
GDPR and Refer-a-Friend Programs ( Customer Referral)


The General Data Protection Regulation (GDPR) comes into effect on May 25, 2018 and will affect all companies with customers in the European Union, regardless of whether you or your company are based in the European Union. GDPR will create a more consistent regulatory environment for marketers to operate in and is intended, in turn, to streamline privacy considerations for affected companies.

Note: This is not intended to be legal advice. Please have your counsel review this article and the applicable regulations.

How does GDPR affect Customer Referral Programs?

We won’t go into an overview of GDPR here, as many sites already do this, including the GDPR home page. Instead, this article reviews specifically how GDPR may affect referral programs, focusing on User Consent and the Right to be Forgotten.

In this article we will speak directly to how the SaaSquatch platform works and how it addresses the issue of GDPR compliance.

Extended User Consent

The regulatory change that is possibly getting the most attention with the introduction of GDPR is the increased requirement for extended user consent.

The GDPR definition of consent states that consent must be freely given, specific, informed and unambiguous, and must involve an opt-in rather than a traditional opt-out. This consent must be easily understood and it must be possible to withdraw it.


Consent is simple enough with respect to the referror. As a best practice under GDPR you will need to seek clear consent to market to all of your users, new and existing. Additionally, you will need to make it easy to revoke consent.

If a user revokes marketing consent through your system, you simply make an API call to the SaaSquatch platform. This call deletes all stored data for that user, stops all future messaging from SaaSquatch to the user, and stops the SaaSquatch platform from collecting additional information about the user in the future.

Referred Friend

Obtaining consent from a referred friend is the source of most concern around consent. This is because a typical, non-compliant refer-a-friend program collects the referred friend’s email address from a referror and then emails the referred friend with clear marketing material. Only after this email has been sent would the referred friend be able to provide consent, which is not permitted under GDPR.

In addition to sending an initial marketing email to referred users without consent, these non-compliant referral programs store personal private information about the referred friend and often continue to market to them through follow-up emails without consent. Non-compliant systems also often ask users to authorize their social media accounts. From this authorization the platform captures the referror’s friend list, which includes personal private information of users who have not consented.

The SaaSquatch Solution

At SaaSquatch we have always taken the privacy of referred friends seriously. For this reason we do not collect any identifiable information about referred friends or create any form of profile for them.

The SaaSquatch platform:

  • Never records a referred friend’s personal and private information including, but not limited to, IP address, Name, Email Address, Social Media Handle or Usage Habits.
  • Never sends any message to a referred friend including, but not limited to, marketing emails, reminder emails, social media messages, or notifications.
  • Never records any data about a referred friend until they have become your user and provided clear consent to participate in the referral program.
  • Never uses cookies or beacons to build profiles of referred friends or to track their behaviour in any way.

With the SaaSquatch platform, when a referror shares their referral information they always send the message directly themselves.

When a referror sends an email to their friends we use the “mailto:” functionality, which opens the referror’s personal email tool. We do not pre-collect the referred friend’s email address; instead, the referror enters it manually or retrieves it from their own contact book. Additionally, these emails are simple text-only messages, making them friend-to-friend communication rather than corporate marketing communication. The referred friend’s email address is never recorded by SaaSquatch.

When a referror makes a referral via social media, the SaaSquatch platform does not allow them to authorize their social media account. This means that SaaSquatch never sends, and never can send, social media messages on the referror’s behalf to any of their connections. When a referror does make a referral on social media they are posting their own message, subject to the social network’s own enforcement of GDPR. The referred friend’s social media handle is never recorded by SaaSquatch.

The policies above mean that SaaSquatch never directly tracks, messages or markets to a referred friend, and thus consent is not required at this stage of the referral journey. Some have suggested that the referror provide a privacy notice to the referred friend; however, given the lack of information collected by the SaaSquatch platform, we feel this is not required.

The Right to be forgotten

One of the other key concepts enforced through GDPR is the right to be forgotten. This means that all identified users have the right to have all of their history and data erased. It is important to review this from the perspective of both the referror and the referred friend.


In the SaaSquatch platform the right to be forgotten is addressed for the referror through an API call.

When a referror indicates they would like their data removed, you make a single request to the SaaSquatch platform and the user’s data will be deleted within the 30-day window required by GDPR. Following this request the SaaSquatch platform will not collect additional information about the user, even if it is accidentally passed to SaaSquatch.

Referred Friend

As we do not receive consent to track referred friends, we do not collect any personally identifiable information about them, including, but not limited to, IP address, email address, usage behaviour or name.

The only data SaaSquatch associates with a referred friend is the referral code of the referror. This referral code can be made random to ensure that it also contains no identifiable information about the referror.

Extra Caution

While we believe that the SaaSquatch platform operates within the requirements of GDPR, you may choose to exercise extra caution.

If you would like to be extra cautious with respect to GDPR and your customer referral program, here are some options the SaaSquatch platform can support.

  • Disable Email – In the SaaSquatch platform you can disable email sharing. The referror will still be provided with a referral link and code which they can share as they see fit, but you will not be facilitating a referral email.
  • Disable Social Sharing – In the SaaSquatch platform you can disable social sharing. The referror will still be provided with a referral link and code which they can share as they see fit, but you will not be facilitating a social message.
  • Disable Referral Links – If you want to go a step further you can remove links altogether and only provide users with referral codes. These codes can be entered at signup or checkout. The codes allow your referral program to function as normal while ensuring that no corporate-sponsored digital marketing occurs.
  • Referred Friend Landing Page Widget – You can turn on the SaaSquatch referred friend widgets. These widgets let the referred friend know the details of the referral program. This matters more if the referror is receiving a reward for making the referral, as the widget ensures the referred friend is made aware of this fact.

If you have further questions regarding your SaaSquatch program and GDPR please contact our customer support team at