GDPR, consent and UGC
UGC shows identifiable people, so it is personal data under GDPR. A defensible programme records scoped permission, honours removal requests, and minimises what it holds.
The cookie banner is not a consent record. The DM that says 'yes you can use it' is not a consent record. The Instagram tag is not a consent record. None of the three would survive a regulator walking through your data on a site visit, and closing that gap is what the workflow below is for.
UGC rights conversations usually stop at copyright: who owns the photo. But a customer photo or video also contains something else, an identifiable person, and under GDPR and comparable regimes that brings data-protection obligations alongside the copyright ones.
Is UGC personal data?
An image of an identifiable individual is personal data. Publishing and storing it is processing that data. None of this makes UGC unusable; businesses process personal data lawfully every day. But it does mean a UGC programme has to be built with data protection in mind, not only copyright.
Why do you need two permissions, not one?
Copyright permission says you may use the content. Data-protection law adds that the person should understand and agree to how their personal data is used, and that they keep rights over it afterwards. A good rights request does both at once: it spells out what the content will be used for, which is exactly what informed agreement needs. Our UGC rights and permissions guide covers how to word a request that satisfies both at the point of collection.
What does GDPR mean for UGC in practice?
- Be clear at the point of permission about how and where the content will be used.
- Keep a record of the permission, tied to the asset and the person.
- Honour removal requests: if a person asks for their content to be taken down, have a process to do it.
- Minimise: do not hold UGC, or the data around it, longer or wider than you need.
| Question | Copyright permission | Data-protection consent |
|---|---|---|
| What it covers | The right to use the work | How a person’s data is processed |
| Who holds the right | The content creator | The identifiable individual shown |
| Can it be withdrawn? | Per the licence terms | Yes, including erasure in many cases |
| What you must keep | The licence record | Scoped consent + removal process |
The harder edge case is when a creator deletes the original post after you have featured it. That is where holding your own copy and record matters: we cover it in what happens to your gallery when a creator deletes the original.
Sources & notes
- 1. European Commission, GDPR overview · Personal data and processing obligations.
- 2. UK ICO, guidance on images and personal data · When images count as personal data.
- 3. Note · Practical guidance, not legal advice; confirm with a data-protection specialist in your market.