Global Rules for Contact Matching

Subtitle: How GDPR, CPRA, CASL, and PECR Apply to Find Your Friends Features

Find Your Friends (FYF) features can make your platform grow faster—but they also cross into regulated territory in almost every major jurisdiction.

If you match a contact to a user, you’re processing personal data—and must comply with global privacy laws. Understanding the specific requirements of each major privacy framework is essential for building compliant contact discovery features.

This article summarizes how GDPR, CPRA, CASL, PECR, and other frameworks impact FYF features, with specific guidance for global compliance.

Core Foundation

This article continues from:
Consent, Retention, and Opt-Out at Scale

Supporting articles:

• Lawful Groundwork
• Other Privacy Laws

What Triggers Regulation?

Understanding which actions trigger regulatory requirements is the first step in building compliant contact discovery features:

Action	What It Triggers	Compliance Requirements
Importing contacts	Personal data processing	Lawful basis; transparency; data minimization
Matching contacts to users	Profiling and re-identification risks	Privacy impact assessment; appropriate controls; opt-out mechanisms
Surfacing matched users	Transparency and consent obligations	Clear disclosures; user control; privacy by design
Sending invites after matching	Marketing and anti-spam regulations	Explicit consent; sender identification; opt-out mechanisms

Key Principle: Even silent matching must be handled carefully. The absence of outbound messaging doesn’t eliminate your compliance obligations—it merely changes which specific requirements apply.

Jurisdiction-by-Jurisdiction Breakdown

Different regions have specific requirements that apply to contact matching features. Understanding these nuances is essential for global compliance.

European Union (GDPR + ePrivacy Directive)

The General Data Protection Regulation creates comprehensive requirements for processing personal data, including contact information:

Key Requirements:

• Lawful Basis

  • Matching contacts = processing personal data
  • Requires lawful basis (consent or legitimate interest)
  • If using legitimate interest, must document balancing test
  • Consent must be freely given, specific, informed, and unambiguous

• Transparency Obligations

  • Article 13 applies when collecting data directly from users
  • Article 14 applies when obtaining contacts indirectly
  • Must inform data subjects about:
    • Identity of the data controller
    • Purposes of processing
    • Categories of personal data
    • Recipients of the data
    • Retention period
    • Data subject rights

• Data Subject Rights

  • Right to access personal data
  • Right to rectification of inaccurate data
  • Right to erasure (“right to be forgotten”)
  • Right to restrict processing
  • Right to object to processing
  • Right to data portability

• Electronic Marketing Rules

  • ePrivacy Directive governs electronic communications
  • Messaging triggers opt-in marketing rules
  • Prior consent required for marketing communications
  • Soft opt-in exception rarely applies to FYF features

Implementation Guidance:

• Implement explicit consent mechanisms before importing contacts
• Create Article 14 notices for referred contacts
• Document your lawful basis for processing
• Implement comprehensive data subject rights fulfillment processes

United Kingdom (UK GDPR + PECR)

Following Brexit, the UK has its own version of GDPR and the Privacy and Electronic Communications Regulations:

Key Requirements:

• UK GDPR

  • Mirrors EU GDPR in most respects
  • Same lawful basis requirements
  • Same data subject rights
  • Same accountability principles

• PECR-Specific Rules

  • Governs any electronic marketing
  • Prior consent required for messaging
  • Strict rules on consent quality
  • Specific requirements for unsubscribe mechanisms

Implementation Guidance:

• Treat UK requirements similarly to EU GDPR
• Pay special attention to PECR consent requirements for messaging
• Monitor for potential UK-specific divergence over time
• Implement clear opt-out mechanisms in all communications

Canada (CASL)

Canada’s Anti-Spam Legislation is one of the strictest electronic messaging laws globally:

Key Requirements:

• Contact Matching

  • Matching alone is lower risk than messaging
  • Still requires appropriate privacy notices
  • Must have lawful basis under PIPEDA

• Electronic Messaging

  • Sending invites or marketing requires express consent
  • Strict one-time referral exception applies only if:
    • Sender has existing relationship with both referrer and recipient
    • Full disclosure of sender identity is included
    • Message includes unsubscribe mechanism
  • Only allows for a single message (no follow-ups without consent)

• Documentation Requirements

  • Must maintain records of consent
  • Must document basis for any exceptions relied upon
  • Must keep records of unsubscribe requests

Implementation Guidance:

• Implement express consent mechanisms for any messaging
• Include complete sender identification in all communications
• Provide prominent unsubscribe mechanisms
• Limit to one message unless recipient opts in for more

For more information, see: Government of Canada – CASL

United States (CAN-SPAM + CCPA/CPRA)

The United States has both federal anti-spam legislation and state-level privacy laws that apply to contact matching:

Key Requirements:

• CAN-SPAM Act

  • No prior consent needed for one-time invites
  • Opt-out must be offered immediately
  • Must include valid physical postal address
  • Cannot use deceptive subject lines or sender information
  • Must honor opt-outs within 10 business days

• California Privacy Rights Act (CPRA)

  • Treats contact info matching as sharing personal data
  • Requires “Do Not Sell or Share My Personal Information” option
  • Notice of Financial Incentive required if rewards involved
  • Provides rights to access, delete, and correct personal information
  • Applies to businesses meeting specific thresholds

• Other State Laws

  • Virginia, Colorado, Connecticut, Utah, and other states have similar laws
  • Most follow CCPA/CPRA model with variations
  • Implement controls for the strictest requirements to ensure compliance

Implementation Guidance:

• Include all required sender information in communications
• Implement a simple, one-click unsubscribe mechanism
• Create a “Do Not Sell or Share” option for California residents
• Document any financial incentives related to referrals
• Honor opt-outs promptly and globally

Brazil (LGPD)

Brazil’s Lei Geral de Proteção de Dados creates comprehensive data protection requirements:

Key Requirements:

• Lawful Basis

  • Lawful basis (consent or legitimate interest) required
  • Consent must be free, informed, and unambiguous
  • Legitimate interest requires balancing test and documentation

• Transparency and Rights

  • Transparency and user rights must be respected
  • Must respond to rights requests within 15 days
  • Right to delete unmatched or unsubscribed data
  • Right to access personal data being processed

• Data Protection Principles

  • Purpose limitation restricts how data can be used
  • Data minimization requires collecting only necessary data
  • Security measures must be appropriate to the processing

Implementation Guidance:

• Document your lawful basis for processing Brazilian contact data
• Implement processes to handle data subject rights requests
• Create Portuguese-language privacy notices when applicable
• Consider data localization implications if storing data outside Brazil

Universal Compliance Checklist

To simplify compliance across multiple jurisdictions, implement these universal best practices that satisfy the strictest requirements of all major privacy laws:

Principle	Practice	Implementation Guidance
Explicit consent	For importing and matching contacts	Use clear, affirmative consent mechanisms; document when and how consent was obtained
Clear disclosures	Who is matched, why, and how to opt out	Provide transparent explanations at each step; include privacy notices in all communications
One-time messaging	Only if user triggers it	Implement user-initiated invitation flows; avoid automatic messaging; respect frequency limits
Global opt-outs	Block future matches and invites across users	Create centralized suppression system; apply opt-outs across all users and features
Data minimization	Delete unmatched data quickly	Implement automatic deletion workflows; document retention periods; minimize data collection
Rights fulfillment	Honor access, deletion, and objection rights	Create processes for both users and non-users; respond within required timeframes
Documentation	Record all privacy decisions and processes	Maintain comprehensive records of consent, processing activities, and compliance measures

Key Principle: If you design for GDPR, CPRA, and CASL at once—you’ll be globally safe. These frameworks represent the strictest requirements across different aspects of contact matching and messaging.

Global Risk Patterns to Avoid

Certain implementation patterns create significant legal and reputational risks across multiple jurisdictions:

Bad Practice	Legal Risk	Better Alternative
Auto-matching contacts without consent	GDPR and CPRA violation; lack of transparency	Implement explicit consent before matching; provide clear explanations
Auto-sending invites after match	Breach of anti-spam laws; consent violation	Require user action to trigger invitations; preview messages before sending
No opt-out option for non-users	Breach of GDPR, CASL, CCPA; damages trust	Create accessible opt-out mechanisms for non-users; honor opt-outs globally
Retaining unmatched imports indefinitely	Data minimization failure; increased breach risk	Implement automatic deletion after defined period; document retention policy
Using contacts for purposes beyond matching	Purpose limitation violation; consent scope breach	Strictly limit use to stated purpose; obtain separate consent for other uses
Ignoring regional variations	Non-compliance in specific jurisdictions	Implement region-specific adjustments where necessary; document your approach

Implementation Guidance:

• Conduct privacy impact assessments for contact matching features
• Implement privacy by design principles from the start
• Create clear documentation of design decisions
• Regularly review and update your approach as regulations evolve

Summary: Match Globally, Respect Locally

Effective global compliance requires a strategic approach that balances universal principles with regional nuances:

Strategy	Outcome	Business Benefit
Local consent flows	Compliance with strictest regions	Reduced regulatory risk; ability to operate globally
Transparency at every step	Higher trust and retention	Better user experience; stronger platform reputation
Suppression and opt-out handling	Global regulatory alignment	Fewer complaints; improved sender reputation
Data minimization and short retention	Lower breach and audit risks	Reduced security liability; simplified compliance
Comprehensive documentation	Defensible compliance posture	Evidence for regulatory inquiries; clear internal guidance

If your FYF system would satisfy GDPR, CPRA, and CASL, it’s probably safe everywhere else too. This approach creates a foundation for global compliance while still allowing for growth and innovation.

Building a globally compliant contact matching system requires upfront investment in proper design and implementation, but it pays dividends through reduced legal risk, stronger user trust, and sustainable growth. By addressing privacy requirements from the beginning, you avoid costly retrofits and potential regulatory penalties.

Up Next

Finally, we’ll show how trust-first Find Your Friends features outperform aggressive ones—boosting growth and loyalty.

Read Trust-First Social Graph Growth

Or revisit consent and suppression patterns:
Consent, Retention, and Opt-Out at Scale