GDPR, consent and UGC
UGC features real, identifiable people, which makes it personal data. Here is how data-protection law, and GDPR in particular, shapes a UGC programme.
UGC rights conversations usually stop at copyright, who owns the photo. But a customer photo or video also contains something else: an identifiable person. Under GDPR and comparable regimes, that brings data-protection obligations alongside the copyright ones.
UGC is personal data
An image of an identifiable individual is personal data. Publishing and storing it is processing that data. That does not make UGC unusable, businesses process personal data lawfully all the time, but it means a UGC programme has to be built with data protection in mind, not only copyright.
Two permissions, not one
Copyright permission says you may use the content. Data-protection law adds that the person should understand and agree to how their personal data is used, and retains rights over it afterwards. A good rights request handles both at once, it makes clear what the content will be used for, which is exactly what informed agreement needs.
What that means in practice
- Be clear at the point of permission about how and where the content will be used.
- Keep a record of the permission, tied to the asset and the person.
- Honour removal requests, if a person asks for their content to be taken down, have a process to do it.
- Minimise: do not hold UGC, or the data around it, longer or wider than you need.
Sources & notes
- 1European Commission, GDPR overview · Personal data and processing obligations.
- 2UK ICO, guidance on images and personal data · When images count as personal data.
- 3Note · Practical guidance, not legal advice, confirm with a data-protection specialist in your market.
30 days
GDPR right-to-erasure SLA
End-to-end inc. CDN purges
45 days
CCPA deletion SLA
CPRA
64%
of brands fail withdrawal SLA on audit
Idukki research Q1 2026
38%
Median rights yes-rate
Idukki dataset
More from Rohin Aggarwal
- Conversational commerce
Why we built the Conversational PDP
Most product-page exits are a single unanswered question. Here is the case for answering it on the page, from your own evidence, and the story of why we built a Q&A that is curated-first and AI-second.
- Strategy
PDP before and after UGC: what actually changes on the page
Strip a product page back to brand-only content, then layer verified customer photos, video and reviews into the middle scroll, and watch what moves. A scroll-by-scroll look at the before and after, the numbers the public studies actually support, and where "just add UGC" gets oversold.
- Industry playbook
How to vet a creator: audience authenticity, engagement, and the fake-follower problem
On a typical account, roughly a fifth of followers are fake or inactive. Here is how to read the signals that separate a real audience from an inflated one, before you pay, with the four checks that catch most of it.
