Consentz

Before and After Photos in Aesthetic Clinics: Consent, Storage & Best Practice

Before and after photography is simultaneously one of the most powerful clinical and marketing tools an aesthetic clinic has — and one of the areas where compliance problems most commonly arise.

A patient who consented to treatment has not automatically consented to being photographed. A patient who consented to photography has not automatically agreed to their images being used on Instagram. And a clinic that stores clinical photographs in a shared Google Drive or a camera roll has a GDPR problem whether they know it or not.

This guide covers everything you need to know: what consent you need, how to obtain it correctly, how to store images safely, and the clinical photography standards that protect both your patients and your practice.

Why photo consent is separate from treatment consent

This is the most important thing to understand about clinical photography in aesthetics. Treatment consent and photo consent are legally distinct.

A patient has the right to:

  • Consent to treatment AND consent to clinical photography for their own records
  • Consent to treatment AND consent to photography but decline any marketing use
  • Consent to treatment AND refuse all photography

Any of these is a valid position, and none of them affects the quality of care the patient receives. Bundling photo consent into your treatment consent form — or implying through a single signature that photography and marketing use are included — is a consent failure that could expose you to a GDPR complaint or legal action.

What your photo consent form needs to cover

A standalone photo consent document should address the following:

Purpose of photography

Specify clearly why images are being taken. Clinical purposes (monitoring treatment outcomes, medical record-keeping) are different from marketing purposes (before and after galleries, social media, website). Be specific — “for clinical purposes” and “for use in our patient gallery on Instagram” are separate permissions.

Storage and access

Tell patients where images will be stored (encrypted cloud storage, clinic server, etc.), who can access them (the treating practitioner, the clinic manager, no one else), and how long they will be kept. Under GDPR, you should not retain personal data — including clinical photographs — longer than necessary for the specified purpose.

The right to withdraw consent for marketing use

Patients can withdraw marketing consent at any time. If they do, you must remove their images from marketing materials within a reasonable timeframe. Make clear in your form that this right exists, and document any withdrawals immediately.

Specific marketing opt-in

Marketing use of clinical photographs requires a specific, separate opt-in. This means a distinct checkbox or signature — not a statement buried in a longer form. Under GDPR, silence or pre-ticked boxes are not valid consent.

GDPR requirements for aesthetic clinic photography (UK)

Clinical photographs are sensitive personal data under UK GDPR — in the same category as health records and medical information. This means:

  • You must have a legal basis for processing them — legitimate interest for clinical records, explicit consent for marketing
  • You cannot share them with third parties without authorisation — including sharing with other clinicians who are not directly involved in the patient’s care
  • You must implement appropriate technical and organisational security measures to protect them
  • Patients have the right to request access to their images, and the right to request deletion (subject to your legitimate clinical retention requirements)

The Information Commissioner’s Office (ICO) has published guidance on health data under GDPR. If a patient raises a subject access request for their clinical photographs, you must respond within one month.

HIPAA requirements for aesthetic clinic photography (US)

In the US, clinical photographs qualify as Protected Health Information (PHI) under HIPAA when they can identify a patient. Using PHI in marketing requires a specific written authorisation — separate from the general treatment consent and separate from the HIPAA Notice of Privacy Practices acknowledgement.

Key points for US aesthetic clinics:

  • Storing before and after photos on platforms without a Business Associate Agreement (BAA) is a HIPAA violation — this includes standard Instagram, personal iCloud, and consumer Google Drive
  • Any photo that could identify the patient — including photos that only show part of the face — is PHI and subject to full HIPAA protections
  • Patient authorisation for marketing use must be obtained in writing, specify what will be disclosed, to whom, and for what purpose, and be signed and dated by the patient

Where most clinics get it wrong: storage

The most common photo storage mistake in aesthetic clinics is not malicious — it is convenient. Images saved to a personal iPhone. Before and afters in a WhatsApp thread for sharing with the marketing team. A shared Google Drive folder with photos that can be accessed from any device.

Every one of these scenarios creates a compliance problem. Consumer storage platforms are not GDPR-compliant for clinical data, are not HIPAA-compliant for PHI, and do not provide the access controls, encryption, or audit trails that regulators expect.

Clinical photographs must be stored in an encrypted system with role-based access controls — meaning only the people who need access to an image actually have it, and there is a record of who accessed what and when.
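
The following is an added example, not part of the original article and not Consentz's code. It shows how the requirement above can be combined with the purpose-specific consent described earlier: each access request is checked against the user's role and the patient's recorded consent for that purpose, and every attempt is logged. The role names, purpose names and in-memory store are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Hypothetical role-to-purpose policy (an assumption for this example).
ROLE_PURPOSES = {"practitioner": {"clinical"},
                 "clinic_manager": {"clinical", "marketing"},
                 "marketing": {"marketing"}}

@dataclass
class PhotoConsent:
    # Separate explicit opt-ins; nothing is pre-ticked, so both default to False.
    clinical_photography: bool = False
    marketing_use: bool = False
    marketing_withdrawn_at: Optional[datetime] = None

    def withdraw_marketing(self) -> None:
        self.marketing_withdrawn_at = datetime.now(timezone.utc)

    def permits(self, purpose: str) -> bool:
        if purpose == "clinical":
            return self.clinical_photography
        if purpose == "marketing":
            return self.marketing_use and self.marketing_withdrawn_at is None
        return False  # unknown purposes are never permitted

@dataclass
class PhotoStore:
    consents: dict = field(default_factory=dict)   # patient_id -> PhotoConsent
    audit_log: list = field(default_factory=list)  # append-only access record

    def request_access(self, user, role, patient_id, purpose) -> bool:
        consent = self.consents.get(patient_id, PhotoConsent())
        allowed = purpose in ROLE_PURPOSES.get(role, set()) and consent.permits(purpose)
        # Log who asked for what and when, including denied attempts.
        self.audit_log.append({"at": datetime.now(timezone.utc).isoformat(),
                               "user": user, "role": role, "patient": patient_id,
                               "purpose": purpose, "allowed": allowed})
        return allowed

def demo() -> list:
    # Constructed sample: patient p1 opted in to both uses; p2 has no consent on file.
    store = PhotoStore({"p1": PhotoConsent(True, True)})
    out = [store.request_access("dr_a", "practitioner", "p1", "clinical"),
           store.request_access("mk_b", "marketing", "p1", "clinical"),
           store.request_access("mk_b", "marketing", "p1", "marketing")]
    store.consents["p1"].withdraw_marketing()
    out.append(store.request_access("mk_b", "marketing", "p1", "marketing"))
    out.append(store.request_access("dr_a", "practitioner", "p2", "clinical"))
    return out
```

Denied requests are logged as well as granted ones, so the record shows attempted access after a withdrawal.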

Consentz stores clinical photographs using AWS 256-bit AES encryption, linked directly to the patient’s treatment record. Images are accessible only within the platform, with role-based permissions — and the ghost imaging feature allows precise before-and-after overlay comparison within the clinical record rather than needing to export images to a separate tool.

Clinical photography best practice

Beyond consent and storage, the quality and consistency of your clinical photography affects both its clinical value and its marketing impact.

Standardise your setup

Inconsistent lighting, angles, and backgrounds make before and after comparisons unreliable clinically and unconvincing visually. Aim for:

  • Consistent lighting — avoid harsh shadows or direct flash (ring lights with diffusers work well)
  • Neutral background — plain wall, consistent colour
  • Standard angles — frontal, both three-quarter profiles, lateral views for relevant treatments
  • Consistent framing — head and neck for facial aesthetics, same focal distance every time

Remove identifying items from photos intended for marketing use

For marketing photos, patients should not wear distinctive jewellery or clothing that could identify them if they have chosen anonymous consent. Tattoos or other distinctive features should be noted in the consent documentation.

Photograph complications, not just successes

Clinical photography should document complications and unexpected outcomes, not just results you are proud of. A photograph taken when a complication is identified is important clinical evidence that documents the timeline — when the complication occurred and what it looked like — and is your best protection if the situation escalates to a complaint.

Frequently asked questions

1. Can I post before and after photos on Instagram without separate consent?

No. Using clinical photographs in any public-facing marketing requires specific, written opt-in consent stating that images may be used for marketing. Treatment consent — even if it mentions photography — is not sufficient for this purpose. The consent must be specific to marketing use and must be as easy to withdraw as it was to give.

2. What happens if a patient asks me to delete their before and after photos?

Under UK GDPR, patients have the right to request erasure of their personal data (including photographs) unless you have a legitimate basis for retaining them. For clinical photographs linked to a treatment record, you may have a legitimate interest in retaining them as part of the clinical record for the required retention period. However, marketing photographs should be removed promptly on request. Document all requests and your responses.

3. Do I need separate consent for using before and after photos in staff training?

This depends on how they are used. Using anonymised images for in-house clinical training is unlikely to require explicit consent. Using identifiable images in external training events, educational publications, or online educational content requires specific consent that covers that use. When in doubt, obtain consent.

4. Can I use photos of patients I took before GDPR came in?

Pre-GDPR photographs of patients that you have been using for marketing should have explicit, documented consent to be used in that way. If you cannot evidence that consent, the safest approach is to stop using those images in marketing and not rely on the argument that they predate GDPR.
