- A Google review is personal data, so data protection rules like the GDPR apply to it.
- Google is the data controller for reviews hosted on its platform, and it handles erasure requests under the "right to be forgotten" (Article 17).
- You cannot delete a review just because it is negative, but individuals can ask Google to remove personal data in certain cases.
- When you collect reviews yourself, keep it clean: a lawful basis, a clear privacy notice and an easy opt-out. An NFC plate that sends customers straight to Google keeps your own data handling to a minimum.
The GDPR applies to Google reviews because a review is personal data: it identifies the reviewer, and it can name your staff too. If you serve customers in the EU or UK, that means obligations around how you collect and handle review-related data, although Google itself acts as the data controller for the reviews hosted on its platform. This article is general information to help you understand the landscape, not legal advice for your specific situation.
Why a Google review counts as personal data
Data protection law turns on one question: does the content relate to an identifiable person? A Google review usually does. It carries the reviewer's name and often their photo, and the text may name an employee ("Sarah at the front desk was fantastic"). Both the reviewer and any named staff member are data subjects, which is why the GDPR is in play the moment a review exists.
Personal data is any information relating to an identified or identifiable individual. A name, a photo, or a comment about a specific person all qualify.
Who is responsible: Google as data controller
For reviews published on Google, Google is the data controller. European courts settled this years ago: because Google collects and manages the data, it must handle requests to remove personal information under certain conditions. That is why removal requests for a review's personal data go through Google's own process, not yours. It also means you, as a business, cannot simply erase a review you dislike. Genuinely policy-violating reviews can be reported to Google, but disagreement is not a valid ground, and understanding anonymous Google reviews helps clarify what is and is not removable.
The right to erasure, in plain terms
Article 17 of the GDPR gives individuals a right to erasure, also called the right to be forgotten. A person can ask for their personal data to be deleted when it is no longer necessary, when they withdraw consent, or when it was processed unlawfully, and the controller must respond within one month. The right is not absolute: it does not apply where data must be kept for a legal obligation. One useful nuance for businesses is that companies generally cannot use this right to delist results tied to their corporate name, since the protection is built for individuals' personal data, not for a business reputation.
A customer can ask Google to remove their own review or personal data. A business cannot use the right to erasure to wipe unflattering but legitimate reviews about itself.
What GDPR means when you collect reviews yourself
The rules bite hardest where you handle customer data directly, for example when you email or text people asking for a review. In that case you are processing personal data and need the basics in order: a lawful basis such as consent or legitimate interest, a clear privacy notice explaining what you collect and why, and a simple way to opt out. Handling replies is part of it too, since a public response can expose customer details if you are careless. Our guide on replying to reviews shows how to respond without oversharing.
- Do tell customers, in a short privacy notice, how you will use their contact details.
- Don't add customers to marketing lists off the back of a review request without a basis.
- Do make opting out of review reminders effortless and honor it immediately.
- Don't reveal private order details or a customer's identity in a public reply.
Why NFC collection keeps your data handling light
The cleanest approach is to hold as little personal data as possible, a principle the GDPR calls data minimization. This is where an NFC review plate or card has a quiet advantage. When a customer taps it, they land directly on Google's own review page and submit the review to Google, not to you. You never store their contact details, their draft or their identity, because the whole exchange happens on Google's platform. Our review cards work exactly this way, which sidesteps most of the data-handling burden that comes with email or SMS campaigns.
One tap sends your customer straight to Google's review page. You get the review, and you never have to store their personal details.
GDPR, CCPA and the rest of the world
If your business is in the United States, the closest equivalent is California's CCPA, which gives residents comparable rights to know about and delete their personal data. The GDPR still reaches you if you offer goods or services to people in the EU or monitor their behavior, regardless of where your company sits. The practical takeaway is the same under either regime: be transparent, keep only what you need, and never try to buy or fake your way to a better rating. On that last point, our piece on whether buying reviews is legal explains why authentic collection is the only safe route.
Bottom line
Google reviews sit squarely inside data protection law because they are personal data, but the burden is lighter than it sounds. Google carries the controller responsibility for reviews on its platform, individuals hold the right to erasure for their own data, and your job is to collect reviews honestly and handle any customer data you touch with care. Sending customers straight to Google with a tap is the simplest way to grow your reputation while keeping your own data footprint close to zero.
Can a customer force me to delete their Google review?
Not from you directly, because the review lives on Google's platform, and Google is the data controller. A customer can edit or delete their own review, or ask Google to remove their personal data under the right to erasure. As the business, you can report reviews that break Google's policies, but you cannot delete a genuine review yourself.
Does GDPR apply to my US business?
It can. The GDPR reaches any business, wherever it is based, that offers goods or services to people in the EU or monitors their behavior. If your customers are purely in the US, California's CCPA and similar state laws are the more relevant frameworks. Either way, transparency and data minimization are the safe defaults.
Can I ask customers for reviews by email under GDPR?
Yes, if you do it properly. You need a lawful basis such as consent or legitimate interest, a clear privacy notice, and an easy opt-out that you honor. Avoid repurposing review-request contacts for unrelated marketing without a separate basis. Sending customers to Google via an NFC tap avoids most of this, since you never collect their contact details.
Is a reviewer's name personal data?
Yes. A name, on its own or with a photo, relates to an identifiable individual, which is the definition of personal data. The same applies to an employee named in a review. That is why the GDPR governs reviews, and why any data you collect around them should be handled transparently and kept to what you actually need.