Skip to main content

How CrowdRiff Helps UK & EU Destinations Stay GDPR-Compliant With User-Generated Content (UGC)

Including user-generated content (UGC) in your content strategy is one of the best ways to add authenticity to your marketing efforts, while also being one of the most effective ways to get travelers to book a trip to your destination.

Feedback from consumers says it all - recent studies found UGC video receives 12x the engagement of any other type, and 90% of consumers say authenticity is important when deciding which brands they like and support.

While destination marketing organizations (DMOs) are no stranger to using UGC, it’s important that they’re doing so with the right permissions and while protecting privacy rights. 

The UK and EU’s General Data Protection Regulation (GDPR) has added an extra step in DMO’s UGC workflow, but CrowdRiff has made it simple to make sure your organization is fully compliant.

There are eight fundamental rights under GDPR:

  • Right to information

  • Right to access

  • Right to withdraw consent

  • Right to object

  • Right to object automated processing of personal data

  • Right to be forgotten/erase data

  • Right for data portability

GDPR applies to any business that processes the personal data of EU citizens or residents, or if you offer goods or services to EU citizens or residents, even if you’re not based in the EU. 

UGC falls under GDPR because images are personal data that travelers are sharing which contains information about them. Basically, travelers have the right to know what data DMOs are collecting about them and how they’re doing so - Whether it's a crowded town square or a quiet park, when someone's face can be identified in an image, that counts as personal data. They also need to be able to know how the DMO may share that information with third parties and understand their right to require the DMO to delete all data collected about them. 

How destinations can get permissions to use UGC

Lucky for EU DMOs, there are many ways to acquire permissions for UGC without adding more work to your plate.

Remember that it’s always better to get explicit permission rather than implicit permission. For instance, you may use a branded hashtag to curate and encourage UGC and even state in your bio that using the hashtag grants permission for you to share. Despite this, a traveler could unknowingly use your hashtag without understanding they were implicitly granting you permission to also share their content. 

That’s why explicit permission is best practice - make sure you directly ask someone for permission to share content and, when hosting photo contests, ensure entrants have clearly been shown the terms and conditions that outline how you intend to use and share submissions. 

Visit Luxembourg is a great example of a DMO photo contest that clearly asked for permissions right when travelers were uploading photos for the contest.

CrowdRiff’s Collector also automatically secures rights to UGC, and our Advanced Rights Management (ARM) tool helps DMOs get rights to UGC visuals at scale. 

With Advanced Rights Management, DMOs can: 

  • Show the terms and conditions of their rights request on screen alongside the requested photos

  • Deliver a mobile-first, seamless user experience

  • Get rights to multiple photos at once

  • Manage and organize authorized content effortlessly

  • Apply custom branding: ARM can be custom branded with specific colors, logos and copy

Respecting a change in permissions is also important

Just as travelers enthusiastically grant permission to use their visuals, they may also eventually decide to revoke that permission. Your team’s process for handling change in permissions should be just as seamless as that for acquiring rights. 

Under GDPR, travelers have the right to request that you remove all content they gave you permission to use. Data permissions management can be quite involved and take a lot of time out of your day coordinating with other team members and departments to honor a deletion request. It may also require added expenses for systems to manage permissions and systems to manage visual assets. 

CrowdRiff also makes this part easy since we automatically store permissions from Instagram in our platform where you can quickly see which content you have permissions for and when someone requests a change in permissions. The platform also handles any and all data deletion requests so you don’t have to - phew!

Some solutions might help you track your unique hashtag, but leave it up to you to manage permissions. With so much incredible UGC out there, the last thing you need is to have to manage all of those permissions and loop your colleagues or other departments to help remove content with revoked permissions.

“Because we have explicit permission from the person that took the photograph to use it, we know that we're not accidentally using something that belongs to someone else,” says Eleanor Taylor, Tourism Content and Digital Officer for Experience Wakefield. “Additionally, those permissions are then stored on CrowdRiff’s servers, which we know are removed from our website, so it helps us feel more secure. It means we don't have to keep a list of consents anywhere on the council's servers, which presents its own problems with keeping that data secure.” 

Respecting your audience’s data privacy builds trust in your brand

GDPR and other international privacy laws have forced destinations to protect user data and be more transparent about how it’s used. But data privacy was already a major concern of many travelers long before these regulations took effect.

Using UGC in your marketing builds trust in your brand for your audience, so it makes sense to source UGC in a way that respects the privacy of the people who created it.

One study showed that 94% percent of consumers agree that transparency is the number one factor in brand loyalty. Your travelers should feel equally excited to see their images and videos shared about your destination as you are.

Check out our Europe and UK DMOs page to see all the ways CrowdRiff is helping EU DMOs get permissions for UGC and make their visuals go further.

Learn how DMOs in Europe and the UK are leveraging UGC to boost their marketing programs with CrowdRiff

CrowdRiff’s terms of service outline the internal controls we use to ensure we meet all GDPR requirements and that we have processes in place for managing personal data. 

We also have Data Processing Agreements (DPA) with every CrowdRiff customer which govern the relationship between the customer (the data controller) and CrowdRiff (the data processor) and ensure our compliance with EU data protection law.

Want to learn more about our commitment to GDPR and what you can do to remain compliant?  Check out our FAQs below! 

What is GDPR?

The General Data Protection Regulation (GDPR) is a component of EU privacy law and of human rights law that aims to strengthen the security and protection of personal data in the EU and harmonize EU data protection law. It also addresses the transfer of personal data outside of the EU and the EEA.

Is CrowdRiff GDPR compliant?

Yes.  Every instance where private information is collected, users have access to the terms and conditions outlining how we use, process, and protect their information. Our terms of service outline the internal controls we use to ensure we meet all the requirements set out by the GDPR and that we have processes in place for managing personal data. 

In addition, we have Data Processing Agreements with every CrowdRiff’s customer ensuring compliance with the obligations under EU data protection law. 

What is a Data Processing Agreement (DPA)?

Data Processing Agreements govern the relationship between the customer (acting as a data controller) and CrowdRiff (acting as a data processor). The DPA facilitates CrowdRiff’s customers’ compliance with the obligations under EU data protection law and contains strong privacy commitments, and has been updated to confirm our compliance with the GDPR. 

Our DPAs use the Standard Contractual Clauses (SCC) issued by the Council of the European Union to ensure the proper legal mechanisms are in place guaranteeing that the recipient will protect all personal data.

What are Standard Contractual Clauses (SCCs)?

SCCs are a key way to ensure the lawful and secure transfer of personal data from within the European Economic Area (EEA) to "third countries" (non-EEA countries). An SCC makes the transfer of data into a legally-binding agreement containing clauses guaranteeing that the third-country recipient will protect the personal data.

As a European DMO, can we store content on servers outside of the EU and remain GDPR compliant?

Yes you can. The DPA contains data transfer frameworks to ensure that our customers can lawfully transfer personal data to CrowdRiff outside of the EU by relying on the Standard Contractual Clauses (SCC) outlined in the GDPR.

How does CrowdRiff help me and my team stay GDPR compliant?

At CrowdRiff, we continually review our privacy and data security processes to ensure our compliance with GDPR and encourage all of our customers to do the same.  As a Data Controller, customers also bear the responsibility for ensuring that their processing of personal data is compliant with EU data protection law.

Where are the Data Processing Agreements (DPAs) with our sub-vendors?

Annex 2 in our Data Processing Agreement shows a list of permitted sub-processors with Data Processing Agreements. 

What are my GDPR consent obligations for content that I bring into CrowdRiff from third-party providers (Instagram, etc.)?

As the Data Controller, you are responsible for ensuring that you have the necessary consent (by obtaining rights) from end-users to use their content. 

What is personal data?

Personal data is any information which can be related to an identified or identifiable natural person. For example, telephone and credit card numbers, as well as email addresses are all considered personal data. 

How does CrowdRiff collect personal data?

CrowdRiff collects personal data when a user signs up for Media Hub, connects an account with advanced tracking, or submits content through a collector. In every scenario, users are required to acknowledge they have read CrowdRiff’s privacy policy outlining our obligations to GDPR compliance. 

Is UGC considered personal data?

If you can identify a natural person from an image, then it would be considered personal data. However, if a person in an image is unidentifiable, then it would not be considered personal data. 

How can I show people in my UGC and be GDPR compliant? 

To be GDPR compliant, you can’t directly show an identifiable face in your UGC. Some best practices for featuring people and ensuring GDPR compliance is to use UGC:

  • That has people shot from a distance

  • That has people shot from the side

  • That has people shot from behind

  • That shows people wearing masks (scuba divers, etc.)

  • That shows an obstructed view of a face (a person holding something blocking their face)

 

Just remember, if you are using an image with a face that could be recognized, then it’s personal data. 

What if I want to use a piece of UGC with an influencer in it?

If you plan to use a piece of UGC where you know the individual in the visual is also the owner, then you may use it if you obtain consent through a rights request. By requesting rights, you are asking permission to use the visual and informing the person on how you plan to use it. Since, you are ‘signifying an agreement to the processing of personal data relating to the individual in question’ then under GDPR, this is considered consent. 

How does GDPR impact existing CrowdRiff customers?

Existing customers who follow best practices when acquiring and using UGC will remain GDPR compliant. Here is an example gallery from Visit Europe. They’ve acquired the rights for every image they plan to use. They also use best practices when displaying personal data by not showing identifiable faces. 

How does CrowdRiff honor a request from an end-user (non-customer) to delete their personal data?

If we receive a request from an end-user, such as an individual whose UGC has been uploaded to the CrowdRiff platform, we will promptly contact our customer (the Data Controller) who has access to the personal data, and request they delete it. 

What is the process if a customer asks to delete their user data?

If a customer requests that their data be deleted, they can make a request to our support team. We then proceed to delete all of the customer’s user data.

How can a customer export their user data?

If a customer would like all of their data exported, they can submit a request to our support team. Depending on the size of the data, their data will be exported, compressed, and sent to the customer. 

What do we do to ensure personal data is secure and encrypted?

All user data (emails, passwords) is encrypted in transit using industry-standard best practices.

What if I have additional questions?

If you have any additional questions contact sales@crowdriff.com. If you’re an existing customer, contact your CSM.