
What about “refer-a-friend” or referral programs?

Referral programs create a consent gap. The person making the referral has given you an email address, but the referred individual hasn't consented to receive marketing. This creates compliance risk, especially under GDPR and CASL.

The safest approach: send a single, clearly identified referral message that explains who referred them and gives them the opportunity to opt in. Don't add them to your marketing list automatically. The referral email should focus on the invitation, not promotional content, and must include a way to decline further contact.

Under CAN-SPAM, a single referral message may be permissible if it meets all other requirements (physical address, unsubscribe mechanism, accurate headers). But stricter jurisdictions like the EU and Canada require consent before any commercial messaging.

Your customer's enthusiasm doesn't transfer consent. The referred person is a stranger until they say yes themselves.
