This article explains how Advocate referral programs can maintain General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)/ California Privacy Rights Act (CPRA) compliance.
Note: This article is for general information only and is not legal advice. Your legal and privacy teams are responsible for determining how applicable laws apply to your business and how you configure Advocate.
impact.com is designed to support referral programs in line with major privacy regulations, including GDPR and CCPA/CPRA. The platform:
Applies technical and organizational measures to help protect personal data.
Provides capabilities to help you respond to data subject/consumer rights requests (for example, access and deletion).
Allows you to configure data and program behavior to align with your privacy and data‑retention policies.
However, compliance is shared:
impact.com is responsible for the platform and its controls.
You (the brand) are responsible for:
Deciding what data to collect and for what purposes.
Providing required privacy notices and disclosures.
Collecting and recording any required consent.
Configuring Advocate, your CRM, and your marketing tools in accordance with applicable laws.
Advocate referral programs are designed around transactional communications, such as:
Referral invitations from an existing customer to a friend.
When using the social sharing email option to send the Advocate's share link to a friend, selecting the Share via email button launches the Advocate's own email client and the sender is the Advocate, not the brand.
Notifications about referral status and rewards.
Essential system messages to operate the referral program.
These messages are directly connected to the referral transaction and are not intended to subscribe people to ongoing marketing or newsletters.
On that basis, our general position is that:
Advocate referral emails are transactional program emails
Opt‑in consent and unsubscribe links are not required for these specific transactional messages under many regulatory frameworks.
Due to this, by default:
Advocate friend widgets do not include a marketing opt‑in feature.
Referred friends are not treated as opted‑in to your general marketing programs.
Advocate transactional emails do not include an unsubscribe option.
This position assumes that:
You do not treat participation in the referral program as marketing consent
You do not automatically add these recipients to broader marketing send lists solely because they participated in the referral program.
Your legal team should confirm this classification for the jurisdictions in which you operate.
Some teams argue that an opt‑in checkbox is mandatory for GDPR compliance. In practice, there is a distinction between transactional and marketing communications.
For transactional referral emails only (for example, invitations, reward or status messages):
These emails are seen as necessary to operate the referral program.
These messages are not used to enroll people into ongoing marketing.
On that basis, a marketing opt‑in for these specific transactional emails is often not required.
For marketing activities (for example, newsletters, general promotions, or campaigns that go beyond the referral event):
Opt‑in is typically required under GDPR and e‑privacy rules.
This consent and subsequent unsubscribe handling are managed in your own CRM, marketing automation, or consent management tools, not in Advocate.
Advocate’s default approach is intended to be compatible with GDPR when:
Emails are used solely to operate the referral program
You do not infer marketing consent from referral participation.
If your internal policies or regulator guidance are stricter (for example, opt‑in required before any email is sent), your legal team should define how you use Advocate and any additional consent steps you need.
Yes. Advocate is used by multiple brands operating in the UK and across Europe. Common patterns among these brands include:
Treating Advocate referral emails as transactional and separate from general marketing.
Managing marketing consent and preferences centrally in CRM, marketing automation, or consent management platforms.
Only adding referred friends to marketing send lists when:
Explicit marketing consent has been collected
Another lawful basis has been confirmed by your legal team.
Exact configurations and legal positions vary by brand, sector, and market. Your legal and privacy teams are responsible for defining your own approach.
Advocate referral emails are designed as transactional program messages. They are not intended to be used as ongoing marketing or promotional campaigns. For that reason, they do not include an unsubscribe option by default.
If you plan to import referral participants into your CRM, and send them marketing or promotional campaigns, then you must:
Obtain and record valid marketing consent where required (for example, via an opt‑in checkbox).
Manage unsubscribe and opt‑out preferences in your CRM, ESP, or consent management platform.
Include unsubscribe links in your marketing emails in accordance with applicable laws (for example, GDPR/e‑privacy, CCPA/CPRA, CAN‑SPAM).
This consent and unsubscribe handling is managed in your systems outside of Advocate.