What about “refer-a-friend” or referral programs?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Your referral program is working. Subscribers are sharing a link, friends are clicking it, and you're collecting new email addresses. The problem: those friends didn't sign up to hear from you. They clicked a link because someone they know shared it, which isn't the same as consenting to your marketing emails. Under GDPR and CASL, that distinction isn't just semantic. It's the difference between a valid list and a liability.

Most referral programs run into this by design. The referring subscriber says "sign up and we both get a discount," the new person enters their email to claim the reward, and the company assumes that transaction counts as consent to future marketing. It doesn't, at least not in jurisdictions with meaningful consent requirements. Under GDPR, consent must be freely given, specific, informed, and unambiguous. Entering an email to claim a referral reward doesn't meet that bar unless there's a separate, explicit checkbox for marketing emails that isn't pre-checked.

The fix is to build the consent layer into the referral flow itself. When a referred friend lands on your page, include an unchecked checkbox with language like: "I'd also like to receive [Brand]'s newsletter and promotional emails." People who tick that box are on your list properly. People who don't can still get transactional emails tied to the referral (confirmation, reward delivery) but shouldn't receive your marketing campaigns. Yes, this will reduce the number of referral signups that convert to marketing subscribers. But those extra subscribers were a consent risk rather than an asset.

Under CAN-SPAM (which applies in the US), the requirements are looser, but skipping the explicit checkbox still has a cost. Referral subscribers acquired without clear consent tend to disengage faster and report spam at higher rates, which hurts your sender reputation even if they're technically legal to email. The deliverability cost usually outweighs the short-term list growth.

If you're already running a referral program without explicit consent and you're in a GDPR or CASL jurisdiction, the practical next step is a re-permission campaign for the referral segment. Send one email explaining who you are, how you got their address, and asking them to confirm they want to stay. Anyone who doesn't confirm gets removed. It's a painful short-term list shrink, but it leaves you with a segment that actually wants to hear from you and won't damage your re-engagement metrics going forward.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Help me fix consent in my referral program

I just read about consent requirements for referral programs on the Email Almanac. Help me apply this to my situation. I need to: 1. Audit my current referral flow for consent gaps 2. Add the right checkbox language to my registration form 3. Decide whether my existing referral segment needs re-permissioning 4. Set up tagging so referral contacts and opted-in contacts are in separate segments My details (fill in what applies): - Email platform: ... - Current referral mechanism: link share, in-email button, etc. - Jurisdiction of most subscribers: US, EU, Canada, mixed - Whether existing referral contacts have explicit marketing consent: yes/no/unsure

Edit the yellow boxes, then send to the AI of your choice.