Talkable is a referral marketing platform that enables e-commerce businesses to run refer-a-friend programs. It tracks referral links, advocate and friend identities, and purchase conversions using cookies and pixel tracking. Because Talkable collects and shares personal data of both the referring customer and the referred friend, it raises specific GDPR concerns around third-party data collection, prior consent, and US data transfers.
Talkable is a referral marketing platform designed for e-commerce businesses that want to run structured refer-a-friend programs. It enables merchants to create, manage, and optimise referral campaigns where existing customers (advocates) share personalised referral links with friends, earning rewards when those friends make a purchase. Talkable tracks the full referral funnel from share to conversion using cookies, tracking pixels, and email link parameters. The platform is used by major e-commerce brands and integrates with Shopify, Magento, and custom storefronts.
Talkable collects data on both the advocate (existing customer) and the referred friend. For advocates, it collects name, email address, purchase history, referral activity, and reward redemption data. For referred friends, it collects the email address shared by the advocate, IP address, browser information, and purchase conversion data. Referral tracking cookies and pixels are set to attribute conversions to specific advocates. The collection of a friend's email address before they have interacted with the business is a particularly sensitive GDPR issue.
Talkable raises several distinct GDPR challenges. First, the collection of a friend's email address by the advocate and its transmission to Talkable constitutes processing of a third party's personal data, requiring a transparent legal basis. The referred friend must be informed of this processing, typically through a privacy notice in the referral email. Second, referral tracking cookies are non-essential and require prior consent under the ePrivacy Directive. Third, the transfer of both advocate and friend data to US servers must be covered by appropriate safeguards.
Consent under Article 6(1)(a) GDPR is required for non-essential referral tracking cookies. For the processing of advocate data, contract performance may apply if the referral program is part of the customer relationship. For the processing of the referred friend's email, the advocate must be informed that sharing a friend's contact data is subject to GDPR, and the friend must receive a privacy notice upon first contact. Referral emails must include an unsubscribe link and a clear privacy disclosure.
Talkable is a US company and processes all referral data on US infrastructure. This constitutes a third-country transfer under GDPR Chapter V for both advocate and friend data. Standard Contractual Clauses are the applicable transfer mechanism. Organisations must document this transfer in their Records of Processing Activities, sign a Data Processing Agreement with Talkable, and disclose the US transfer in their privacy policy.
To deploy Talkable compliantly: obtain consent before loading referral tracking cookies; inform advocates that sharing a friend's email is subject to GDPR and that the friend will receive a referral email with a privacy notice; include a clear privacy notice and unsubscribe mechanism in all referral emails sent to friends; update your privacy policy to describe the referral program data flows; sign a DPA with Talkable; document the US transfer in your RoPA; and ensure friends can exercise their right to erasure by requesting removal from the referral program.
Websites using Talkable must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is advisable when Talkable is used at scale to collect and share personal data of both existing customers (advocates) and new prospects (referred friends). The collection of friend email addresses before those individuals have interacted with your business, combined with US data transfers, creates a risk profile that warrants formal assessment.
Sample consent text
We use Talkable to power our refer-a-friend program. Talkable collects your name, email address, and referral activity data to track referrals and process rewards. When you refer a friend, their contact details are also shared with Talkable. This data may be transferred to the United States. Please accept to participate in our referral program.
Third-party domains contacted
www.talkable.com
d2jjzw81hqbuqv.cloudfront.net
api.talkable.com
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| talkable_visitor | persistent | 1 year | Referral tracking identifier used to attribute website visits and purchases to specific referral links and advocates |
| talkable_ref | session | Session | Session-level referral source cookie used to track the active referral link click through to conversion |
Talkable sets referral tracking cookies to attribute website visits and purchases to specific referral links and advocates. It also uses tracking pixels in referral emails to record when emails are opened and links are clicked. These are non-essential tracking cookies that require prior consent under the ePrivacy Directive before the Talkable script loads.
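One way to verify that the consent gate actually holds is to replay a recorded page-load timeline and flag any contact with the Talkable domains or cookies listed above that happens before consent is given or after it is withdrawn. This is an added example, not Talkable's or FlowConsent's code; the event format, the URL paths, and the sample timeline are assumptions constructed for illustration.

```javascript
// Hosts and cookie names as listed on this page.
const TALKABLE_HOSTS = ["www.talkable.com", "api.talkable.com", "d2jjzw81hqbuqv.cloudfront.net"];
const TALKABLE_COOKIES = ["talkable_visitor", "talkable_ref"];

function isTalkableHost(host) {
  const h = host.toLowerCase().replace(/\.$/, ""); // normalise case and trailing dot
  return TALKABLE_HOSTS.includes(h) || h === "talkable.com" || h.endsWith(".talkable.com");
}

// events: ordered timeline of {type: "request", url}, {type: "cookie", name}
// and {type: "consent", granted} entries (hypothetical format for this example).
function findPreConsentViolations(events) {
  let consented = false;
  const violations = [];
  for (const ev of events) {
    if (ev.type === "consent") {
      consented = ev.granted === true; // a withdrawal closes the gate again
      continue;
    }
    if (consented) continue;
    if (ev.type === "request") {
      let host;
      try { host = new URL(ev.url).hostname; } catch { continue; } // skip unparsable URLs
      if (isTalkableHost(host)) violations.push(`request:${host}`);
    } else if (ev.type === "cookie" && TALKABLE_COOKIES.includes(ev.name)) {
      violations.push(`cookie:${ev.name}`);
    }
  }
  return violations;
}

// Constructed sample timeline; paths are placeholders, not real Talkable endpoints.
const SAMPLE_TIMELINE = [
  { type: "request", url: "https://shop.example/cart" },
  { type: "request", url: "https://d2jjzw81hqbuqv.cloudfront.net/placeholder.js" },
  { type: "cookie", name: "talkable_visitor" },
  { type: "request", url: "https://talkable.com.shop.example/x" }, // lookalike host, not Talkable
  { type: "consent", granted: true },
  { type: "request", url: "https://api.talkable.com/placeholder" },
  { type: "cookie", name: "talkable_ref" },
  { type: "consent", granted: false },
  { type: "request", url: "https://www.talkable.com/placeholder" },
];
```

An empty result from `findPreConsentViolations` means nothing Talkable-related fired while the gate was closed; the timeline itself can be built from a browser network export plus a cookie change log.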
Yes. Talkable sets non-essential referral tracking cookies that require prior consent under the ePrivacy Directive. Additionally, the collection of a referred friend's email address by the advocate and its transmission to Talkable requires a transparent legal basis. The friend must be informed of this processing in the referral email they receive.
Multiple bases apply. Consent (Art. 6(1)(a)) is required for tracking cookies. Contract performance (Art. 6(1)(b)) may apply for processing advocate data as part of the customer relationship and reward fulfilment. For the processing of the referred friend's email before any relationship exists, a carefully documented legitimate interest or the friend's own consent obtained via the referral email may be needed.
Yes. Talkable is a US company and processes all referral program data on US infrastructure. This is a third-country transfer under GDPR Chapter V. Standard Contractual Clauses apply as the transfer mechanism. Both advocate data and friend data are subject to this transfer, which must be documented in your Records of Processing Activities and disclosed in your privacy policy.
A DPIA is advisable when Talkable is used at scale to collect and process personal data of third parties (referred friends) who have not yet interacted with your business. The combination of collecting friend email addresses before consent, referral tracking across sessions, and US data transfers creates a risk profile that warrants assessment, particularly given the novel data subject relationship.
Block Talkable tracking cookies until consent is obtained. Inform advocates in the referral flow that sharing a friend's email is subject to GDPR. Include a clear privacy notice, data controller identity, and unsubscribe link in all referral emails. Update your privacy policy to describe the referral data flows for both advocates and friends. Sign a DPA with Talkable. Document the US transfer in your RoPA. Provide a way for referred friends to request erasure of their data.
Mention Me is a UK and EU-focused referral marketing platform with stronger GDPR compliance tooling. Buyapowa offers EU data processing options. For lighter referral functionality, building a simple refer-a-friend mechanism natively within your e-commerce platform (Shopify, WooCommerce) keeps data within your own infrastructure and avoids third-party data sharing concerns.
Add a section on your referral program in your privacy policy. Describe Talkable as the referral platform processor, explain the data collected from advocates (name, email, referral activity) and referred friends (email shared by advocate, IP, conversion data), state the applicable legal bases, disclose the US transfer with SCC safeguard, and explain how both advocates and friends can exercise their data rights including erasure from the referral program.