Skip to content
Better Sharing Better Sharing

Matching vs Messaging

Subtitle: Why Surfacing Matches and Sending Invitations Are Two Legally Distinct Actions

Finding friends and inviting friends are not the same thing.

Just showing a user that their contact is already using your platform is different—legally and technically—from messaging that contact. This distinction is crucial for designing compliant contact discovery features.

This article explains why matching and messaging require different consent flows, legal bases, and engineering patterns, and how to implement each correctly.

Core Foundation

This article continues from:
Transparent Matching UX

Supporting articles:

Definitions

Understanding the precise definitions of matching and messaging is essential for applying the correct legal frameworks to each activity:

Term Meaning Technical Implementation Legal Classification
Matching Comparing imported contacts to your user database and surfacing matches Database comparison operations; UI display of results Data processing; potential profiling
Messaging Sending an invite, reminder, or notification to a contact Email, SMS, or in-app notification delivery Electronic marketing communication

Matching is silent discovery—it involves processing contact data to identify connections but doesn’t directly communicate with the matched individuals.

Messaging is active outreach—it involves sending communications to individuals and triggers additional legal requirements beyond those for matching.

This distinction affects everything from the consent mechanisms you implement to the legal basis you rely on for processing.

Legal Differences

The legal frameworks that apply to matching and messaging differ significantly:

Action What It Triggers Compliance Requirements
Matching only GDPR profiling rules; data processing requirements Lawful basis (consent or legitimate interest); transparency; data minimization
Messaging GDPR, PECR, CASL, CAN-SPAM marketing rules Explicit consent in many jurisdictions; sender identification; opt-out mechanisms

Important Note: Even passive matching still counts as processing personal data. This means you need:

  • A lawful basis under GDPR (typically consent or legitimate interest)
  • Transparency about the processing
  • Data minimization measures
  • Appropriate retention periods
  • Mechanisms to honor data subject rights

However, matching alone doesn’t trigger the stricter requirements of electronic marketing laws like CASL or PECR, which apply when you send messages to contacts.

How to Handle Matching Correctly

Implementing compliant contact matching requires attention to several key principles:

Consent and Transparency

  • Obtain Clear Permission

    • Ask users for consent before matching their contacts
    • Explain the purpose of matching in simple terms
    • Specify what data will be used for matching
    • Clarify how matches will be presented

  • Documentation

    • Record when and how consent was obtained
    • Store the exact language shown to users
    • Maintain records of matching activities
    • Document your legitimate interest assessment if not using consent

Data Minimization

  • Limited Data Collection

    • Match only the fields needed (email or phone number)
    • Avoid processing unnecessary contact information
    • Filter contacts client-side when possible
    • Hash identifiers where appropriate for privacy

  • Retention Limits

    • Define clear retention periods for imported contacts
    • Delete unmatched contacts promptly
    • Document your retention policy
    • Implement automatic deletion workflows

User Experience

  • Passive Presentation

    • Surface matches in a non-intrusive way (e.g., “You might know Alex”)
    • Present matches in dedicated sections of the app
    • Provide context about how the match was found
    • Do not auto-follow or auto-connect matched users

  • User Control

    • Allow users to dismiss or hide specific matches
    • Provide options to delete imported contacts
    • Offer settings to pause or disable matching
    • Implement feedback mechanisms for unwanted matches

Respecting Non-User Rights

  • Opt-Out Mechanisms

    • Offer opt-outs for users who don’t want to be discoverable
    • Honor opt-outs across all matching features
    • Implement global suppression lists
    • Document opt-out requests

  • Rights Fulfillment

    • Establish processes for handling non-user rights requests
    • Create verification mechanisms for identity confirmation
    • Train support staff on handling privacy inquiries
    • Document your approach to non-user rights

Implementation Example:
A “People You May Know” section that users can access when they choose, with clear explanations of how matches were found, options to hide specific matches, and settings to disable the feature entirely.

How to Handle Messaging Correctly

Sending invitations to contacts triggers additional legal requirements beyond those for matching:

Consent Requirements

  • Explicit User Action

    • Only send invites when users explicitly trigger them
    • Separate matching consent from messaging consent
    • Use clear, affirmative consent mechanisms
    • Document messaging consent separately

  • Specific Consent

    • Obtain consent for the specific messaging purpose
    • Avoid bundled consent for multiple purposes
    • Make consent granular and specific
    • Ensure consent is freely given

Message Content

  • Required Elements

    • Preview the message before sending
    • Include sender identification (both user and platform)
    • Clearly state the purpose of the message
    • Provide a prominent opt-out link
    • Include a link to your privacy policy
    • Add required business information (physical address, etc.)

  • Transparency

    • Make the commercial nature clear when applicable
    • Avoid deceptive subject lines
    • Use straightforward language
    • Explain why the recipient is receiving the message

Frequency and Follow-up

  • Limited Communication

    • Send one invite only—no automatic reminders unless recipient opts in
    • Implement cooling-off periods between invitations
    • Honor opt-outs immediately and globally
    • Document all communications sent

  • Suppression Management

    • Maintain a global suppression list
    • Check against suppressions before sending any message
    • Apply suppressions across all users and campaigns
    • Preserve suppression records indefinitely

Implementation Example:
A messaging flow that requires users to select specific contacts, shows a preview of the invitation, requires explicit consent before sending, and includes all required disclosures in the message.

Real-World Example: When Matching Became Messaging

Understanding real-world examples helps illustrate the importance of distinguishing between matching and messaging:

Facebook’s People You May Know Feature:

Facebook’s contact discovery feature raised significant privacy concerns because:

  • Implementation Issues:

    • Users were matched without understanding why or how
    • No clear consent was gathered for surfacing recommendations
    • Some matches revealed sensitive relationships (e.g., between patients and doctors)
    • The feature used multiple data sources without transparency
    • Users couldn’t easily opt out of being discoverable

  • Privacy Implications:

    • Revealed potentially sensitive connections
    • Created perception of surveillance
    • Led to regulatory scrutiny
    • Damaged user trust
    • Generated negative press coverage

  • Key Lessons:

    • Even passive features need active consent if they feel intrusive
    • Transparency about data sources is essential
    • Users need control over their discoverability
    • Privacy impact assessments should consider unexpected consequences
    • Matching can inadvertently reveal sensitive information

(Source)

Risky Patterns to Avoid

Certain implementation patterns create significant legal and reputational risks:

Pattern Why It’s a Problem Better Alternative
Surfacing matches without opt-in Feels like surveillance; may violate transparency requirements Obtain clear consent before showing matches; explain how matches are found
Auto-sending invites to matched contacts Violates marketing rules; lacks specific consent Require explicit user action to send invites; preview messages before sending
Not offering “Don’t show me” option for users Breaches data subject rights; damages user trust Provide clear opt-out mechanisms for both users and non-users
Reminding users about matched contacts without consent Triggers anti-spam laws; creates perception of nagging Obtain separate consent for reminders; limit frequency; respect user preferences
Using matching data for other purposes Violates purpose limitation; exceeds consent scope Strictly limit use to stated purpose; obtain separate consent for other uses
Revealing sensitive connections Privacy violation; potential harm to users Implement privacy-preserving matching algorithms; allow users to control visibility

Implementation Guidance:

  • Conduct privacy impact assessments for both matching and messaging features
  • Test features with diverse user groups to identify unexpected privacy concerns
  • Implement robust logging to track consent and user actions
  • Regularly review and update your approach as regulations evolve

Summary: Match Lightly, Message Carefully

Effective contact discovery features respect the distinction between matching and messaging:

Action Best Practice Legal Basis User Experience
Matching contacts Passive, consented, opt-out available Consent or legitimate interest Transparent, controlled, non-intrusive
Messaging contacts Explicit user trigger, opt-out included Explicit consent in most jurisdictions Clear, preview-based, user-initiated

Treat matching like discovery.
Treat messaging like marketing.

This distinction isn’t just about legal compliance—it creates better user experiences by respecting boundaries and building trust. When users understand and control both the matching and messaging processes, they’re more likely to engage positively with your platform’s social features.

If you design with these principles, your Find Your Friends features will grow networks—and avoid privacy pitfalls that have affected even the largest platforms.

Up Next

Next, we’ll explain how to design safe, compliant invitation flows for when users actually want to message their friends.

Read Sending Invitations After Matching

Or revisit foundational consent rules:
The Consent Playbook

Copy

Leave a Comment

Your email address will not be published. Required fields are marked *