How to Become GDPR Compliant in Referral Programs (A Personal Take)

Discover how to create GDPR-compliant referral programs.


Over the recent weeks, many of our customers have been raising concerns about the new EU privacy regulation – GDPR.

Some wonder whether it’ll allow them to run any referral programs at all. Others worry about the number of changes they’ll have to make to become compliant. And most admit to feeling anxious about how the new regulation might hinder or even sabotage their growth.

Instead of addressing their concerns in private conversations, I decided to share my thoughts on GDPR here. In particular, how I believe it will affect lead generation and referral programs.

Most of all, I want to show you that GDPR isn’t something to be afraid of. Personally, I see it as a change that, most likely, will improve growth strategies for the better.

And that’s because of one factor it brings forth – greater trust.

Now, there’s a lot to it, and I’ll cover all my ideas in the post. But let me give you the main reason right now why I think GDPR will help boost your growth:

As GDPR puts customers in control over how brands communicate with them, it also makes them more open to engaging with companies once again.

Being able to dictate what communications they receive, and when, will most likely alleviate the growing anxiety we’ve all felt when surrendering our email address to a brand. But of course, for this to happen, brands will have to adapt their referral and lead generation programs to comply with the new regulation.

As said, there’s a lot to cover. So, let’s begin…


Not long ago, The Economist called data the world’s most valuable resource and the oil of the digital era. They also wrote:

“Internet companies’ control of data gives them enormous power. Old ways of thinking about competition, devised in the era of oil, look outdated in what has come to be called the ‘data economy.'”

Of course, the problem isn’t only internet companies controlling the data. It’s also the ordinary person’s concern about the security of their personal information.

Data breaches, personal data leaks, spam and a lot more have made customers more sensitive about how their information is being used and by whom.

Hence the GDPR, the European Union’s response to those issues.  

Now, I won’t go into much of the regulation’s detail here. It’s already been covered extensively almost everywhere by now.

(Note: If you’re unsure about it though, I recommend these two articles for overview – Reforge’s “GDPR: What Growth People Need to Know” and “What the GDPR Means to Social Media Marketers” by Buffer.)

But I want to make it clear that I’m a huge GDPR fan. I see it as a major step in the right direction toward responsible handling of personal information we all share with companies.

I believe that GDPR will force businesses to be good internet citizens. To respect the privacy of everyone who engages with them, and everyone they reach out to.

At CloudSponge we’ve always lived by the golden rule of respecting people’s online privacy. So, adapting to GDPR compliance has been easy for us. But I’m now glad to have our customers and data processors held to the same standard.

Unfortunately, GDPR is complex. When talking about it in relation to referral programs, we must address two of its areas:

  • Procedures for gathering and storing the data.
  • Policies and processes for handling personal information.

Disclaimer: Before I go on, it’s worth mentioning that what follows are my own ideas and interpretations of the new European regulation. It is by no means legal advice on which you could base your GDPR compliance.


#1. Gathering and Storing 3rd Party Data

The main premise of any referral program is achieving growth through advocates.

Such programs rely on satisfied users recommending a product to others, either via email or other referral channels.

But under GDPR, doing so poses certain challenges:

It is impossible to obtain the referred person’s explicit consent before their data is first used. After all, it’s someone else, not the data subject (the person the address belongs to), who types in their email address to send the recommendation.

It’s similarly challenging to get re-consent, the practice of asking a person to confirm that a company may keep retaining their data. One might argue that the signup could serve that purpose (i.e., the re-consent could be built into the referred user’s signup or onboarding process).

Under GDPR, individuals have the right to access, correct and erase their data as needed. This suggests that any company running a referral program has to give referred people a way to be in charge of their information.

For referred customers who become users, access to their account settings would, most likely, suffice. The challenge is those who haven’t converted into customers, at least not yet. In other circumstances, a company could retain their details as a “ghost profile,” for example, to reconcile once they sign up. Under GDPR, unfortunately, that’s not the case. Later in the post, I’ll share some ideas on how to solve that.

#2. Policies for Handling Personal Information

Similarly, companies running viral programs of any kind will have to amend their policies for acquiring, storing, and processing personal data.

But confusing or scary as it might be, I believe GDPR is for the better.

Let me tell you why, briefly:

GDPR Forces Companies to Be More Responsible in Handling Personal Data

Every business has a responsibility towards its customers and vendors. No one engaging with it should ever fear that the company will put too much strain on them (i.e., by spamming or never-ending follow-ups).

Customers, leads and vendors should expect honesty across all areas of the business.

And naturally, they shouldn’t fear the consequences of sharing personal data with them.

But that’s not always the case.

Under GDPR, a person would be able to specify exactly how they want the company to engage with them, and whether it should retain their details at all.

Eventually, the expectation for this will force companies to act so that customers feel confident about engaging with them again.

Which brings us to another benefit of GDPR:

GDPR Puts Customers in Control

Giving customers extended control over their data allows them to:

  • Choose how they want to engage with a brand, what messages they want to receive, etc.
  • Decide when that relationship ceases.

Just this simple thing, as I stated above, should reduce the anxiety over communicating with brands.

When a person can a.) choose what information they’re going to receive from a brand, and b.) stop anytime, they’ll be more likely to engage.

This, for me, is the greatest benefit of GDPR. It reduces the risk of engaging with brands and in turn, renews customers’ trust in brand communications.

I’ll risk saying that GDPR will make customers desire brand engagement. In fact, it might even change the buying cycle again, making buyers want to speak to brands earlier, rather than close to the end of the process.

Here’s what it means for your referral programs:

  • Fewer customers will respond negatively to referral emails.
  • This, in turn, will make them more willing to act on a referral and check out your product.
  • They might also be more willing to sign up for a demo, since they know they can control the communications with you, and how their data is being used.

Overall, such renewed trust could mean a higher success rate for referral programs.

Finally, GDPR Forces Companies to Become Mindful of Their Customers

It’s easy to take customers for granted. Sure, they’re important but often, also, nothing more than a point on a chart. That’s particularly true when they have little say about how you manage their connection.

When they have a say, the relationship changes completely.

For one, their needs and expectations become important. And it’s the company that must mind those.

But GDPR brings a major challenge too – managing lead generation, and referral and viral programs without the ability to gain consent.

Here are my thoughts on the issue.

GDPR and Lead Generation, Referrals and Viral Programs

CloudSponge customers process email data to generate more leads, send referrals, invitations and allow users to import their address books.

In short, they use a third-party source of email addresses (a user or customer, but not the person the addresses belong to) to achieve their objectives.

But given what we’ve just discussed about GDPR, as Reforge asked, are the days of growth at any cost coming to an end?

My opinion: No, I don’t think so. (And just to be clear, the Reforge author concurs.)

Although it will force changes and new practices on the growth industry, GDPR will cause it no harm in the long term.

Top challenges we face initially are:

  1. Processing someone’s email without the ability to gain consent
  2. Storing referred or invited users’ data before they act on a referral message
  3. Acquiring permission once the referred person processed the request
  4. Auditing existing users for consent
  5. Improving all touch points to communicate relevant policies.

#1. Processing personal data without consent

Under GDPR, consent is a freely given, specific, informed and unambiguous indication of the person’s wishes, given by a statement or a clear affirmative action, agreeing to have their personal data processed in the way the company specified when asking for it.

Also, the consent must be documented (i.e., you must be able to demonstrate that it was given, when, and for what), and a person must be able to withdraw it as easily as they gave it.

A simple way to gain such consent is a clearly labelled checkbox on a form, unticked by default (a pre-ticked box does not count as consent). For example:

Can you see a problem?

Such a solution won’t work in a word-of-mouth growth strategy. Referral programs, for example, rely on implied consent. After all, it’s someone else who uses a person’s email address, not the person it belongs to.

A current customer, the referrer, is sending an email via a third party. To me, it’s no different than if someone told me their email address and I typed it into the recipient field in Gmail.

Article 6(1)(f) of the GDPR might apply to this situation as well. Take a look:

“Processing shall be lawful only if and to the extent that at least one of the following applies […] processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

In short, under this provision you may collect and process a person’s data when it is necessary for a legitimate interest of yours and that interest is not overridden by the person’s own rights and freedoms. Legitimate interest is a balancing test, not a blank cheque.

For that, I’d see a strong need to clearly define what your legitimate interest is (for a referral program: delivering a recommendation that one person asked you to pass on to another), to show that the processing is necessary for it, and to document how your organization will use the person’s data for this purpose and nothing more. Two things still apply when you rely on it: the referred person must be told where you got their address and how to object, which the referral email itself can do, and they keep their right to object.

Also, legitimate interest should be assessed and documented case by case. For lead generation, this could mean a separate assessment for each growth strategy you consider employing.

#2. Storing referred or invited user’s data before they act on a referral message

Legitimate interest allows companies to send referral messages. However, once that happens, another issue arises: what to do with the person’s data afterwards?

Normally, their name and email would remain in the database, to match with their activity post-referral (i.e., visits to the site, the signup, etc.) With this data, companies can run stats on their referral programs, and also reward users for attracting new customers.

Under GDPR, however, the above cannot happen without clear and explicit consent. And this makes it a catch-22:

  • On the one hand, you should retain their data, if only to know whom to reward for a referral.
  • On the other, you can only do this if the referred person gives you the right to (which they can’t without acting on the referral first).

We’ve discussed various solutions to this recently. One idea that stands out is to store only a one-way hash of the person’s email address (a form of pseudonymisation) rather than the address itself. When the referred person eventually signs up, you compute the hash of the address they signed up with, look it up among the stored hashes, and reward the correct referrer. Two caveats matter here. First, a plain, unsalted hash of an email address is easy to reverse: addresses are low-entropy, so anyone holding the table can hash candidate addresses and match them, which is why the hash should be keyed with a secret (an HMAC) kept apart from the data. Second, GDPR treats pseudonymised data as personal data, since the key lets you re-identify people, so the stored hashes still need a lawful basis and a retention limit; the real gain is that a leaked table without the key reveals nothing.
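Below is an added example of that approach in Python. It is not CloudSponge code and not part of the original post; the key, the addresses and the referrer IDs are constructed for illustration. It shows a plain SHA-256 hash of an address being recovered by a dictionary attack, the keyed (HMAC-SHA256) pseudonym that resists it, and a small pending-referral ledger that reconciles a signup and deletes the pending record once the referrer is known.

```python
import hashlib
import hmac
import unicodedata
from typing import Dict, List, Optional

# Constructed demo key. In production load it from a secrets manager or KMS,
# never from source, and keep it away from the database that holds the hashes.
PSEUDONYM_KEY = b"demo-only-key-replace-me-0123456789abcdef"


def normalize_email(addr: str) -> str:
    """Canonicalise an address so the same mailbox always yields the same pseudonym.

    Trim, apply Unicode NFKC, lowercase. Lowercasing the local part is an
    assumption (RFC 5321 allows case-sensitive local parts, but real providers
    do not distinguish them). Provider-specific rules such as ignoring dots are
    deliberately not applied; apply the same function on both sides instead.
    """
    addr = unicodedata.normalize("NFKC", addr.strip()).lower()
    local, at, domain = addr.rpartition("@")
    if not at or not local or not domain:
        raise ValueError(f"not an email address: {addr!r}")
    return f"{local}@{domain}"


def unkeyed_hash(addr: str) -> str:
    """The weak variant: plain SHA-256 of the normalised address."""
    return hashlib.sha256(normalize_email(addr).encode("utf-8")).hexdigest()


def recover_from_unkeyed_hash(digest: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack: hash each candidate address and compare with the stored digest."""
    for cand in candidates:
        if hmac.compare_digest(unkeyed_hash(cand), digest):
            return cand
    return None


def pseudonymize(addr: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed one-way pseudonym (HMAC-SHA256). Without the key, the dictionary
    attack above cannot be run against the stored table."""
    return hmac.new(key, normalize_email(addr).encode("utf-8"), hashlib.sha256).hexdigest()


class ReferralLedger:
    """Pending referrals keyed by pseudonym only; no non-user's address is stored."""

    def __init__(self, key: bytes = PSEUDONYM_KEY) -> None:
        self._key = key
        self._pending: Dict[str, str] = {}  # pseudonym -> referrer id

    def record_referral(self, referrer_id: str, referred_email: str) -> str:
        token = pseudonymize(referred_email, self._key)
        # First referrer wins; a later referral of the same address does not overwrite it.
        self._pending.setdefault(token, referrer_id)
        return token

    def on_signup(self, new_user_email: str) -> Optional[str]:
        """Reconcile a new account with a pending referral and delete the pending record."""
        return self._pending.pop(pseudonymize(new_user_email, self._key), None)

    def pending_count(self) -> int:
        return len(self._pending)


if __name__ == "__main__":
    ledger = ReferralLedger()
    ledger.record_referral("user-42", "  Alice.Example@Example.COM ")
    print("referrer to reward:", ledger.on_signup("alice.example@example.com"))
```

Normalisation has to be identical at referral time and at signup time, or the lookup silently misses and the referrer is never rewarded. Pending entries should also carry an expiry and be purged when it passes, since a referral that was never acted on is the clearest case of data you no longer need.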

#3. Acquiring consent once the referred person has acted on the request

The moment to ask for consent is once someone has acted on a referral, visited your site and is about to sign up.

However, it’s easy to forget this step, as often, referred users would go through the same signup process as any other customer.

In this case, however, the signup process must include a consent-optimized form. Again, the size and scope of how you seek consent might depend on your product. The fact remains that such a form must include at least the relevant checkboxes, one per purpose, and you must keep a record of what each person agreed to.
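As an added example (not from the original post and not CloudSponge code), here is how a signup handler can turn those checkboxes into consent evidence you can later demonstrate or withdraw. The purposes, the checkbox wording and the form field names are constructed for illustration; the ideas it encodes are that an unticked box is simply absent from the submission, that a bundled “I accept the terms” box is not consent for anything else, and that withdrawal is one call that closes the record rather than deleting the evidence.

```python
import uuid
from dataclasses import asdict, dataclass, field
from typing import Dict, List, Optional

# One checkbox per purpose, unticked by default, with the exact wording shown.
# Form field names, purposes and wording are constructed for this example.
PURPOSES = {
    "referral_consent": (
        "referral_rewards",
        "Link my account to the friend who referred me so they can be rewarded.",
    ),
    "marketing_consent": (
        "marketing_email",
        "Send me product news and offers by email.",
    ),
}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    statement: str        # the wording the person actually saw
    policy_version: str   # which privacy policy was in force at the time
    source: str           # where it was collected, e.g. "signup_form"
    granted_at: str       # ISO-8601 timestamp supplied by the caller
    record_id: str = field(default_factory=lambda: uuid.uuid4().hex)
    withdrawn_at: Optional[str] = None


class ConsentLog:
    """Append-only evidence of consent; withdrawal closes a record, it never deletes it."""

    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def grant_from_form(self, subject_id: str, form: Dict[str, str],
                        policy_version: str, source: str, now: str) -> List[ConsentRecord]:
        granted: List[ConsentRecord] = []
        for field_name, (purpose, statement) in PURPOSES.items():
            # An unticked HTML checkbox is absent from the submission; only an
            # explicit "on" counts. Other fields (e.g. "terms") are ignored here,
            # so accepting the terms never doubles as consent for these purposes.
            if form.get(field_name) != "on":
                continue
            rec = ConsentRecord(subject_id, purpose, statement, policy_version, source, now)
            self._records.append(rec)
            granted.append(rec)
        return granted

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return any(
            r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None
            for r in self._records
        )

    def withdraw(self, subject_id: str, purpose: str, now: str) -> int:
        """Withdrawing must be as easy as granting: one call, no questions asked."""
        closed = 0
        for r in self._records:
            if r.subject_id == subject_id and r.purpose == purpose and r.withdrawn_at is None:
                r.withdrawn_at = now
                closed += 1
        return closed

    def evidence(self, subject_id: str) -> List[dict]:
        """What you hand over on an access request, or show an auditor."""
        return [asdict(r) for r in self._records if r.subject_id == subject_id]


if __name__ == "__main__":
    log = ConsentLog()
    # Constructed submission: referral box ticked, marketing box left unticked.
    log.grant_from_form("u1", {"referral_consent": "on", "terms": "on"},
                        policy_version="2018-05", source="signup_form",
                        now="2018-05-25T09:00:00+00:00")
    print(log.has_consent("u1", "referral_rewards"), log.has_consent("u1", "marketing_email"))
```

Check `has_consent` before every use of the data for that purpose, not only at signup, so a withdrawal takes effect immediately; and keep `policy_version` and `statement` on the record, because "the user ticked a box" proves nothing unless you can show what the box said at the time.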

#4. Auditing Consent

Meeting the re-consent requirement could simply mean analyzing user behavior and reaching out to customers who have remained disengaged from the product for a specific time to request re-consent.

However, this could pose growth challenges too:

Faster churn, potentially. Many disengaged users eventually churn, though depending on the product that can happen sooner or later. Requesting re-consent could speed the process up.

User experience. At some point a company will have to reach out to engaged users too, and depending on the re-consent strategy, that might hurt their UX.

#5. Improving all touch points to communicate relevant policies

I see this point being implemented quite widely across the industry. Many platforms I know of or use have recently updated their terms and conditions to meet the GDPR requirements.

SurveyMonkey launched a dedicated GDPR page. In it, they clearly define their responsibilities under the new regulation.

Mouseflow offers a dedicated page, detailing their users’ responsibilities under GDPR:

MouseFlow’s description of how “Explicit Consent” affects their accounts.

LinkedIn introduced changes to its terms and conditions, clarifying their use of a person’s data better. Here are some excerpts from the company’s Privacy Policy:

LinkedIn’s easy-to-read Privacy Policy section on data it receives from third parties.
LinkedIn’s description of how they let their users control the way they communicate with them.

Stitch Fix added a section on Referrals to their Privacy Policy. Note the clear language explaining the entire process and how a referred person’s data would be used:

Excerpt about Referrals from Stitch Fix’s Privacy Policy.

Airbnb explains what they do with referred user’s information you input into the system:

Airbnb’s precise description of how they use your contacts’ information when you share it with them.


Fact: GDPR will change how we run referral and viral programs. But in spite of a lot of anxiety around it, I believe it’s for the better.

For one, handing over control over brand communications and their personal data to customers will make them open to engaging with brands again.

They’ll be more likely to act on referral invitations, try out new products or talk to sales much earlier in the process. All of which can bring only one outcome – greater growth.


Jay Gibb, CEO/Founder at CloudSponge
