Invite/refer a friend programs are in trouble
In May 2020, the Belgium Data Protection Authority fined a social media company 50,000 Euros for operating an "invite a friend" program (see Decision). The DPA found that to operate the "invite a friend" program, which allowed members to invite their contacts, the social media company unlawfully processed the personal data of those contacts.
The DPA found the social media company did not have consent from the non-user contacts to process their data -- which is not surprising because those individuals were not users.
The DPA also found the social media company could not rely on its legitimate interests because the company did not comply with the data minimization principle. The company was storing contact details unnecessarily and the retention period was too long.