Your App, Their Data
Clarifying When You Become the Data Controller for Third-Party Contacts
When users upload or input their contacts into your platform, it might feel like their data, their responsibility. After all, they chose to share this information, and these are their personal relationships.
But under global privacy laws like GDPR, CCPA, and LGPD, you’re often legally responsible for that data, too. This creates a complex web of obligations that many platforms overlook until they face regulatory scrutiny.
If your platform processes a friend’s email address—even if a user uploaded it—you may become the data controller for that contact. This legal designation carries significant responsibilities and potential liabilities.
This article clarifies when your platform inherits legal responsibility for third-party contact data and how to manage it safely to ensure compliance while still enabling valuable social features.
Core Foundation
This article continues from:
How to Handle Contacts Without Breaking Privacy Laws
Supporting reads:
- Lawful Groundwork – How to choose a lawful basis
- Privacy UX – How to surface consent and control
- Friends Aren’t Leads – Why contacts aren’t free marketing targets
What It Means to Be a Data Controller
Under GDPR (and similar laws), you are a data controller if:
- You determine the purposes of the data processing (e.g., why contact data is collected)
- You determine the means of the data processing (e.g., how data is matched, messaged, or stored)
This is a functional test based on your actual role in data processing, not on contractual designations or user perceptions. Even if your terms of service attempt to disclaim responsibility, regulators will look at the reality of how data flows through your platform.
If you:
- Design the UX for contact import
- Store unmatched or matched contacts
- Decide when and how invites are sent
- Determine how long contact data is retained
- Set the rules for how contacts are processed
You’re acting as a data controller, with all the legal responsibilities that entails.
Even if the user “uploads” the data voluntarily, you are not just a passive conduit. Your platform’s design choices, data handling practices, and processing activities all contribute to your status as a controller.
For more information on how different privacy laws approach controller responsibilities, see: What Other Privacy Laws Say About Contact Sharing
Responsibilities of a Data Controller
Being a data controller for third-party contact information brings specific legal obligations that you must fulfill:
Responsibility | What You Must Do | Practical Implementation |
---|---|---|
Lawful basis | Choose a valid basis (usually consent) for processing contact data | Implement proper consent flows before contact import; document your legal basis |
Transparency | Tell users and contacts what’s happening with their data | Provide clear privacy notices at the point of collection; explain processing in invitation messages |
Minimization | Only collect necessary contact data | Limit fields to what’s needed (e.g., email only, not phone numbers or addresses) |
Purpose limitation | Use contact data only for specified purpose | Don’t repurpose contact data for marketing or other secondary uses |
Retention limits | Delete or anonymize data when no longer needed | Implement automated deletion for unmatched contacts and time-limited storage for invitations |
Data subject rights | Enable access, deletion, and opt-out options | Create mechanisms for non-users to exercise their rights over their data |
Security | Protect contact data from unauthorized access | Implement appropriate technical and organizational measures |
Failure to meet these duties can trigger significant consequences:
- GDPR fines (up to €20M or 4% global turnover)
- CCPA/CPRA enforcement actions and civil penalties
- CASL penalties (up to $10M in Canada)
- Brand damage and user churn
- Class action lawsuits and litigation costs
- Operational disruption from regulatory investigations
These responsibilities apply even if you’re processing data that users voluntarily provided, and even if the contacts themselves never directly interact with your platform.
Real-World Example: WhatsApp Transparency Backlash
WhatsApp faced a wave of user backlash—and regulatory scrutiny—when it updated its privacy policy to clarify that it was processing certain user metadata for Facebook business purposes. (Source)
The situation demonstrated how seriously users and regulators take data controller responsibilities:
- User Response: Millions of users migrated to alternative messaging platforms like Signal and Telegram in response to the policy change.
- Regulatory Scrutiny: Data protection authorities in multiple countries opened investigations into whether WhatsApp was properly obtaining consent and providing transparency.
- Business Impact: WhatsApp had to delay the implementation of its policy changes and launch an extensive communication campaign to address concerns.
Even though users “agreed” by using the service, regulators argued that:
- The disclosures were too vague and difficult to understand
- Consent was not properly obtained for all new uses of data
- Users weren’t given meaningful choices about how their data would be used
The lesson is clear: Transparency and clear purpose limitation are critical when you act as a data controller. Users care deeply about how their contacts’ information is handled, and regulators are increasingly willing to enforce these obligations.
How to Handle Responsibility Correctly
Here are specific steps to properly manage your responsibilities as a data controller for third-party contact data:
1. Be Transparent About Your Role
Make it clear in your privacy policy and product flows:
- What data you process (e.g., contacts’ emails, names, phone numbers)
- Why you process it (e.g., finding friends, sending invites, enabling sharing)
- How you safeguard it (e.g., encryption, access controls, retention limits)
- How users and non-users can exercise rights (e.g., access, deletion, objection)
Your disclosures should be specific and comprehensive, not buried in legal jargon or hidden deep in your terms of service.
Example disclosure:
“When you invite friends to [Platform], we process their email addresses to deliver your invitation and track responses. We store this information for up to 30 days if they don’t respond, or until they opt out if they decline. We do not use their data for any other purpose, such as marketing or profiling. Both you and your invited contacts can request deletion of this information at any time through our Privacy Center.”
This level of specificity builds trust while also satisfying regulatory requirements for transparency.
2. Get Explicit User Consent
Before processing any contact data, you need a valid legal basis. For most contact-powered features, explicit consent is the most appropriate choice.
Implement clear consent mechanisms before:
- Importing contacts
- Matching contacts against your user database
- Sending invites or messages to contacts
Present users with clear, specific consent prompts—not hidden inside Terms of Service or presented as a condition of using your service.
Your consent flows should:
- Explain exactly what will happen with the contact data
- Allow users to select specific contacts rather than importing all
- Be separate from other consent requests (e.g., marketing communications)
- Be as easy to withdraw as it was to give
For detailed guidance on implementing proper consent mechanisms, see: The Consent Playbook
3. Offer Non-User Rights
As a data controller, you have obligations not just to your users, but to anyone whose data you process—including contacts who have never signed up for your service.
If an invited contact or matched user reaches out and says:
- “Delete my data”
- “Don’t let people find me”
- “Show me what you have on me”
- “Stop processing my information”
You must have systems in place to respond appropriately and within the timeframes required by applicable laws (typically 30-45 days).
Provide:
- A simple, public-facing privacy contact form that doesn’t require account creation
- A process for searching, suppressing, and deleting contact data across your systems
- Clear documentation of how you handle these requests
- Training for customer support staff on handling privacy requests
This approach acknowledges that your responsibilities as a data controller extend to individuals who may never become users of your platform.
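As an added example that is not part of the original article, the following Python sketch shows how the three steps above translate into data handling: an import is refused without the inviter's explicit consent, each contact is tagged with the single disclosed purpose and a 30-day expiry (the retention stated in the example disclosure), and a keyed-hash suppression list lets a non-user who asks to be forgotten stay hidden from any later upload. The pepper value, store layout and function names are assumptions of this example.

```python
import hashlib
import hmac
RETENTION_SECONDS = 30 * 86400  # the "up to 30 days" promised in the example disclosure
PURPOSE = "invite"              # the only purpose disclosed at collection
# Hypothetical per-deployment secret for keyed hashing (constructed placeholder; load from a KMS in practice)
PEPPER = b"example-pepper-not-a-real-secret"

def contact_key(email: str) -> str:
    """Keyed hash of the normalized address so matching and suppression never need the raw email."""
    return hmac.new(PEPPER, email.strip().lower().encode(), hashlib.sha256).hexdigest()

class ContactStore:
    def __init__(self):
        self.records = {}        # key -> {"email", "inviter", "purpose", "expires_at"}
        self.suppressed = set()  # keys of non-users who asked not to be found

    def import_contacts(self, inviter, emails, consent_given, now):
        """Step 2: no import without the inviter's explicit, feature-specific consent."""
        if not consent_given:
            raise PermissionError("contact import requires explicit consent")
        stored = []
        for email in emails:
            key = contact_key(email)
            if key in self.suppressed:
                continue  # "Don't let people find me": hold nothing for this person
            self.records[key] = {"email": email.strip().lower(), "inviter": inviter,
                                 "purpose": PURPOSE, "expires_at": now + RETENTION_SECONDS}
            stored.append(key)
        return stored

    def use_for(self, key, purpose):  # purpose limitation: refuse uses the disclosure did not cover
        rec = self.records.get(key)
        if rec is None or rec["purpose"] != purpose:
            raise PermissionError(f"no contact data held for purpose {purpose!r}")
        return rec

    def access_request(self, email):  # "Show me what you have on me", answerable without an account
        rec = self.records.get(contact_key(email))
        return None if rec is None else {k: rec[k] for k in ("inviter", "purpose", "expires_at")}

    def erase_and_suppress(self, email):  # "Delete my data": erase now, block future re-import
        key = contact_key(email)
        self.records.pop(key, None)
        self.suppressed.add(key)

    def purge_expired(self, now):
        """Retention limit: drop pending invites once their 30 days are up; returns the count removed."""
        expired = [k for k, r in self.records.items() if r["expires_at"] <= now]
        for key in expired:
            del self.records[key]
        return len(expired)
```

Run `purge_expired` from a scheduled job; because suppression is keyed by hash, the raw address of a person who opted out is never kept.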
How Laws View Third-Party Contact Responsibility
Different privacy laws approach controller responsibilities in slightly different ways, but all create obligations for platforms that process third-party contact data:
Law | Controller Obligations | Key Requirements |
---|---|---|
GDPR (EU/UK) | Transparency, lawful basis, data rights enforcement | Must have a valid legal basis (usually consent); must enable data subject rights for non-users; must provide clear information about processing |
CCPA/CPRA (California) | Disclosure of data collection, right to opt out, deletion rights | Must disclose third-party data collection in privacy policy; must honor deletion requests; must provide opt-out mechanisms |
CASL (Canada) | Consent + strict rules for sending commercial invites | Requires express or implied consent for commercial electronic messages; mandates clear identification and unsubscribe mechanisms |
LGPD (Brazil) | Rights to access, correction, anonymization, deletion | Similar to GDPR, requires lawful basis and respect for data subject rights; emphasizes purpose limitation |
These laws may have different scopes and specific requirements, but they share a common principle: if you’re processing personal data, you have responsibilities to the individuals that data identifies, whether they’re your direct users or not.
Common Pitfalls to Avoid
When handling third-party contact data, be careful to avoid these common compliance pitfalls:
Mistake | Risk | Better Approach |
---|---|---|
Hiding contact data processing in Terms of Service | Invalid consent; regulatory penalties; user distrust | Use clear, specific consent flows at the point of collection |
Retaining unmatched contact data indefinitely | Violates minimization and retention rules; increases breach impact | Implement automatic deletion for unmatched contacts after a short period |
No opt-out for non-users | Breaches GDPR and CPRA obligations; generates complaints | Create accessible mechanisms for non-users to opt out and exercise rights |
Reusing contact data for marketing without consent | Marketing violation under PECR, CASL, CAN-SPAM; regulatory action | Use contact data only for the specific purpose disclosed at collection |
Treating all contacts as “leads” | Purpose limitation violations; damages user trust | Maintain strict separation between connection features and marketing activities |
No documentation of legal basis | Inability to demonstrate compliance if challenged | Document your legal basis assessment and implementation for all contact processing |
These pitfalls represent not just legal risks but also missed opportunities to build trust with both your users and their contacts.
Summary: Your Users Bring the Contacts, But You Inherit the Risk
When designing contact-powered features, it’s essential to adopt the right mindset about your responsibilities:
Mindset | Best Practice | Why It Matters |
---|---|---|
“We just process what users upload” | Still need lawful basis + transparency | You can’t outsource your controller responsibilities to users |
“They gave us access” | Still need to respect non-user rights | Data subjects have rights regardless of how you obtained their data |
“It’s just internal matching” | Still counts as personal data processing | Even temporary or internal processing triggers controller obligations |
“We’re just facilitating user connections” | Still responsible for system design and data flows | Your design choices determine the privacy impact |
Build every contact-based feature assuming you’ll have to answer for what happens to that data. This approach not only ensures compliance but also leads to more thoughtful, user-respecting product design.
By embracing your role as a data controller and implementing appropriate safeguards, you can create contact-powered features that enable meaningful connections while respecting privacy rights and building trust.
Up Next
Now that we’ve covered your platform’s responsibilities, we’ll dive into how global laws differ when it comes to contact-based sharing and invites.
Read Other Privacy Laws
Or revisit consent patterns and platform duties:
The Consent Playbook