HIGH · DW-011 · Forced Action

Friend Spam

Apps that request contact access then send mass messages or invitations on your behalf without clear, informed consent.

What Is Friend Spam?

Friend Spam occurs when an app requests permission to access your contacts — often framed as "Find Friends" — then uses that access to send unsolicited invitations to every contact. These messages appear to come from the user, exploiting trust between the user and their contacts to drive sign-ups.

Landmark Cases

  • LinkedIn ($13M settlement, 2015) — Sent up to 3 follow-up "reminder" emails to non-users who were imported as contacts. Users didn't realize they'd authorized LinkedIn to send these messages.
  • Path ($800K FTC fine, 2013) — Secretly uploaded users' entire address books without consent. Required to delete all contact data and implement a comprehensive privacy program.
  • Facebook (2012–2014) — "Find Friends" feature uploaded entire contact lists, then used those contacts for ad targeting and friend suggestions beyond stated purpose.
  • Candy Crush / FarmVille — Sent game invitations to every contact on phone and social media, creating floods of unwanted notifications that damaged personal relationships.

Severity Assessment

7.0

High — Causes reputational harm to users, privacy violations through mass collection of non-user contact data, and spam to non-consenting recipients. LinkedIn's $13M settlement demonstrates the legal severity.

Legal Status

Remediation

  1. Explicit opt-in per message — Users must choose which contacts to invite and approve each message.
  2. Preview before sending — Show the exact message and recipient list before confirmation.
  3. No automatic follow-ups — Never send reminder emails without additional explicit consent.
  4. Minimal data retention — Delete unmatched contacts immediately after matching.
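The four remediation steps above, worked into a minimal contact-matching and invitation flow. This is an added illustration, not code from any of the apps named on this page; the user list, uploaded contacts, pepper value, function names and the "ExampleApp" message text are all constructed assumptions.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Constructed sample data; a real deployment would normalize identifiers
# (lowercase e-mail, E.164 phone numbers) before hashing, as blind() does.
REGISTERED_USERS = {"alice@example.com", "bob@example.com"}
UPLOADED_CONTACTS = ["Alice@Example.com", "carol@example.com", "dave@example.com"]
SERVER_PEPPER = b"constructed-secret-rotate-in-production"


def blind(identifier: str) -> str:
    """Keyed hash of a normalized identifier so the raw address book never
    has to be stored server-side and stored values can't be reversed."""
    normalized = identifier.strip().lower()
    return hmac.new(SERVER_PEPPER, normalized.encode(), hashlib.sha256).hexdigest()


def find_friends(uploaded: list[str], registered: set[str]) -> list[str]:
    """Step 4: return only contacts who are already users. Unmatched
    contacts are not retained and are never used to send anything."""
    lookup = {blind(u): u for u in registered}
    return [lookup[blind(c)] for c in uploaded if blind(c) in lookup]


@dataclass
class InviteDraft:
    sender: str
    recipient: str
    body: str
    approved: bool = False  # set only by an explicit user action per draft
    sent: bool = False


def preview_invite(sender: str, recipient: str) -> InviteDraft:
    """Step 2: the exact text and the single recipient are shown to the
    user before anything can be confirmed."""
    body = f"{sender} invited you to join ExampleApp."
    return InviteDraft(sender=sender, recipient=recipient, body=body)


def send_invite(draft: InviteDraft) -> bool:
    """Step 1: one approved draft sends exactly one message (no bulk send).
    Step 3: a draft that already went out is refused, so a scheduled
    'reminder' job calling this again cannot produce a follow-up."""
    if not draft.approved or draft.sent:
        return False
    draft.sent = True  # a real implementation would hand off to the mailer here
    return True
```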
