reviews that violate their policies (fake reviews, spam, conflict of interest, offensive content).
- Send a formal notice: In many EU countries, you can send a cease-and-desist letter to the reviewer (if identifiable) or the platform.
- Legal action: As a last resort, you can pursue legal proceedings. Courts can order the removal of defamatory content and award damages.
Google typically removes reviews that are clearly fake, contain hate speech, or include personal information. However, they rarely remove reviews based on disputes over the accuracy of the customer's experience.
Consent and personal data in reviews
Reviews themselves contain personal data — the reviewer's name, opinions, and sometimes details about their interactions with your business. Here is what you need to know:
- Publicly posted reviews: When a customer posts a review on Google, they have voluntarily made that information public. You can display, quote, or embed these reviews (e.g., via a website widget) without additional consent.
- Private feedback: If a customer sends you private feedback (via email or your collection page), you cannot publish it as a review without their explicit consent.
- Employee reviews: Be cautious about having employees post reviews. This must be disclosed and can violate platform policies and consumer protection laws.
- Incentivized reviews: You can offer incentives for leaving a review (e.g., a discount), but you cannot condition the incentive on it being positive. The incentive must be disclosed.
Best practices for GDPR-compliant review collection:
- Use a clear and honest solicitation message
- Include your business identity and contact information
- Provide an easy opt-out mechanism
- Do not require a purchase or personal data disclosure beyond what is necessary
- Never manipulate or cherry-pick reviews
Key Takeaways
Managing online reviews while respecting EU law and GDPR is entirely achievable with the right approach. Here is a summary of your legal obligations and rights:
- You can ask customers for reviews — just respect opt-out preferences and data protection rules
- You can respond to any review — but never disclose private customer information
- You can report defamatory or fake reviews to Google and pursue legal action if needed
- You must include unsubscribe options in all solicitation emails and SMS
- You must not suppress negative reviews, fabricate positive ones, or condition incentives on positive ratings
When in doubt, consult a legal professional familiar with your country's specific regulations. And remember: tools like Reevio are designed with GDPR compliance built in, so you can focus on collecting genuine feedback without worrying about legal pitfalls.
Try Reevio for free and discover how AI can transform your review management.
Try for free →