⚖Legal GuideApril 20, 2026·blogPost.legalAspectsReviewsUsEu.readTime min read

The Legal Landscape of Online Reviews: US vs EU in 2026

A practical breakdown of FTC rules, GDPR obligations, the Digital Services Act, and what every business owner needs to know before they touch their reviews.

Two jurisdictions. One problem. Fake reviews, suppressed criticism, coerced testimonials, and the legal grey zones around paid endorsements have forced regulators on both sides of the Atlantic to act — and they have done so in very different ways. If your business collects, displays, or responds to online reviews, you are now operating under a patchwork of overlapping laws that can expose you to penalties ranging from $51,744 per FTC violation in the United States to GDPR fines of up to €20 million or 4% of global annual turnover in the EU. This guide maps the terrain — without hyperbole, without simplification — so you know exactly where the lines are.

American review law is not one statute. It is a layered system of federal rules, a 2016 consumer rights law, and a 2024 FTC rulemaking that finally gave regulators the penalty authority they had been lacking for years.

The Consumer Review Fairness Act of 2016 was the first major federal intervention. Signed by President Obama on December 14, 2016, it voided any non-negotiable form contract provision that restricts, penalizes, or requires consumers to assign their intellectual property rights in reviews. In plain language: if your terms of service say "you agree not to leave negative reviews," that clause is unenforceable and the FTC can come after you.

But CRFA had a gap: it protected consumers' right to leave reviews, but it did not give the FTC authority to impose civil penalties for fake reviews. That changed in August 2024.

The FTC's 2024 Consumer Reviews and Testimonials Rule

Effective October 21, 2024, the FTC's final rule on Consumer Reviews and Testimonials (16 CFR Part 465) is the most comprehensive review regulation in US history. It establishes six core prohibitions — and attaches a $51,744-per-violation civil penalty to each one.

The six banned practices are: (1) creating or distributing fake reviews by nonexistent people or people without genuine product experience; (2) buying or selling reviews conditioned on expressing a particular sentiment; (3) posting insider reviews without disclosing the material connection; (4) soliciting family or employee reviews without transparent disclosure; (5) suppressing negative reviews through groundless legal threats, intimidation, or false accusations; and (6) buying fake social media engagement to misrepresent influence.

The rule explicitly covers AI-generated reviews. This was not boilerplate: the FTC recognized that the marginal cost of generating thousands of plausible-sounding fake reviews via large language models had dropped to near zero, and acted accordingly. On December 22, 2025, the FTC issued warning letters to 10 companies as its first enforcement step — a signal that the grace period is over.

The Sunday Riley Precedent

Before the 2024 rule existed, the FTC's most illustrative case was Sunday Riley Modern Skincare. Between 2015 and 2017, the company — at the CEO's explicit direction — had employees create fake Sephora accounts, use VPNs to mask their identities, and leave five-star reviews. A whistleblower leaked internal emails. The FTC settled in 2020, but controversially imposed no monetary penalty, drawing dissents from Commissioners Chopra and Slaughter who called it "egregious fake review fraud." The 2024 rule closed that loophole: the same conduct today would carry penalties in the millions.

The European Union's approach is structurally different from the US model. Rather than one rule for reviews, the EU has three separate legal instruments that interact: the GDPR governs how review data is handled; the Omnibus Directive (implemented via the UCPD) governs how reviews are presented and verified; and the Digital Services Act governs what platforms must do about fake reviews at scale.

Understanding which law applies to which actor is the first step. The GDPR applies to any organization handling personal data of EU residents — which includes data embedded in reviews. The UCPD applies to traders operating in the EU market. The DSA applies primarily to online platforms, with much stricter obligations for Very Large Online Platforms (VLOPs) with 45+ million EU users.

GDPR and the Right to Erasure of Reviews

Article 17 of the GDPR — the "right to be forgotten" — is one of the most frequently invoked rights against businesses hosting reviews. A reviewer in Germany can ask a business or platform to delete a review containing their personal data. The business has one month to respond. Failure to comply can trigger complaints to a national Data Protection Authority.

Here is the critical nuance that most guides miss: the right to erasure is not absolute. If a review contains personal opinions about the quality of professional services, courts and DPAs have repeatedly found that freedom of expression interests and the legitimate informational interest of future consumers can override an erasure request. The European Data Protection Board's 2025 Coordinated Enforcement Action specifically targeted inadequate erasure procedures — but it also clarified these competing interests.

What this means practically: if a plumber named Hans Schmidt leaves a one-star review that includes his full name and address, he can request erasure of his identifying information. But the business cannot be forced to delete the substance of a legitimate complaint simply because the reviewer changed their mind.

The Omnibus Directive: Verified Reviews Are Now Mandatory Disclosure

The 2019 Omnibus Directive — transposed into national law across EU member states by May 2022 — added a specific rule to the Unfair Commercial Practices Directive: traders must disclose whether and how they verify that reviews come from actual purchasers. If you claim reviews are verified and they are not, that is an unfair commercial practice subject to national enforcement.

Penalties under the UCPD as amended by the Omnibus Directive: member states must provide for fines of at least 4% of the trader's annual turnover, or at least €2 million when turnover cannot be determined. Italy, France, Germany, and the Netherlands have all launched investigations under these provisions.

The Digital Services Act: Platform Obligations Since February 2024

The DSA (Regulation EU 2022/2065) entered full force on February 17, 2024. For review platforms specifically, it introduced transparency and accountability requirements that go well beyond what any prior EU law demanded. VLOPs like Google, Tripadvisor, and Booking.com must implement systematic risk assessments for fake content, publish transparency reports on moderation actions, and provide researchers with data access.

The DSA's maximum fine for non-compliance is 6% of global annual turnover — and for repeated systemic violations, platforms can be temporarily suspended from operating in the EU. The European Commission opened its first non-compliance proceedings under the DSA in 2024, targeting X (formerly Twitter) over systemic content moderation failures.

A Strategic Lawsuit Against Public Participation (SLAPP) is a lawsuit filed not to win, but to intimidate. A restaurant owner who sues a critic for $50,000 over a one-star review is not really trying to collect $50,000 — they are trying to make the reviewer hire a lawyer and spend time defending themselves, knowing most people will simply delete the review and walk away.

This tactic is well-documented in a database maintained by the First Amendment organization FIRE: five hundred SLAPP cases were recorded in 2024 alone. Courts and legislatures have pushed back hard. As of 2025, 33 US states, the District of Columbia, and Guam have enacted anti-SLAPP statutes. In California, Texas, and Florida — three of the most economically significant states for small business — these statutes are robust and include fee-shifting provisions: if your lawsuit is deemed a SLAPP, you pay the reviewer's attorney fees.

The strategic calculus has shifted. A business that sues a reviewer in California under a defamation theory risks: (a) losing on the anti-SLAPP motion, (b) paying the reviewer's legal fees, and (c) generating far more negative publicity than the original review ever would have. Consumer rights attorneys call this the Streisand Effect of review litigation.

In the EU, the equivalent concern is addressed through the SLAPP Directive (Directive 2024/1069), which the European Parliament passed in April 2024. It targets primarily cross-border cases and requires courts to dismiss manifestly unfounded cases early in proceedings, with cost awards against the claimant.

Offering a customer a 10% discount in exchange for a review is not automatically illegal. But it becomes illegal — under both FTC rules and EU law — the moment you condition that benefit on the review being positive, or fail to disclose the material connection.

Under FTC rules, incentivized reviews require a "clear and conspicuous" disclosure in the review itself or immediately adjacent to it. The disclosure must be "unavoidable" on social media platforms and presented with equal prominence to the review content. A tiny asterisk at the bottom of a page does not qualify.

The EU Omnibus Directive adds a layer: if your platform displays ratings, you must tell users whether those ratings include verified purchases, unverified submissions, or incentivized content — and in what proportions. Presenting a 4.8-star average derived partly from incentivized reviews without disclosure is an unfair commercial practice.

The important distinction that many small businesses miss: you can ask for reviews. You can follow up with a post-purchase email. You can make the process easy. You cannot pay for positive sentiment, suppress negative content, or misrepresent the provenance of your ratings.

In the US, data retention for reviews is primarily governed by your own privacy policy and applicable state laws (California's CCPA being the most significant). There is no federal mandate on how long you must keep review data. But there is an obligation of consistency: if your privacy policy says you delete user data after two years, you cannot selectively retain reviews that are favorable.

Under GDPR, the principle of storage limitation (Article 5(1)(e)) requires that personal data not be kept longer than necessary for the purpose it was collected. For reviews, "necessary" is contested — but the EDPB's guidance suggests that reviews serving an ongoing commercial purpose (helping future customers make decisions) can be retained as long as they remain accurate and relevant.

The practical implication: a review from 2018 about a chef who left your restaurant in 2021 may no longer be accurate, and retaining it without review could expose you to both GDPR erasure requests and claims of misleading consumers. EU businesses should audit their review archives annually.

Knowing which regulator can come after you — and for how much — is essential for proportionate risk management. The enforcement landscape in 2026 is more complex than most compliance guides acknowledge.

Section 230 of the Communications Decency Act remains the bedrock of American internet law. Platforms like Google, Yelp, and Tripadvisor are not liable as publishers for user-generated reviews — they are treated as passive conduits. This is why a US business cannot sue Google for hosting a defamatory review; the lawsuit must be directed at the original reviewer.

The Supreme Court's 2023 decisions in Gonzalez v. Google and Twitter v. Taamneh declined to narrow Section 230 protections, leaving the basic framework intact. However, platforms lose this protection if they actively create or co-develop the problematic content — a fact that algorithmic amplification cases are increasingly testing.

In the EU, the DSA replaced the 2000 e-Commerce Directive's liability framework. Platforms that have "actual knowledge" of illegal content (including fake reviews) and fail to act expeditiously lose their immunity. This is a meaningful difference from Section 230: EU law creates a "notice and action" duty, while Section 230 contains no equivalent requirement.

For completeness, businesses serving UK customers face a distinct third regime. The Digital Markets, Competition and Consumers Act 2024 came into force with its fake review provisions on April 6, 2025. It explicitly lists fake reviews and undisclosed incentivized reviews as banned practices — automatically illegal, no need to prove they were "unfair" on a case-by-case basis.

The UK's Competition and Markets Authority (CMA) can fine businesses up to 10% of global annual turnover, or £300,000 — whichever is higher. Daily non-compliance fines of up to 5% of daily global turnover or £15,000 apply to persistent violations. The CMA launched five investigations in 2025 targeting Autotrader, Feefo, Dignity, Just Eat, and Pasta Evangelists.

Directors and managers can face personal liability for violations they knowingly permitted — a provision that has no direct parallel in the current US federal framework, where corporate veil protections are generally stronger.