Why You Need Written Consent for Client Photos (and How GDPR Applies)
Let’s start with a simple but important question:
👉 Are you GDPR compliant?
If you’re a business owner in the EU—or you work with clients in the EU—the answer needs to be yes. And if your first thought was “Uhh… I think so?”, then this post is for you.
I know GDPR can sound dry and overwhelming (hi, legalese 👋), but it’s actually about protecting your clients, your business, and your brand reputation. So let’s break it down in plain language, with real examples you’ll actually care about.
What Is GDPR, Really?
GDPR stands for General Data Protection Regulation. It's the EU's privacy law, applied since 25 May 2018, and it covers any business established in the EU (and the wider EEA) as well as businesses outside the EU that offer goods or services to, or monitor the behaviour of, people who are in the EU.
It's all about how you collect, store, share, and use personal data, which includes:
Names
Email addresses
Photos
Voice recordings
Testimonial quotes
IP addresses
Social media handles
Basically… anything that can identify a living person, on its own or combined with other data you hold
And yes—that means when you post a photo of a happy client, share a glowing testimonial, or collect email addresses through your website, you’re handling personal data.
Who Needs to Be GDPR Compliant?
GDPR applies to you if you're established in the EU, or you're outside the EU but offer services to, or track, people who are in the EU. In practice, that means yes, you're legally required to comply if:
✅ You're based in the EU (or the wider EEA)
✅ You work with clients who are in the EU
✅ You collect personal data through your website or online systems (contact forms, email sign-ups, analytics)
✅ You share client content (photos, testimonials, etc.) on your website or social media
Spoiler: That’s most of us.
Even if you’re not a tech company or selling data—if you run a service-based business and communicate online, you’re working with personal data. Period.
What Does GDPR Actually Require You to Do?
Here’s the simplified version of what GDPR expects:
✅ Ask for clear, written consent
GDPR doesn't literally say "written", but it does say consent has to be freely given, specific, informed, and unambiguous, and that you must be able to demonstrate it later (Article 7). In practice, that means a signed release or a clear email reply, stored where you can find it, before you use a client's photo, testimonial, or other identifiable data for marketing. Be specific about where the content will appear (website, Instagram, paid ads), and remember that a client can withdraw consent at any time, so you need to be able to take content down when they do.
✅ Tell people how you’ll use their data
You can’t collect data and keep it a mystery. If someone signs up for your email list, they need to know what they’re agreeing to.
✅ Allow people to opt out, withdraw consent, or request deletion
People have the right to access, correct, and erase their data, to object to marketing, and to withdraw consent as easily as they gave it. You need a process for handling those requests, and GDPR gives you one month to respond (Article 12), so decide now who checks the inbox and how content gets pulled from your website and social accounts.
✅ Keep their data secure
GDPR asks for security that's appropriate to the risk (Article 32). No tossing client info into random Google Docs, sharing screenshots in open Slack channels, or leaving your consent-form spreadsheet shared with "anyone with the link". Limit access to the people who actually need it, delete what you no longer need, and know that if client data is exposed you may have to report the breach to your data protection authority within 72 hours (Article 33).
✅ Have a clear, accessible privacy policy on your website
This should outline what you collect, why, and how it’s stored. It also needs to be written in clear language—not legal gibberish.
What Happens If You’re Not Compliant?
Best case? A client asks you to take something down, and you do it the same day.
Worst case? A complaint lands with a data protection authority, which can investigate and fine you. The legal ceiling is €20 million or 4% of worldwide annual turnover, whichever is higher (Article 83). Fines are scaled to the seriousness of the breach and the size of the business, but the reputational damage from using a client's photo or testimonial without consent is real whatever the number.
Even if no one comes knocking, clients pay attention to how you handle their info. Doing things by the book builds trust and positions your brand as credible and professional.
Not Sure Where to Start? I’ve Got Someone Who Can Help.
I know GDPR can feel overwhelming, especially if you're a solopreneur or small team. That’s why I’ve partnered with a Spain-based data protection consultant who helps small businesses set up GDPR-compliant systems without the overwhelm.
From privacy policies to cookie banners and consent forms—they’ll walk you through it in a way that actually makes sense. And yes, they speak both English and Spanish.
If you want an intro, just DM or email me. I’ll happily connect you.
Final Thoughts: GDPR Isn’t Optional—But It Doesn’t Have to Be Scary
Think of GDPR like insurance for your business reputation. It’s not about bureaucracy—it’s about respecting your clients and protecting your brand.
So yes, you can post that amazing client testimonial.
You can show off the results you’ve helped create.
You just need to get proper consent and handle it responsibly.
Need help setting things up? I’ve got resources. Let’s get you covered.