OtterHonest

GDPR and Customer Reviews: A Practical Guide for EU Businesses

What GDPR and the EU Omnibus Directive mean for collecting, displaying, and managing customer reviews — and what to look for in a compliant review platform.

If your business collects or displays customer reviews and you operate in the EU, GDPR already applies to you. And since 2022, the EU Omnibus Directive has added a new layer on top of that: explicit rules about fake and incentivized reviews that carry real enforcement weight.

Most businesses running review programs haven't thought this through. They send review-request emails without a lawful basis, display reviews without considering the personal data they contain, and use platforms that have never been audited for EU compliance. That's a combination that creates exposure, both legal and reputational.

This guide covers what you actually need to know: the GDPR obligations that come with collecting reviews, what the Omnibus rules change, and how to evaluate whether a review platform is built for the EU market or just happens to serve it.

1. Understand the Lawful Basis for Review-Request Emails

Why it matters: Sending a customer an email asking for a review is a form of direct marketing communication. Under GDPR, you need a lawful basis to do it. In most EU member states, the relevant law for email marketing is the ePrivacy Directive (implemented nationally as laws like PECR in the UK or the TDDDG in Germany), which sits alongside GDPR. Getting this wrong isn't just a GDPR violation — it can also breach national spam laws.

How to do it: There are two routes businesses typically use:

  • Legitimate interests (GDPR Article 6(1)(f)) — You may be able to rely on legitimate interests for a post-purchase review request if you have an existing customer relationship and the request is proportionate. This requires a documented Legitimate Interests Assessment (LIA) showing your interest in collecting honest feedback outweighs the customer's right not to be contacted. This is the most commonly used route, but it isn't automatic — you need to document it.
  • Consent โ€” If you're in doubt, or if you're contacting prospects rather than existing customers, explicit opt-in consent is the cleaner approach. It's harder to obtain but much easier to defend.

What this means in practice: Your post-purchase review-request email needs to be clearly expected by the customer, limited to one message (or a documented reasonable sequence), and include an easy way to opt out of future communications. An unsubscribe mechanism is not optional.

Tip: Don't assume your existing email marketing consent covers review requests. Check whether your privacy notice and signup flow actually mention it. If not, you either need to update your notices or document a legitimate interests assessment.

2. Recognise That Reviews Contain Personal Data

Why it matters: A customer review contains, at minimum, the reviewer's name (or username), their written opinion, and often their email address and IP address in the background. Under GDPR, all of this is personal data. You are the controller of that data once it lands on your platform or in your system.

How to do it: Your privacy notice needs to cover reviews specifically. Be clear about:

  • What personal data you collect from reviewers (name, email, IP, content of the review)
  • Why you collect it and what your lawful basis is
  • How long you retain it
  • Who you share it with (including review platform providers, who are data processors)
  • How reviewers can exercise their rights

If you use a third-party review platform, you should have a data processing agreement (DPA) in place with that provider. If the platform is based outside the EU, you also need to confirm there is a valid transfer mechanism in place — standard contractual clauses (SCCs), adequacy decision, or similar. A US-based platform with no DPA and no SCCs is a compliance gap.

Tip: Check whether your review platform provider is willing to sign a DPA. If they're not — or if they don't know what one is — that tells you something.

3. Handle Right-to-Erasure Requests Without Deleting Legitimate Reviews

Why it matters: Under GDPR Article 17, reviewers have the right to request deletion of their personal data. This creates a genuine tension for review platforms: a review is both personal data (belonging to the reviewer) and a piece of public record (relevant to other consumers making decisions). Getting this balance wrong in either direction is a problem.

How to do it: Erasure requests need to be assessed case by case. In most situations, you have grounds to retain a legitimate, verified review even after a reviewer requests deletion — specifically under GDPR Article 17(3)(e), which allows retention where the data is necessary for the establishment, exercise, or defense of legal claims, or Article 17(3)(b) for tasks in the public interest.

But these exemptions are not blanket. A sensible approach is:

  • Remove or anonymise the reviewer's personal identifiers (name, email) where possible, while retaining the review content if it remains relevant and accurate
  • Have a documented policy for how you handle erasure requests relating to reviews
  • Don't simply delete any review that the business being reviewed asks to be removed — that conflates business interests with data subject rights and could suppress legitimate feedback

What you should not do: Allow businesses to trigger erasure of reviews they dislike by filing spurious GDPR requests. Some platforms have seen this weaponised as a deletion mechanism dressed in compliance language.

Tip: The right approach is to treat erasure requests as coming from the reviewer, not the business. A business cannot invoke the reviewer's GDPR rights on their behalf.

4. Understand What the EU Omnibus Directive Makes Illegal

Why it matters: The EU Omnibus Directive (Directive (EU) 2019/2161), fully in force since May 2022, amended the Unfair Commercial Practices Directive to explicitly prohibit a set of practices around consumer reviews. These are now illegal across the EU, not just poor form.

What is now explicitly prohibited:

  • Submitting or commissioning fake reviews — paying for reviews, getting employees or associates to write them, or using review farms
  • Failing to disclose that reviews are incentivized — offering discounts, gifts, or other benefits in exchange for reviews without clearly disclosing this to readers
  • Claiming reviews are by customers who purchased the product when no steps are taken to verify this
  • Suppressing negative reviews without a legitimate basis for removal

The Directive requires that any business which publishes consumer reviews must state whether and how they ensure reviews come from actual customers. This applies to both businesses that collect reviews directly and to platforms that host them.

What this means for your review platform: If you use a platform that doesn't verify reviewers — or worse, a platform that lets businesses pay to suppress or reorder reviews — you're relying on infrastructure that is non-compliant with EU law. Enforcement is handled nationally, and fines can reach 4% of annual turnover.

Tip: Read your review platform's terms carefully. Ask them directly: do they verify that reviewers are real customers? Can businesses pay to improve their ranking or suppress reviews? If the answer to the first is "no" or to the second is "yes," you have an Omnibus problem. See also why verified reviews matter.

5. Evaluate Whether Your Review Platform Is Built for EU Compliance

Why it matters: Most major review platforms were built in the US, at scale, for a US-first market. EU compliance was retrofitted, often partially. That matters when the law that governs your data is EU law, not California law.

What to look for in a compliant, EU-friendly review platform:

Verification before publication. The platform must verify that reviews come from real people before they go live โ€” at minimum by email confirmation. This directly satisfies the Omnibus requirement to take steps to ensure reviews are from actual customers. Platforms that let unverified reviews publish by default are not compliant with the Directive's intent. (More on what honest reviews actually look like.)

No pay-to-play ranking. Rankings and profile prominence must not be purchasable. Allowing businesses to pay for higher placement while presenting the result as an objective ranking is a deceptive commercial practice under the Directive.

Data ownership and export. You need to be able to access your own data. A platform that locks in your reviews or charges you to export them is not just a commercial nuisance — it creates compliance problems when regulators or customers ask for records.

A signed DPA. Any platform processing personal data on your behalf is a processor under GDPR. They must offer a DPA. If they don't, you're operating without a required legal instrument.

EU data residency or adequate transfer mechanisms. Ideally, your review data stays in the EU. If it doesn't, there must be a valid legal transfer mechanism. This is easy to confirm — ask the platform where data is stored and what transfer safeguards apply.

Transparent removal policy. The platform should have a documented, consistent policy for when reviews can be removed — and it should not be "when the business asks." Legitimate grounds for removal include policy violations, demonstrably false content, or verified identity concerns. Businesses disliking a review is not a legitimate basis.

Tip: When evaluating a platform, ask for their DPA, their data residency information, and a copy of their review removal policy. A compliant platform can answer all three quickly and clearly.

6. Audit Your Current Review Collection Process

Why it matters: If you've been collecting reviews for a while, there's a reasonable chance your current process was set up before these rules were fully in force or fully understood. A brief audit is worth doing.

How to do it: Work through these questions:

  • Do we have a documented lawful basis for each type of review-request email we send?
  • Does our privacy notice mention reviews, reviewer data, and how long we retain it?
  • Do we have a DPA in place with our review platform provider?
  • Can we export all our review data if we switch platforms?
  • Can we respond to a reviewer's erasure request without simply deleting the review entirely?
  • Does our platform verify reviewers before reviews go live?
  • Does our platform let businesses pay to improve their ranking or suppress reviews?

If you can't answer yes to all of these, you have concrete items to fix. Most of them are straightforward: updating a privacy notice, requesting a DPA, or switching to a platform built around verification.

Tip: Keep a brief record of your answers and when you reviewed them. If a regulator or a customer ever asks, having documented your thinking is far better than having no record at all.

The Bottom Line

GDPR compliance for reviews isn't optional, and since 2022 the EU has made the rules about fake and unverified reviews explicit and enforceable. The businesses that get this right aren't just reducing legal risk — they're building a review profile that customers can actually trust.

That means using a platform where every review is verified before it goes live, rankings can't be bought, and you own your data. It means sending review-request emails with a clear lawful basis and a visible unsubscribe. And it means treating the occasional negative review as legitimate feedback rather than a problem to suppress.

A verified, honest review from a real customer is worth more than ten unverified five-star reviews — legally, and commercially. See how OtterHonest is built around verified reviews and data ownership.
