Three Parties, Three Sets of Rights
Every photograph involving a person brings together three distinct parties, each with a different legal stake in how that image is used. Understanding each party's rights is the starting point for understanding why content attribution matters.
The Photographer
Holds the copyright in the photograph. Controls reproduction, distribution, and licensing — but cannot exploit the image commercially without the model's consent.
The Model
Holds personality rights and image rights over their likeness. These rights exist independently of copyright and cannot be waived entirely — even by a signed release.
The Platform
Hosts and distributes the content. Bears responsibility for ensuring hosted content is properly licensed — and liability exposure when it is not.
"Copyright tells you who made the image. Content attribution tells you who controls it — and who consented to its use. These are not the same question."
— ProntoIDTwo Separate Legal Frameworks, One Photograph
One of the most common misconceptions in the photography industry is that the photographer's copyright covers everything. It does not. Copyright governs the reproduction and distribution of the image as a creative work. Personality rights — sometimes called image rights or right of publicity — govern the use of a person's likeness for commercial purposes. These are separate legal frameworks, and both apply simultaneously to every commercial photograph.
This means a photographer can legally own and reproduce an image while simultaneously being prohibited from using it for commercial purposes — because they do not have the model's consent. And conversely, a model who has signed a release has not surrendered their personality rights entirely: they have granted a specific, scoped licence for defined uses. Uses that fall outside that scope remain unlicensed.
GDPR and Photography: What Every Operator Needs to Understand
Under the General Data Protection Regulation (GDPR), a photograph of an identifiable individual is personal data. This has significant implications for photographers and platforms operating in — or targeting — EU markets.
Processing personal data requires a lawful basis. For commercial photography, that basis is almost always explicit consent. A model release can serve as the documentation of that consent — but to satisfy GDPR requirements, it must be freely given, specific, informed, and unambiguous. A vague "unlimited use" release that the model signed without understanding what they were agreeing to is unlikely to meet this standard.
GDPR also enshrines a right to erasure — the "right to be forgotten." A model can request that images be removed from an organisation's systems and processing pipelines. This does not override a valid contractual release, but it does create an obligation to respond to such requests and to document why they are or are not being acted upon.
Why a Clear Content Attribution Chain Changes the Legal Picture
Content attribution is the documented record of who created a piece of content, who consented to its use, under what terms, and at what point in time. It is not just a record-keeping practice — it is the foundation of legal defensibility for all three parties.
For the photographer: a clear attribution chain proves that consent was obtained, that the right person gave it, and that the images are being used within the agreed scope. This is the difference between a watertight legal position and an expensive dispute.
For the model: attribution visibility means knowing where their image is being used, being able to verify that use is within the agreed scope, and having a structured mechanism to challenge it when it is not.
For the platform: verifiable attribution means being able to demonstrate due diligence — that content was published with a valid, confirmed release — which is increasingly relevant to both regulatory compliance and commercial contracting.
Verified Attribution as a Legal Standard
ProntoTag creates a complete, verifiable content attribution chain by connecting all three parties — photographer, model, and platform — in a single, cryptographically signed consent record. Each party's identity is confirmed against a government-issued ID. The scope of use is defined and agreed before signing. The timestamp is immutable. And the record is available to all three parties in real time.
This is not just better record-keeping. It is the architecture of a legally defensible content attribution system — one that satisfies GDPR consent requirements, provides evidentiary weight in contractual disputes, and gives every party visibility into the status of their rights at any point in time.