Legal Considerations When Responding to Reviews

Avoid costly legal mistakes when responding to reviews. HIPAA, defamation, privacy laws, and the Consumer Review Fairness Act explained for business owners.

HeyThanks Team
12 min read
Quick Answer: The key legal considerations when responding to reviews are: never reveal private customer information; if you are a healthcare provider, never confirm a patient relationship (HIPAA); never threaten legal action publicly; and know that the Consumer Review Fairness Act prohibits restricting honest reviews. According to the HHS Office for Civil Rights, HIPAA violation fines can range from $50,000 to $240,000. When in doubt, use generic responses that invite offline discussion.

Key Takeaways

  • According to the FTC, the Consumer Review Fairness Act makes it illegal to use contracts that restrict customers from posting honest reviews
  • According to Paubox's analysis of HHS enforcement, HIPAA violation fines for revealing patient information in reviews range from $50,000 to $240,000
  • According to defamation law, opinions ("This place sucks") are protected speech; false factual claims ("They stole my credit card") may be actionable
  • According to the FTC, you cannot offer incentives specifically for positive reviews—only for reviews in general with disclosure
  • Legal action against reviewers often backfires through the "Streisand Effect," drawing more attention to negative content

What are the legal considerations when responding to reviews? The answer is that review responses are published statements with legal weight—treat them accordingly. According to the FTC, the Consumer Review Fairness Act prohibits restricting honest reviews, while HIPAA can result in fines up to $240,000 for healthcare providers who reveal patient information. The safest approach: keep responses general, take specifics offline, never reveal private information, and never threaten legal action publicly.

A dentist responds to a negative review by mentioning the patient's missed appointments. A restaurant threatens to sue a customer over a bad review. A salon includes photos of a customer's service in their response.

All of these businesses just made potentially costly legal mistakes.

Review responses feel informal—like a conversation. But they're published statements that can expose your business to liability. Understanding the legal boundaries helps you respond effectively without putting yourself at risk.

This guide isn't legal advice (consult an attorney for your specific situation), but it covers the key legal considerations every business owner should know.

The Consumer Review Fairness Act

According to the Federal Trade Commission, in 2016 Congress passed the Consumer Review Fairness Act (CRFA) to protect consumers' rights to share honest opinions about businesses.

What the Law Prohibits

The CRFA makes it illegal for businesses to use contracts that:

  • Restrict customers from posting honest reviews (positive or negative)
  • Penalize customers for leaving reviews (fees, legal threats, etc.)
  • Require customers to give up their intellectual property rights to their reviews

Why This Matters

If your terms of service, contracts, or policies include language that restricts reviews, you're violating federal law.

Illegal provisions include:

  • "Customer agrees not to post negative reviews online"
  • "Any negative online comments will result in a $500 fee"
  • "Customer transfers copyright of all reviews to the business"

The FTC can and does enforce this. Businesses have been fined for including anti-review clauses in their contracts.

What You CAN Do

The CRFA doesn't prevent you from:

  • Responding to reviews (within legal limits)
  • Flagging reviews that violate platform policies
  • Taking action against clearly defamatory content (through proper legal channels)
  • Asking satisfied customers to leave reviews (without coercion)

HIPAA and Healthcare Reviews

According to Paubox's analysis of HIPAA compliance in online review responses, healthcare providers face unique restrictions due to the Health Insurance Portability and Accountability Act (HIPAA).

What's Protected

HIPAA protects "Protected Health Information" (PHI), which includes:

  • Patient identity (confirming someone is your patient)
  • Medical conditions and diagnoses
  • Treatment details
  • Appointment history
  • Payment information
  • Any individually identifiable health information

The Problem with Review Responses

When a patient leaves a negative review, your natural instinct is to explain what really happened. But doing so may require revealing PHI.

HIPAA violation:

"We're sorry about your experience. As your records show, you missed three follow-up appointments, which may have contributed to the complications you experienced with your anxiety medication."

This response:

  • Confirms they're a patient
  • Reveals appointment history
  • Discloses medication information

Each of these is a potential HIPAA violation.

According to Paubox's analysis, the HHS Office for Civil Rights has issued fines ranging from $50,000 to $240,000 for HIPAA violations in review responses.

How to Respond Safely

Use generic responses that don't confirm the patient relationship:

"We take all feedback seriously and strive to provide the best care possible. We invite anyone with concerns to contact our office directly at [phone] so we can discuss privately."

"Thank you for your feedback. Due to privacy regulations, we cannot discuss individual cases online. Please reach out to our office if you'd like to talk about your experience."

Key principles:

  • Never confirm or deny they're a patient
  • Never reference treatment, appointments, or medical details
  • Never share diagnostic information
  • Always direct to private communication

The Patient Who Shares Their Own Information

What if the patient reveals their own medical information in their review?

You still can't respond in kind. Even if they mention their diagnosis, treatment, or conversations with you, responding with additional details is still a violation.

The safest approach is always a generic response that invites offline discussion.

Defamation: When Reviews Cross the Line

Not all negative reviews are defamatory. In fact, most aren't.

What Constitutes Defamation

For a review to be legally defamatory, it must include:

  1. A false statement of fact (not opinion)
  2. Published to a third party (posted publicly)
  3. Causing damage to your business or reputation
  4. Made with fault (negligence for private figures, actual malice for public figures)

Opinion vs. Fact: The Critical Distinction

Protected opinion:

  • "This place sucks"
  • "Worst experience ever"
  • "I would never recommend them"
  • "The food was terrible"

Potentially defamatory (if false):

  • "They committed fraud"
  • "The owner is a drug dealer"
  • "I got food poisoning from eating here"
  • "They stole my credit card information"

The key is whether the statement can be proven true or false. Opinions can't be—facts can.

Before You Sue: Reality Check

Even if a review is defamatory, legal action is often a poor choice:

Challenges:

  • Cost: Legal fees can easily reach $10,000-$50,000+
  • Anonymity: You may not know who wrote the review
  • Burden of proof: You must prove the statements are false AND that you were harmed
  • Streisand Effect: Lawsuits often draw more attention to the negative content
  • Counterclaims: The reviewer may countersue

Better options often include:

  • Flagging the review for platform removal
  • Responding professionally to present your side
  • Building positive reviews to dilute the impact
  • Consulting an attorney for a cease and desist letter (less expensive than litigation)

Consider pursuing legal remedies when:

  • The review contains clearly false statements of fact
  • You can prove significant financial damage
  • You can identify the reviewer
  • Platform removal has failed
  • The damage justifies the cost

Always consult with an attorney who specializes in defamation law before proceeding.

Privacy Laws and Customer Information

Don't Reveal Private Information

Even outside healthcare, sharing customer information in review responses can create legal problems.

Problematic responses:

"Based on your account history, you've complained and received refunds seven times this year."

"Our records show you visited at 2:37 PM on January 15th and were served by Amanda."

"The credit card transaction shows you were only charged $47.50, not $52 as you claimed."

These responses reveal information that customers may consider private, potentially violating:

  • State privacy laws (especially in California, Colorado, Virginia, and other states with consumer privacy legislation)
  • Your own privacy policy
  • Customer expectations of confidentiality

The Right Approach

Instead of:

"Your transaction history shows this is your fifth complaint in 2024."

Say:

"We'd like to understand what happened. Please contact us directly at [email] so we can look into this."

Take the specifics offline where you can discuss details privately.

FTC Guidelines on Reviews and Endorsements

According to the Federal Trade Commission's advertising guidelines, specific regulations govern how businesses can solicit and use reviews.

Incentivized Reviews

You cannot offer incentives specifically for positive reviews. That's considered deceptive.

Illegal:

  • "Leave us a 5-star review and get 10% off your next visit"
  • "Post a positive review to enter our prize drawing"

Legal (with proper disclosure):

  • "Leave us a review (any rating) and get 10% off your next visit"
  • BUT: The reviewer must disclose the incentive in the review

Platform policies matter too. Google and Yelp prohibit incentivized reviews entirely, regardless of disclosure. Violating their policies can get your business penalized or removed.

Fake Reviews and Astroturfing

Creating fake positive reviews—or paying others to do so—is illegal under FTC rules.

This includes:

  • Writing reviews for your own business
  • Having employees write reviews (without disclosure)
  • Paying for positive reviews
  • Trading reviews with other businesses
  • Using review-generation services that create fake reviews

The FTC has taken enforcement action against businesses engaging in these practices.

Using Customer Reviews in Marketing

If you use customer reviews in advertising:

  • You must have permission to use identifiable information
  • The review must reflect a genuine customer experience
  • Any material modification must be disclosed
  • You should have documentation of the reviewer's identity and permission

Always Safe

  • Thank them for feedback
  • Apologize for their experience (not admitting fault)
  • Invite them to contact you privately
  • State your general commitment to quality
  • Sign with your name and title

Sometimes Risky

  • Correcting factual errors (can escalate or reveal information)
  • Referencing their specific purchase or visit
  • Mentioning staff members by name
  • Offering specific compensation publicly

Always Risky

  • Threatening legal action
  • Revealing private customer information
  • Disclosing protected health information (HIPAA)
  • Accusing the reviewer of lying (even if they are)
  • Name-calling or personal attacks
  • Revealing the reviewer's identity if posted anonymously

A Safe Response Template

This template works for most situations:

"Thank you for taking the time to share your feedback. We're sorry to hear your experience didn't meet expectations, and we'd like to learn more about what happened. Please contact us at [email/phone] so we can discuss this directly and make things right. — [Your name], [Title]"

This response:

  • Shows you're responsive
  • Doesn't admit fault
  • Doesn't reveal private information
  • Invites offline resolution
  • Presents you professionally

Special Situations

When the Reviewer Threatens You

If a reviewer threatens violence, extortion, or harassment:

  1. Document everything (screenshots)
  2. Report to the platform
  3. Consider reporting to law enforcement
  4. Consult an attorney
  5. Don't respond publicly

When You're Being Extorted

"Remove my negative review or I'll post more" is extortion.

  1. Don't comply
  2. Screenshot the threat
  3. Report to the platform
  4. Consider law enforcement involvement
  5. Don't engage publicly

When the Review Contains Truly Illegal Content

Some content goes beyond defamation:

  • Threats of violence
  • Disclosure of protected information (SSN, financial data)
  • Child exploitation
  • Explicit harassment

Report to the platform immediately. Report to law enforcement if appropriate. Consult an attorney.

The Cost of Getting It Wrong

Legal mistakes in review responses can cost:

Direct costs:

  • HIPAA fines: $100 to $50,000+ per violation
  • FTC enforcement: Varies widely, but significant fines possible
  • Legal fees: Even if you win, defending yourself is expensive
  • Settlements: Often cheaper than litigation but still costly

Indirect costs:

  • Reputation damage from public legal battles
  • Time spent on legal issues instead of running your business
  • Stress and distraction

The few minutes you save by firing off an angry response aren't worth the potential consequences.

Building a Legally Safe Response System

Create Guidelines

Document your review response policy:

  • What information can and cannot be included
  • Who is authorized to respond
  • Review process for sensitive responses
  • Escalation procedures for potentially defamatory reviews

Train Your Team

If multiple people respond to reviews:

  • Share these legal guidelines
  • Provide approved response templates
  • Require review of non-standard responses
  • Establish clear escalation paths

When in Doubt, Consult

For any review that touches on:

  • Legal claims (fraud, theft, safety violations)
  • Healthcare information
  • Potential defamation
  • Threats or harassment

Consult with an attorney before responding. The cost of a quick legal consultation is far less than the cost of a mistake.

Use Tools Wisely

Automated response tools like HeyThanks can help by:

  • Providing consistent, safe response templates
  • Flagging reviews that need human review
  • Ensuring timely responses without rushed mistakes
  • Maintaining records of all responses

The Bottom Line

Review responses are public statements with legal weight. Treat them accordingly.

When in doubt:

  • Keep it general
  • Take specifics offline
  • Don't reveal private information
  • Don't threaten legal action
  • Consult a professional

The goal is to respond professionally, protect your reputation, and avoid creating new legal problems in the process.

For more on effective review responses within these boundaries, see our guides on how to handle negative reviews and review response mistakes to avoid.

Disclaimer: This article provides general information about legal considerations in review responses. It is not legal advice. Consult with a qualified attorney for advice specific to your situation and jurisdiction.

Frequently Asked Questions

Can I sue a customer for leaving a fake review?

Potentially, if the review contains defamatory content (false statements of fact that cause damage). However, legal action is expensive, difficult to win, and often backfires through the Streisand Effect. Most attorneys recommend exhausting platform-based removal options first and reserving legal action for cases with clear defamation and significant provable damages.

Is it legal to offer incentives for positive reviews?

The FTC requires disclosure of any material connections. You cannot offer incentives specifically for positive reviews, but you can offer incentives for leaving reviews in general (with disclosure). Google, Yelp, and other platforms have their own policies that often prohibit incentivized reviews entirely. Violating platform policies can get your business penalized.

Can healthcare providers respond to patient reviews at all?

Yes, but very carefully. HIPAA prohibits disclosing protected health information, which includes even confirming someone is a patient. Healthcare providers should use generic responses that don't confirm the patient relationship. Example: 'We take all feedback seriously. Please contact our office directly to discuss your concerns.'
