Global Laws for Referrals

Subtitle: How GDPR, PECR, CASL, CAN-SPAM, and CPRA Apply to Your Referral Program

Building a referral program that grows fast is great.
Building one that’s legally compliant everywhere you operate is essential.

Different regions impose different rules on referral programs—especially when user contacts and incentives are involved. Understanding these requirements is crucial for building compliant, sustainable growth strategies.

This article walks through the key privacy laws that impact referral programs, and how to design yours to work across borders while maintaining compliance with global regulations.

Core Foundation

This article continues from:
How to Handle Contacts Without Breaking Privacy Laws

Key related articles:

• Incentivized Referrals
• The Consent Playbook
• Your App, Their Data
• Post-Send Obligations

What Triggers Legal Requirements in Referrals?

Referral programs involve several activities that trigger legal obligations under privacy and marketing laws. Understanding these triggers helps you identify which compliance requirements apply to your specific implementation.

Action	Legal Impact	Implementation Considerations
Importing contacts	Processing personal data	Requires lawful basis under GDPR; triggers data controller obligations
Sending invites	Triggering marketing laws	May require prior consent depending on jurisdiction and message content
Offering rewards	Triggering financial incentive rules	Requires additional disclosures; changes the nature of communication
Tracking recipient actions	Increasing processing scope	Expands data processing activities; requires transparency
Storing unmatched contacts	Retention and deletion rules apply	Necessitates data minimization and defined retention periods

Implementation Guidance:

• Document each data processing activity in your referral flow
• Identify which laws apply to each activity based on user and recipient location
• Implement appropriate compliance measures for each trigger point
• Review regularly as regulations evolve

Major Privacy and Anti-Spam Laws to Know

European Union (GDPR + ePrivacy Directive)

The General Data Protection Regulation (GDPR) and ePrivacy Directive create a comprehensive framework for handling personal data and electronic communications in the EU.

Key Requirements for Referral Programs:

1. Consent Requirements

   • Prior opt-in consent is mandatory if your message promotes your platform
   • Consent must be freely given, specific, informed, and unambiguous
   • Pre-checked boxes are invalid for obtaining consent
   • Consent must be documented and provable

2. Article 14 Notices

   • When processing third-party contact information, you must provide information notices
   • Must inform recipients about:
     • Your identity as the data controller
     • Categories of personal data processed
     • Purposes and legal basis for processing
     • Data retention period
     • Data subject rights
   • Must be provided within one month of obtaining data or at first communication

3. Data Protection Principles

   • Data minimization: Collect only necessary contact information
   • Purpose limitation: Use data only for the specified referral purpose
   • Storage limitation: Delete or anonymize data when no longer needed
   • Accountability: Document compliance measures

Implementation Guidance:

• Design referral flows that collect explicit consent before processing contacts
• Create Article 14 notices to send to referred contacts
• Implement data minimization by collecting only essential contact information
• Establish clear retention periods for contact data
• Document all compliance measures for accountability purposes

For more detailed information, see: Lawful Groundwork

United Kingdom (UK GDPR + PECR)

Following Brexit, the UK has its own version of GDPR (UK GDPR) and the Privacy and Electronic Communications Regulations (PECR), which closely mirror EU regulations but with some distinctions.

Key Requirements for Referral Programs:

1. Core Requirements

   • Same fundamental principles as EU GDPR
   • Data minimization, purpose limitation, and lawful basis requirements apply

2. PECR-Specific Rules

   • PECR regulates all electronic marketing (email, SMS)
   • Consent needed even if initiated by user if sent via your platform
   • Soft opt-in exception rarely applies to referral messages
   • Must include clear identification of sender and opt-out mechanism

Implementation Guidance:

• Implement explicit consent mechanisms before processing UK contacts
• Include clear sender identification in all communications
• Provide prominent unsubscribe mechanisms
• Document consent for accountability purposes

UK-Specific Considerations:

• The UK Information Commissioner’s Office (ICO) has specific guidance on electronic marketing
• Penalties can reach up to £17.5 million or 4% of annual global turnover
• The UK may diverge further from EU regulations over time, requiring separate compliance strategies

Canada (CASL)

Canada’s Anti-Spam Legislation (CASL) is one of the strictest electronic messaging laws globally, with significant implications for referral programs.

Key Requirements for Referral Programs:

1. Express Consent

   • Required for most electronic messages
   • Must be documented and provable
   • Must specify purpose and identify sender

2. “One-time Referral” Exception

   • Applies only if ALL of these conditions are met:
     • Sender has an existing personal or business relationship with both the referrer and recipient
     • Referrer has an existing personal or business relationship with the recipient
     • Full sender identification information is included
     • Unsubscribe mechanism is provided
   • Only allows for a single message (no follow-ups without consent)

3. Message Requirements

   • Must identify sender clearly
   • Must include sender’s contact information
   • Must include an unsubscribe mechanism
   • Must disclose if sent on behalf of another person

Implementation Guidance:

• Design referral messages that clearly identify your company as the sender
• Include complete contact information in all messages
• Provide a functional unsubscribe mechanism in every message
• Limit to one message per recipient unless you obtain express consent
• Document all consent and messaging activities

For more information, see: Government of Canada – CASL Overview

United States (CAN-SPAM)

The Controlling the Assault of Non-Solicited Pornography And Marketing Act (CAN-SPAM) regulates commercial email messages in the United States. It’s generally less strict than GDPR or CASL but still imposes important requirements.

Key Requirements for Referral Programs:

1. Consent Model

   • No prior consent needed for one-time invitations
   • Opt-out model rather than opt-in
   • Must honor opt-outs promptly (within 10 business days)

2. Message Requirements

   • Must include:
     • Clear sender identification
     • Valid physical postal address
     • Conspicuous opt-out mechanism
     • Clear subject line that isn’t deceptive
   • Cannot use deceptive headers, subject lines, or sender information

3. Opt-Out Compliance

   • Cannot require recipients to:
     • Pay a fee to opt out
     • Provide information beyond email address
     • Take steps beyond visiting a single page or replying to an email
   • Cannot sell or transfer email addresses of people who have opted out

Implementation Guidance:

• Include all required sender information in every message
• Implement a simple, one-click unsubscribe mechanism
• Process opt-outs within 10 business days (immediately is best practice)
• Maintain a suppression list to prevent messaging opted-out recipients

Important Limitation:
While CAN-SPAM is less restrictive than other regulations, complying only with CAN-SPAM will not ensure global compliance. If you have users or recipients in the EU, UK, Canada, or California, you’ll need to meet those stricter standards as well.

California (CCPA/CPRA)

The California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), creates significant obligations for businesses handling California residents’ personal information, including in referral programs.

Key Requirements for Referral Programs:

1. Data Sharing Framework

   • Referrals are considered “sharing personal information” if you process emails/phone numbers
   • Triggers disclosure and opt-out requirements
   • May constitute a “sale” of personal information if incentives are involved

2. Required Disclosures

   • Must disclose collection and use of contact information in privacy policy
   • Must provide a Notice of Financial Incentive if rewards are involved, explaining:
     • Material terms of the incentive program
     • Categories of personal information implicated
     • How the value of the data relates to the incentive
     • How to opt out of the incentive program

3. Opt-Out Rights

   • Must provide a “Do Not Sell or Share My Personal Information” option
   • Must honor opt-out requests within 15 business days
   • Must pass opt-out requests to any third parties you’ve shared data with

Implementation Guidance:

• Include detailed disclosures about your referral program in your privacy policy
• Create a Notice of Financial Incentive if your program offers rewards
• Implement a “Do Not Sell or Share My Personal Information” option
• Honor opt-out requests promptly and comprehensively
• Document all data sharing activities related to your referral program

For more information, see: CCPA Regulations

Brazil (LGPD)

Brazil’s Lei Geral de Proteção de Dados (LGPD) is modeled after the GDPR and creates comprehensive data protection requirements for processing Brazilian residents’ personal data.

Key Requirements for Referral Programs:

1. Lawful Basis

   • Consent or legitimate interest required for contact data use
   • Consent must be free, informed, and unambiguous
   • Legitimate interest requires balancing test and documentation

2. Transparency Requirements

   • Must disclose:
     • Purpose of data processing
     • Retention period
     • Data subject rights
     • Identity and contact information of the data controller

3. Data Subject Rights

   • Deletion rights apply to referred contacts
   • Access rights allow individuals to see what data you hold
   • Correction rights allow for updating inaccurate information
   • Must respond to rights requests within 15 days

Implementation Guidance:

• Document your lawful basis for processing Brazilian contact data
• Provide clear privacy notices to both referrers and recipients
• Implement processes to handle data subject rights requests
• Consider data localization implications if storing data outside Brazil

Universal Best Practices for Global Compliance

To simplify compliance across multiple jurisdictions, implement these universal best practices that satisfy the strictest requirements of all major privacy laws:

Rule	Practice	Implementation Guidance
Consent	Always ask explicitly before messaging contacts	Use clear, affirmative consent mechanisms; document when and how consent was obtained
Transparency	Disclose sender, reason, and incentive in every invite	Include complete information about who is sending the message, why, and any rewards involved
Data minimization	Only collect essential fields (email, maybe name)	Avoid collecting unnecessary data like phone numbers, addresses, or demographic information
One-time messaging	Avoid multiple follow-ups unless recipient opts in	Send only one message per recipient unless they explicitly consent to more
Opt-out and suppression	Honor immediately and globally	Implement a global suppression list; process opt-outs within 24 hours

Implementation Considerations:

1. Consent Management

   • Store consent records with timestamps and consent text
   • Implement consent verification before processing referrals
   • Provide mechanisms to withdraw consent

2. Global Suppression List

   • Maintain a centralized database of opted-out contacts
   • Check against this list before sending any messages
   • Apply suppressions across all users and campaigns

3. Data Minimization

   • Collect only necessary contact information
   • Hash or encrypt contact data when possible
   • Implement automatic deletion workflows

4. Documentation

   • Record all privacy-related decisions and implementations
   • Document your compliance approach for each jurisdiction
   • Maintain records of consent, opt-outs, and data processing activities

Risky Referral Designs to Avoid

Certain referral program designs create significant legal and reputational risks across multiple jurisdictions:

Design Flaw	Why It’s Risky	Better Alternative
Auto-import and message all contacts	Breach of GDPR, PECR, CASL; lacks consent	Require explicit selection of contacts; implement clear consent mechanisms
No disclosure of incentives	Breach of CPRA; lacks transparency	Clearly disclose all incentives to both referrers and recipients
Sending reminders without opt-in	Violates CAN-SPAM, CASL; constitutes spam	Send only one message unless recipient explicitly opts in to more
Keeping unmatched contacts indefinitely	Data minimization violation; increases breach risk	Implement automatic deletion after a defined period (e.g., 30 days)
Using contacts for other marketing	Purpose limitation violation; consent scope breach	Use contact data only for the specific referral purpose disclosed
Pre-checking consent boxes	Invalid consent under GDPR, CASL; deceptive practice	Require active, affirmative consent actions

Case Study: LinkedIn’s Referral Program Legal Issues

LinkedIn faced a class-action lawsuit over its “Add Connections” feature, which allowed users to import contacts and send invitations. The court found issues with:

1. Sending multiple reminder emails without separate consent
2. Making it difficult to stop the reminder emails
3. Using language that obscured the commercial nature of the messages

LinkedIn settled for $13 million and made significant changes to its referral mechanisms, including:

• Clearer disclosure about follow-up messages
• Explicit consent for each type of message
• Improved opt-out mechanisms
• More transparent language about how contact data would be used

This case highlights the importance of transparent, consent-based referral designs that respect recipient preferences.

Global Compliance Checklist for Referral Programs

Use this checklist to ensure your referral program meets global compliance standards:

Step	Action	Implementation Guidance
Consent	Implement explicit opt-in before invites	Use clear checkboxes with specific consent language; avoid pre-checked boxes
Transparency	Create clear message previews and disclosures	Show users exactly what will be sent; disclose any incentives
Reward structure	Design to reward conversions, not sends	Structure incentives to trigger on meaningful actions, not just contact sharing
Opt-outs	Implement global suppression across users	Create a centralized suppression database; check before sending any message
Retention	Delete or hash unmatched contact data quickly	Set automatic deletion timers; document your retention policy
Documentation	Record all compliance measures	Maintain records of consent, processing activities, and design decisions
Testing	Verify compliance across jurisdictions	Test your referral flow against requirements for each target market

Summary: Design for the Strictest Rules

If you build your referral program to satisfy GDPR + CASL + CPRA, you’ll meet (or exceed) the standards everywhere else. This approach not only protects you legally but also builds trust, better engagement, and longer-lasting growth.

The most effective approach to global compliance is to design your referral program to meet the strictest requirements across all jurisdictions:

1. Consent

   • Implement explicit, affirmative consent mechanisms
   • Document consent with timestamps and consent text
   • Make consent specific to the referral activity

2. Transparency

   • Provide clear information about data processing
   • Disclose incentives and commercial nature of messages
   • Show message previews before sending

3. Opt-out

   • Implement prominent, one-click unsubscribe mechanisms
   • Honor opt-outs immediately and globally
   • Maintain a centralized suppression list

4. Minimization

   • Collect only necessary contact information
   • Implement defined retention periods
   • Delete or anonymize data when no longer needed

5. Deletion rights

   • Allow both referrers and recipients to request data deletion
   • Process deletion requests promptly
   • Document your deletion processes

Benefits of a Global Compliance Approach:

1. Legal Protection

   • Reduces risk of regulatory penalties
   • Provides defense against class-action lawsuits
   • Creates documentation trail for accountability

2. User Trust

   • Demonstrates respect for privacy
   • Creates transparent, honest user experiences
   • Builds long-term relationship with users

3. Business Efficiency

   • Simplifies compliance management
   • Reduces need for region-specific implementations
   • Creates consistent user experience across markets

4. Sustainable Growth

   • Focuses on quality referrals over quantity
   • Reduces spam complaints and negative brand perception
   • Aligns business incentives with user experience

Up Next

Next, we’ll dive into how to structure the technical architecture for privacy-forward referral programs.

Read Referral Feature Architecture to learn about implementing these principles in your technical stack.

Or revisit why incentives trigger stricter rules:
Incentivized Referrals