GDPR and online reviews: what the law says
The legal framework for online reviews in the EU
Online reviews in the EU are governed by a combination of regulations that protect both consumers and businesses:
- EU Directive 2019/2161 (Omnibus Directive): Requires platforms to verify the authenticity of reviews and disclose how reviews are collected, moderated, and displayed. Businesses cannot publish fake reviews or selectively suppress negative ones.
- Consumer Rights Directive: Prohibits misleading commercial practices, including manipulating reviews or creating false impressions of customer satisfaction.
- GDPR (Regulation 2016/679): Governs the collection and processing of personal data, which is directly relevant when you solicit reviews via email or SMS.
- National laws: Many EU member states have additional consumer protection laws. For example, in France, the DGCCRF actively monitors fake reviews, while Germany's UWG (Unfair Competition Act) provides further protections.
Your right of reply as a business
As a business owner, you have the right to respond to any review left on your Google Business Profile or other platforms. This is a fundamental right that allows you to:
- Correct factual errors: If a review contains inaccurate information, you can politely set the record straight.
- Provide context: You can share your perspective on the situation without disclosing private customer details.
- Show professionalism: A well-crafted response demonstrates that you take customer feedback seriously.
However, there are important limits to your right of reply:
- Never disclose personal data: You cannot reveal a customer's identity, transaction details, medical information, or any other personal data in your response.
- Stay factual and professional: Responses that are insulting, threatening, or retaliatory can expose you to legal liability.
- Do not pressure reviewers: Contacting a reviewer privately to pressure them into removing a review can constitute harassment.
Defamatory reviews: what you can do
Not all negative reviews are defamatory. Under EU law, a review is considered defamatory when it contains false statements of fact that harm your reputation. Opinions, even harsh ones, are generally protected. Here is how to handle potentially defamatory reviews:
- Document everything: Take screenshots and note the date, content, and reviewer information.
- Report to Google: Use Google's review reporting tool to flag reviews that violate their policies (fake reviews, spam, conflict of interest, offensive content).
- Send a formal notice: In many EU countries, you can send a cease-and-desist letter to the reviewer (if identifiable) or the platform.
- Legal action: As a last resort, you can pursue legal proceedings. Courts can order the removal of defamatory content and award damages.
Google typically removes reviews that are clearly fake, contain hate speech, or include personal information. However, they rarely remove reviews based on disputes over the accuracy of the customer's experience.
GDPR obligations when soliciting reviews
When you send emails or SMS to customers asking for reviews, you are processing personal data under GDPR. Here are the key obligations you must respect:
- Lawful basis: You need a valid legal basis to send solicitation messages. The most common is legitimate interest (for existing customers) or consent (for prospects). Check your local e-Privacy regulations, as rules vary by country.
- Transparency: Your privacy policy must explain that you may contact customers to request feedback and reviews.
- Right to opt out: Every solicitation email or SMS must include a clear unsubscribe option. You must honor opt-out requests immediately.
- Data minimization: Only collect the personal data you need (name, email, phone number). Do not store unnecessary information.
- Data retention: Do not keep customer contact data indefinitely. Define a retention period and delete data when it is no longer needed.
- Data security: Protect stored customer data with appropriate technical measures (encryption, access controls, etc.).
Consent and personal data in reviews
Reviews themselves contain personal data — the reviewer's name, opinions, and sometimes details about their interactions with your business. Here is what you need to know:
- Publicly posted reviews: When a customer posts a review on Google, they have voluntarily made that information public. You can display, quote, or embed these reviews (e.g., via a website widget) without additional consent.
- Private feedback: If a customer sends you private feedback (via email or your collection page), you cannot publish it as a review without their explicit consent.
- Employee reviews: Be cautious about having employees post reviews. This must be disclosed and can violate platform policies and consumer protection laws.
- Incentivized reviews: You can offer incentives for leaving a review (e.g., a discount), but you cannot condition the incentive on it being positive. The incentive must be disclosed.
Best practices for GDPR-compliant review collection:
- Use a clear and honest solicitation message
- Include your business identity and contact information
- Provide an easy opt-out mechanism
- Do not require a purchase or personal data disclosure beyond what is necessary
- Never manipulate or cherry-pick reviews
Key takeaways
Managing online reviews while respecting EU law and GDPR is entirely achievable with the right approach. Here is a summary of your legal obligations and rights:
- You can ask customers for reviews — just respect opt-out preferences and data protection rules
- You can respond to any review — but never disclose private customer information
- You can report defamatory or fake reviews to Google and pursue legal action if needed
- You must include unsubscribe options in all solicitation emails and SMS
- You must not suppress negative reviews, fabricate positive ones, or condition incentives on positive ratings
When in doubt, consult a legal professional familiar with your country's specific regulations. And remember: tools like Reevio are designed with GDPR compliance built in, so you can focus on collecting genuine feedback without worrying about legal pitfalls.
Try Reevio for free and discover how AI can transform your review management.