In brief

In insurance, online reviews weigh on the purchase decision even more than elsewhere, but the model that works for e-commerce does not transfer. The difference is not the widget or the number of stars, it is the customer's data and the way the judgement is collected. For an insurance company, compliance is played out in two distinct steps. The first is choosing the platform most compliant with the regulations, the second, the one almost no one owns, is making its own collection compliant. And the platform does not take that second step for you, because it has neither the interest nor the audit tools.

The weight of a review, in insurance, is higher than elsewhere for two specific reasons. It is a high-distrust purchase: the customer pays today for a future promise and fears the moment of the claim, so social proof counts for more precisely because the product is intangible and the relationship rests on trust. And it is often a comparison-driven, low-loyalty purchase, motor insurance above all, where the score is one of the first filters of choice. In companies that sell online, or whose business is largely online, this translates directly into conversion. And the more the score weighs on the sale, the more a non-representative collection becomes a problem, commercial and regulatory alike.

The first step, choosing the most compliant platform

Not all platforms treat data, moderation and publication in the same way. The assessment moves on two distinct regulatory planes. The first is data protection, the UK GDPR and sector rules, and concerns the transfer of the customer's data to a third party. The second is consumer protection, the Digital Markets, Competition and Consumers Act 2024, in force since 6 April 2025, which concerns the way reviews are collected and presented, and which reaches the aggregate score itself, defined by the Act as consumer review information. On these two planes, the main and most evident criteria are three, without claiming to be exhaustive.

The transfer of data. Here the insurer starts with a constraint that e-commerce does not have. An insurer's perimeter for communicating customer data is closed and grounded in law: the FCA, reinsurers, loss adjusters, intermediaries, fraud and credit databases. A review platform sits outside it, so the transfer is a further, discretionary, marketing-purpose operation. It needs its own legal basis, and for a public review that generates a score the correct basis is consent (Article 6(1)(a) of the UK GDPR), not legitimate interest, which only holds for an internal satisfaction survey. The minimisation principle (Article 5(1)(c)) further requires transmitting the minimum necessary, an email and a pseudonymised policy reference, never data revealing the line or the cover. For health or protection policies the contact alone can reveal health data (Article 9), and then explicit consent is required. To this are added the Data Protection Act 2018 and the oversight of the ICO, which is the reason an insurance DPO, as a rule, does not pass customer data to a third party.

The invitation method. Even the methods that best protect privacy can open the door to manipulation. The brand-generated link, even with the customer's data encrypted, and the generic public link do not require passing customer data to the review platforms, and on the privacy side that is an advantage. The flip side is that the brand distributes them, deciding who to send them to and when, so it could easily solicit only satisfied customers and only in the most favourable phases of the relationship. The score that results no longer represents the real experience, but only its best part. An insurer that wants to be compliant must ask not only whether the method protects the data, but whether the collection represents the whole customer experience, not only satisfied customers and not only the most favourable moments.

Moderation and presentation. Under the Act the treatment of reviews must be transparent and non-discriminatory. Some platforms suspend negative reviews, from one to three stars, for a mediation period, while positives are published much faster. Even when disclosed, this asymmetric treatment is not enough to make the collection compliant, because if it systematically delays or reduces negative reviews it alters the score the consumer sees at that moment, and during mediation the brand can induce the customer to withdraw or amend the judgement. Transparency softens the problem, it does not remove it. A widget showing only five-star reviews is selective presentation, potentially misleading. And AI-suggested review text, which the user merely accepts, erodes the authenticity the law requires. These are the signals a brand must be able to read before signing.

The second step, making the collection compliant

Choosing the right platform is necessary but not sufficient, because compliance is not a property of the platform, it is a property of the process by which that single brand collects. And on that process the platform does not intervene, for two structural reasons.

It has no interest. The business model of a review platform rewards volume and high scores, more reviews, higher scores, more perceived value of the service. A selective collection that inflates the score goes in the same direction as its revenue, not against it.

It has no tools. The platform is at once the party that collects and the party that should attest that the collection is correct, it is judge in its own cause, and no internal audit can credibly certify what the auditor itself produces. The compliance of the collection is, by definition, an examination the collector cannot perform.

The result is visible across the sector, where large online insurers often show a high public score, above four stars out of five, that finds no match in the real perception of the service, not because the service is excellent, but because the collection, though formally privacy-compliant, is not representative. And it is precisely a non-representative score that regulators sanction. Under the DMCC Act the CMA can determine a breach without recourse to the courts and impose fines of up to 10% of global annual turnover, and for a blacklisted practice it does not need to prove that a single consumer was misled: the conduct alone is the breach.

Why an independent party, separate from the platform, is needed

If the platform cannot attest its own collection, the verification must come from an external party, independent of both the platform and the brand, someone who does not collect reviews, does not sell them and does not process the customer data, and who therefore has no interest in the result. It is the same logic by which accounts are not certified by whoever prepares them, but by an independent auditor.

An independent party can analyse a brand's reputational profile from public sources alone, without accessing internal systems, and assess what the platform does not attest: whether the collection process is representative and whether the published score reflects the real experience of customers. There is also a second regulator in the room for a UK insurer: the FCA Consumer Duty, in force since July 2023, requires firms to deliver good outcomes for retail customers, including communications that are fair, clear and not misleading, so a score that overstates genuine service quality engages the Consumer Duty as well as the DMCC Act. This is the space in which Fametrue, with Famecert operates.

The correct sequence, for an insurer, therefore stays double. First you choose the most compliant platform, on data, on moderation and on presentation, then you make the collection compliant and have the result verified by a party that has no interest in inflating it.

Frequently asked questions

What legal basis is needed to transfer an insurance customer's data to a review platform in the UK?
For a public review that generates a score the correct basis is consent (Article 6(1)(a) of the UK GDPR), not legitimate interest, which only holds for an internal satisfaction survey. The minimisation principle (Article 5(1)(c)) requires transmitting the minimum necessary, an email and a pseudonymised policy reference, never data revealing the line or the cover. For health or protection policies the contact alone can reveal health data (Article 9) and explicit consent is required. The Data Protection Act 2018 applies and the ICO is the supervising regulator.

Why does a high score on a review platform not guarantee an insurer's compliance?
Because a high score can be the result of a collection that is privacy-compliant but selective, steered towards satisfied customers and favourable moments in the relationship. The score then represents only the best part of the experience, not the whole customer base. Under the DMCC Act 2024 the published score is itself in scope, so a non-representative collection is exposed even when every individual review is genuine.

Can a review platform certify the compliance of an insurer's collection?
No. The platform is at once the party that collects the reviews and the one that should attest they are correctly collected, so it is judge in its own cause. Its business model also rewards volume and high scores, the same direction as a selective collection. The compliance of the collection is, by definition, an examination the collector cannot perform, and it requires an independent third party.

What is the difference between the brand-generated invitation link and transferring data to the platform?
The brand-generated link, even with encrypted data, and the generic public link do not require transmitting customer data to the platform, which on privacy is an advantage. The flip side is that the brand distributes them, deciding who to invite and when, and can solicit only satisfied customers at the most favourable moments. A method that protects the data does not therefore guarantee a representative collection.

Is the asymmetric treatment of negative reviews compliant with the DMCC Act?
It is not enough to make the collection compliant, even when disclosed. If a platform suspends negative reviews from one to three stars for a mediation period while publishing positives quickly, it systematically delays or reduces dissent and alters the score the consumer sees at that moment. Under the Act the treatment of reviews must be transparent and non-discriminatory, and transparency softens the problem but does not remove it.

Why does a review weigh more in the insurance sector than in others?
For two reasons. It is a high-distrust purchase: the customer pays today for a future promise and fears the moment of the claim, so social proof counts for more because the product is intangible. And it is often a comparison-driven, low-loyalty purchase, motor insurance above all, where the score is one of the first filters of choice. The more the score weighs on the sale, the more a non-representative collection becomes a commercial and regulatory problem.

Read also: The DMCC Act banned fake reviews in the UK, and the aggregate score is in scope too.

This article is for information purposes and does not constitute legal advice. For a binding legal assessment you should consult a qualified professional.

Official sources
Digital Markets, Competition and Consumers Act 2024 — legislation.gov.uk CMA — Fake reviews guidance (CMA208), GOV.UK Data Protection Act 2018 — legislation.gov.uk FCA — Consumer Duty

Fametrue SRL · VAT 04396951206
© Fametrue 2026. All rights reserved.

Back to the Observatory