Consent for a customer testimonial is not a single yes. It is a layered permission — to use their words, their name, their job title, their company, their photo, their logo — and each layer can be revoked. A team that manages testimonials at any scale needs a clear playbook for how those layers are granted, recorded, and renewed.
This article is that playbook. It assumes you are not a law firm and do not need formal legal review of every quote, but you do need a process that holds up if a customer leaves and asks you to take their testimonial down.
The five layers of testimonial permission
When a customer says "yes, you can use my quote on your site," they are actually granting permission to use up to five distinct things. Treat each one as a separate yes, because they often have different lifespans.
- The words themselves. The verbatim quote text.
- The attribution. The customer's first and last name.
- The role and company. Their job title and employer.
- The photo. A headshot, in some cases a candid photo.
- The company logo. The visual mark of their employer.
A standard testimonial usage permission should explicitly call out all five layers. When customers grant blanket permission for "use this quote with my name and photo," you have implicitly bundled four of the five layers without itemizing them. That's fine for low-risk use but it's brittle if any one piece needs to change.
For the contextual difference between testimonials and case studies, which often have different permission scopes, see case study vs testimonial.
What good consent looks like
A consent record should answer six questions clearly:
- Who granted it? Customer name and email, plus the company they represent.
- When? Date and time of consent.
- What did they consent to? Explicit yes/no for each of the five layers above.
- How can we reach them to renew or revoke? A current contact email.
- What did they actually see? A snapshot of the exact quote and presentation they approved.
- What is the consent expiration policy? Default duration before re-confirmation is needed.
The sixth point is the one most teams skip. Without a default expiration, you end up with testimonials on your site from people who left their company three years ago, and you have no policy to handle it.
How to capture consent in practice
The least-friction path is to embed consent capture in your testimonial collection workflow. If you already use a tool that collects testimonials, the consent layers should be checkboxes the customer ticks at the moment they submit the quote. Our how to collect testimonials from customers piece covers the full collection workflow this fits into.
For testimonials you extracted from existing customer conversations — support tickets, sales calls, internal Slack messages — you need a retroactive consent request. The pattern that works is a short email with:
- The exact quote you want to use.
- A mock-up of where it will appear (URL or screenshot).
- Three checkboxes for the customer to tick: "yes to the quote with my name," "yes to also include my photo," "yes to also include my company logo."
- A clear opt-out and revocation path.
Send this email separately from any sales or success communication. It is a permission request, not a sales touchpoint, and bundling them produces lower yes rates.
When permission expires
A consent grant is not perpetual unless you explicitly say so and the customer explicitly agrees. Even then, several specific events should trigger a re-confirmation:
- The customer leaves the company. Their job title and company affiliation in your testimonial are now stale. The quote may still be theirs, but the attribution is no longer accurate.
- The company is acquired or rebranded. The logo and company name may need updating.
- The product they are praising changes substantially. Their quote about feature X is now misleading if feature X has been replaced.
- Your terms of service or branding changes. If you redesign your site such that the testimonial appears in a meaningfully different context (e.g., moved from a quiet customer page to a paid ad), re-confirm.
Our testimonial attribution decay piece covers the operational side of attribution decay in detail. The short version: set a quarterly review cadence to scan your testimonials against your current customer roster and flag anyone who has changed roles or left.
The revocation flow
A customer who wants their testimonial removed should be able to do it without a fight. The flow should be:
- The customer sends a request (email, form submission, or contact through the company they work at).
- You acknowledge within one business day.
- You remove the testimonial from all public surfaces within five business days.
- You confirm completion to the customer.
- You log the revocation in your consent record so the testimonial is not accidentally reinstated by a future content audit.
Do not negotiate. Do not ask them to reconsider. The reputational cost of being seen to fight a revocation request is much higher than the conversion value of any single quote.
Photo and headshot specifics
Customer photos carry the most consent risk because they are personal in a way text quotes are not. A few specific rules:
- Never use a photo pulled from LinkedIn or social media without explicit permission, even if the photo is "public." Public means visible, not licensed.
- When you collect a photo from a customer, ask whether they would prefer a candid or a professional headshot. Many customers have a preference and asking signals respect.
- Store the source file with the consent record. If the customer asks you to use a different photo later, you should know what you have.
- Re-confirm photo usage every two years. People update their professional appearance, and an outdated photo can feel impersonal or worse.
Logo usage and trademark considerations
Company logos are trademarked, and even with the customer's individual permission, you generally need separate permission from the company's brand or legal team to display their logo. For most small and mid-market customers this is an informal yes from a marketing contact. For enterprise customers, it is a formal request to brand/legal.
The safest approach is to put logo usage permission in a separate request from the testimonial quote itself, and to address it to the customer's company rather than to the individual employee. Some enterprise customers will say yes to a quote but no to a logo, and that's a legitimate split.
For the conversion impact of logos vs quotes, our trust bar customer logos vs testimonial quotes piece explains why you might prefer a single strong quote to a row of logos anyway.
Storage and retrieval
A consent record is useless if it cannot be retrieved when you need it. The minimum infrastructure is:
- A single source-of-truth list (a database table, a spreadsheet, or a tool that handles this for you) where every active testimonial has a row.
- Each row references the consent record (link to the email thread, the form submission, or the contract).
- Each row records the consent expiration date so you can run a query against "what expires in the next 30 days."
- The list is owned by one person on the team, not distributed across three systems.
If your testimonial library has grown to the point that you cannot quickly answer "do we have permission to use this specific quote in this specific ad," your consent management has fallen behind your content production. Pause new collection and clean up the back catalog first.
Confidentiality and NDA-protected testimonials
Some of your strongest testimonials may come from customers whose contracts include NDA clauses about endorsements. In these cases the customer themselves cannot grant consent — their employer must. Our testimonial confidentiality and NDA handling piece covers the legal review path for these situations.
The rule of thumb: if a customer hesitates or asks to check with legal, treat that as a default no until written confirmation arrives. Do not press.
Closing rule
Consent for testimonials is a relationship-management discipline, not a legal-compliance checkbox. Customers who feel respected when you ask for permission give better quotes, agree to longer durations, and refer their colleagues. Customers who feel pressured or surprised tend to revoke at the worst moments.
Treat the consent layer as part of the product, not as paperwork. The testimonials it produces are worth more.