
GDPR, consent and UGC

UGC shows identifiable people, so it is personal data under GDPR. A defensible programme records scoped permission, honours removal requests, and minimises what it holds.

The cookie banner is not a consent record. The DM that says 'yes you can use it' is not a consent record. The Instagram tag is not a consent record. None of the three would survive a regulator walking through your data on a site visit, and closing that gap is what the workflow below is for.

UGC rights conversations usually stop at copyright: who owns the photo. But a customer photo or video also contains something else: an identifiable person. Under GDPR and comparable regimes, that brings data-protection obligations alongside the copyright ones.

Is UGC personal data?

An image of an identifiable individual is personal data. Publishing and storing it is processing that data. None of this makes UGC unusable (businesses process personal data lawfully every day), but it does mean a UGC programme has to be built with data protection in mind, not only copyright.

Why do you need two permissions, not one?

Copyright permission says you may use the content. Data-protection law adds that the person should understand and agree to how their personal data is used, and that they keep rights over it afterwards. A good rights request does both at once: it spells out what the content will be used for, which is exactly what informed agreement needs. Our UGC rights and permissions guide covers how to word a request that satisfies both at the point of collection.

What does GDPR mean for UGC in practice?

  • Be clear at the point of permission about how and where the content will be used.
  • Keep a record of the permission, tied to the asset and the person.
  • Honour removal requests: if a person asks for their content to be taken down, have a process to do it.
  • Minimise: do not hold UGC, or the data around it, longer or wider than you need.

| Question | Copyright permission | Data-protection consent |
|---|---|---|
| What it covers | The right to use the work | How a person’s data is processed |
| Who holds the right | The content creator | The identifiable individual shown |
| Can it be withdrawn? | Per the licence terms | Yes, including erasure in many cases |
| What you must keep | The licence record | Scoped consent + removal process |

Copyright permission versus data-protection consent.

The harder edge case is when a creator deletes the original post after you have featured it. That is where holding your own copy and record matters: we cover it in what happens to your gallery when a creator deletes the original.

Sources & notes

  1. European Commission, GDPR overview · Personal data and processing obligations.
  2. UK ICO, guidance on images and personal data · When images count as personal data.
  3. Note · Practical guidance, not legal advice; confirm with a data-protection specialist in your market.

More from Rohin Aggarwal
