- Growth hacking and viral marketing offer startups cost-effective growth strategies, but with legal gray areas.
- The GDPR requires valid consent for the use of personal data in marketing campaigns.
- The UWG prohibits unfair advertising, including spam and misleading promotions.
- The HWG regulates advertising in the health sector and prohibits misleading healing promises.
- Competitions must offer transparent conditions of participation and clear rules for free participation (no purchase or stake required).
- Referral programs should be voluntary and obtain the consent of those referred.
- Compliance with platform guidelines and German laws is crucial for legally compliant marketing strategies.
Growth hacking and viral marketing promise start-ups rapid growth and a wide reach with a low budget. In the digital scene in particular, creative campaigns – from ingenious competitions and referral programs to controversial social media campaigns – are seen as a secret recipe for an explosive increase in user numbers and awareness. But what is ingenious from a marketing point of view is often a legal gray area. German law sets clear boundaries: Data protection (GDPR), competition law (UWG) and, in the case of health products, even the Therapeutic Products Advertising Act (HWG) restrict the free development of many growth hacking strategies. This article highlights the legal requirements and pitfalls of such viral growth strategies. It is intended to help founders and marketing managers in German start-ups to implement innovative campaigns in a legally compliant and low-risk manner – and the expertise of an IT and media lawyer is reflected in every section.
GDPR, UWG & Co.: legal framework for viral marketing
General Data Protection Regulation (GDPR): As soon as personal data is used for marketing purposes, the GDPR is relevant. Growth hacking campaigns often collect data – such as email addresses for competitions or referrals. Strict purpose limitation and consent requirements apply here: people may only be included in advertising or contacted if valid consent (opt-in) has been obtained or another legal basis applies. For start-ups, this means that newsletter registrations, competition entries and referral registrations must be GDPR-compliant. Consent must be voluntary, specific and informed. It is important that consent is not made a condition of something else – for example, a competition that can only be entered with simultaneous consent to receive the newsletter violates the GDPR’s prohibition on tying (coupling). Participants must also be informed about the data processing and their rights (e.g. withdrawal of consent). Without GDPR compliance, there is a risk of warnings and fines from the supervisory authorities, which can be particularly severe for start-ups. Privacy by design is therefore also mandatory in marketing: collect only the data that is actually necessary, store it securely and, above all, use double opt-in procedures to verify consent.
Act against Unfair Competition (UWG): In addition to data protection, the UWG sets the framework for permissible advertising practices. Viral marketing strategies are advertising – and advertising must not be unfair. Among other things, the UWG prohibits misleading statements (Section 5 UWG), aggressive sales methods and, above all, harassment through unsolicited advertising (Section 7 UWG). For growth hacking, this means: no spam emails, no unsolicited advertising messages to third parties and no surreptitious advertising. Advertising emails or messages without the express prior consent of the recipient are considered unreasonable harassment and are not permitted. Even modern approaches such as “Tell-a-Friend” functions – where users can recommend a product or service to friends – have been classified by the Federal Court of Justice as inadmissible advertising if the recommendation is sent via the company’s system. Conclusion on the UWG: Any commercial activity that surprises, deceives or harasses the recipient is risky. Only what is transparently recognizable as advertising and is based on voluntary participation can go viral. In particular, the commercial purpose of campaigns must be obvious – hidden advertising in seemingly private posts (e.g. by influencers without labeling) falls under the UWG’s ban on surreptitious advertising (Section 5a (6) UWG).
Therapeutic Products Advertising Act (HWG): Another layer is added for health start-ups. The HWG regulates advertising for medicinal products, medical devices and medical procedures. Special law beats general law: In addition to the UWG and GDPR, strict special rules apply in the healthcare sector. For example, the HWG prohibits misleading or unobjective advertising for remedies (Section 3 HWG). Promises of cures, exaggerated claims of success or advertising with testimonials from outside the industry may be inadmissible. Example: A health startup may not make unverified claims that its product “heals guaranteed” or use celebrities as advocates without permission. In addition, the HWG completely prohibits lay advertising for prescription drugs – such products may not be advertised to the general public at all, neither offline nor virally online. Influencer marketing in the healthcare sector is therefore particularly tricky: Social media posts must also be HWG-compliant, e.g. with mandatory information (“On risks and side effects…” for medicinal products) and without impermissible healing claims. Start-ups with fitness apps or telemedicine offers are sometimes on the edge of the HWG – the decisive factor is whether a specific remedy or medical purpose is being advertised. Principle: In case of doubt, advertising in the healthcare sector must be particularly cautious and precise in order not to violate the HWG. These strict rules exist alongside the general requirements of the UWG; a violation can result in warnings from competitors or supervisory authorities and high fines.
Checking out gray area tactics: competitions, recommendations, B2B hacks
Sweepstakes as viral drivers: Sweepstakes are a classic growth hack to quickly attract attention and new leads. But there are legal pitfalls lurking. Conditions of participation are essential – participants must be clearly and comprehensibly informed about who the organizer is, what there is to win, how participation works and until when, and above all which rules and restrictions apply. According to the UWG, competitions must not be misleading or unfair. For example, the prize offered must be real and awarded as described; hidden costs or conditions would be unfair. Important: Participation in a competition may not be made dependent on a purchase or payment, otherwise there is a risk that it will be considered an illegal game of chance. In Germany, a competition with an obligation to purchase could be a violation of gambling law (§ 284 StGB prohibits unauthorized lotteries). Serious promotions are therefore always run “without stakes”. Equally critical is the frequently seen linking of competitions and newsletters: “Take part by registering for our newsletter.” Caution is required here – according to the GDPR, consent to the newsletter must be voluntary. Participants must therefore have the opportunity to take part in the competition without subscribing to the newsletter. Otherwise, the consent is invalid and the subsequent advertising would be unlawful. Data protection in competitions also means using participant data only for prize processing and the clearly communicated purposes. Separate consent for the use of data for advertising is recommended if this is planned. Finally, social media competitions in particular should observe the platform rules (more on this in a moment): e.g. Facebook does not allow participants to be asked to tag themselves in photos they do not appear in or to tag other people’s friends.
A practical example: The German start-up Got Bag reached hundreds of thousands of users in 2023 with an Instagram competition (“Win a Van”) – but also made sure to prominently link the conditions of participation and comply with all requirements (free participation, clear deadlines, neutral draw). This kept the viral success legally clean. Remember: competitions generate reach, but without a legal foundation they quickly lead to trouble – transparency and fairness are the be-all and end-all.
Referral marketing and referral programs: “Recommend us and receive a bonus” – such customer referral programs are worth their weight in gold for growth. But here, too, it is important to maintain a balance between virality and the law. It becomes problematic whenever the recommendation is made without the consent of the person referred. A classic no-go: the startup offers a “Tell-a-Friend” button, which existing customers can use to automatically send invitation emails to friends. The courts consider this to be inadmissible advertising – the Federal Court of Justice has ruled that a company that enables such recommendation emails to be sent is liable for them in the same way as for its own advertising emails, unless the friend has expressly consented to receiving them beforehand. In other words, an unsolicited email remains advertising from the company, even if a customer triggers it. Referral systems should therefore be designed in a data protection-friendly way: Personalized invitation links that the satisfied customer can pass on to friends themselves are better than direct emails via the system. If the customer shares the link of their own free will – for example via WhatsApp or in person – this is more of a private matter, and the UWG does not apply to private communication between friends. However, the company should never actively use the contact details of friends itself without their consent. From a GDPR perspective, the processing of a third party’s email address is already critical if there is no legal basis. Referral programs should therefore do without direct processing of friends’ data if possible, or at least only take effect after the referred person has registered independently. Double opt-in for onboarding: If the referred person registers via the referral link (e.g. for a newsletter or account), a confirmation process is mandatory in order to prevent misuse.
Confirmation emails must not contain any advertising content, otherwise they too could be classified as spam. Many start-ups – such as the neobank N26 – successfully rely on friend referrals: existing customers receive a bonus (e.g. €15) if they convince a friend to become a customer. The decisive factor is that the friend comes voluntarily and has agreed to all data protection and consent requirements when registering. However, it would not be permissible to write to masses of e-mail addresses from the customer’s address book without their consent. The motto here is: recommendations yes, but without harassing third parties. Start-ups should also handle their rewards properly – promised bonuses must be paid, otherwise there is a risk of contractual claims and damage to their image. Contractual clauses in the referral T&Cs (such as “no claim to bonus in the event of abuse”) must be transparent and effective, otherwise they could be invalid or fail judicial review of general terms and conditions.
Viral B2B strategies: Start-ups are also increasingly relying on viral effects in business-to-business marketing. Tactics such as gated content (high-quality content that can only be accessed after registration), invite-only platforms (limited access to arouse desire) or provocative “rage content” (polarizing content that deliberately stirs up debate) are intended to arouse the curiosity of a specialist audience. These approaches are legally permissible as long as certain limits are observed. Gated content, for example, is basically nothing more than a barter deal: the potential customer receives a white paper or a study, while the startup receives their contact details in return for subsequent contact. Note on the GDPR: It must be clearly communicated why the data is being requested. Anyone who provides their email for a white paper may expect a follow-up email – but not automatically a newsletter subscription. Consent for further contact should therefore be obtained separately. It often makes sense to offer checkboxes on the download form (e.g. “I agree that you may contact me about your products in the future”). Without such consent, the startup may only use the contact data obtained to a very limited extent – in the B2B sector, very targeted individual contact by email may be permissible if there is a legitimate interest and Section 7 UWG does not apply (however, opt-in is always required for advertising, unless it is an existing customer). Limited-access and invite-only strategies – such as the past hype surrounding exclusive beta access – are permitted in terms of marketing as long as they are not misleading. If scarcity is only artificially feigned without there actually being a limitation, one could discuss whether this is deceptive; as a rule, however, the public will see through such means, so that there is no relevant deception.
Waiting lists or invitation rounds are legally unproblematic as long as everyone who registers is treated fairly and no discriminatory criteria are used. For example, a SaaS startup could launch a beta phase for invited users only in order to create exclusivity – this is permissible. However, it should make it clear in the terms of use that there is no entitlement to access and that selection may be by lot or objective criteria in order to ensure transparency.
“Rage content” and polarizing campaigns: In B2B marketing, especially on LinkedIn or Twitter, we are seeing a trend towards deliberately posting edgy opinions or controversial theses in order to achieve viral distribution – positive or negative reactions, the main thing is engagement. Legally, this is not a special legal area as long as the content does not violate general laws. However, the limit is quickly reached when provocation becomes insulting, defamatory or inciting content. Even in the heat of the viral hunt, start-ups must not violate any personal rights. Anyone who publicly denounces or disparages a competitor, for example, could be prosecuted under Section 4 UWG (disparagement of competitors) or even for defamation (Section 186 StGB). Hate-baiting or incitement to extremes can also violate the platform guidelines (many networks prohibit content that promotes hatred or violence). Rage content is therefore a double-edged strategy: although it generates discussion, it harbors high reputational and legal risks. Companies should also bear in mind that an overly aggressive tone of voice on LinkedIn, for example, can damage their reputable image. Recommendation: Use controversial statements with caution, check facts and never post illegal content. Then the worst-case risk is “only” a shitstorm – but not a warning or a ban.
Social media marketing: influencers, ads and platform rules
Influencer marketing and scaling effects: Influencers can help a campaign achieve a breakthrough – their recommendations appear authentic and reach thousands of followers. But this is where the legislator takes a close look. Labelling requirements: In Germany, it is now clearly regulated that influencer contributions that are of a commercial nature must be identified as advertising. There must be no surreptitious advertising. The challenge: Influencers operate in a lifestyle context where personal recommendations and advertising become blurred. German courts have set standards in recent years. For example, the Federal Court of Justice ruled in several cases in 2021 that linking to brands (“tap tags” on Instagram) can be permitted without an advertising label if the influencer has not received any consideration for the post and the post is not overly promotional. However, as soon as a consideration (payment, free products or other benefits) is involved, the post is considered commercial – in this case, a notice such as “advertisement” or “advertising” must be clearly visible. Start-ups that work with influencers should definitely record this in a contract: Influencers must provide all labeling required by German law. If the advertising notice is missing, there is a risk of warnings from competition associations or competitors under the UWG. The media supervisory authorities are also interested in influencer advertising and can impose fines. In addition to labeling, content transparency is important: in the health sector in particular (see HWG), influencers may not make any unverified health promises. For example, a health startup may not allow its influencer to advertise the product as a “miracle cure” – in this case, the company is ultimately also liable if false promises of a cure are spread. Data-driven influencer marketing (e.g. tracking the conversion of the influencer campaign using cookies or codes) must also be GDPR-compliant.
If, for example, a special tracking link is used, it must be ensured that users have consented to being tracked (keyword: cookies/tracking pixels on the landing page). All in all, influencer marketing can scale, but it must be properly labeled and contractually managed so that both sides – startup and influencer – are legally secure.
Social ads and personalized advertising: Virality can often be increased with paid ads – whether on Facebook, Instagram, TikTok or LinkedIn. These social platforms offer powerful targeting options, but also come with their own rules and data protection responsibilities. GDPR and targeting: If a startup places social media ads based on specific user profiles (interests, location, behavior), the data is used directly by the platform provider, but the advertiser must inform users (e.g. in the privacy policy) that they are using targeted advertising on platforms. In the case of custom audiences – for example, if a customer list is uploaded to Facebook in order to target these or similar people – the prior consent of the customers concerned is required. Facebook contractually requires advertisers to ensure that the uploaded contacts have been collected in accordance with the law. Without consent, you are in breach of the GDPR, as sensitive user data is processed for advertising purposes and passed on to third parties (Facebook). Joint responsibility: An important legal aspect is that the European Court of Justice has determined that operators of Facebook fan pages or similar sites are jointly responsible for the processing of user data. This means that a startup that operates a company page on Facebook or launches an advertising campaign there is jointly responsible for data collection (e.g. Insights data, tracking of page visitors). In practice, you should therefore conclude a kind of shared responsibility agreement with the platform operator – Facebook provides corresponding additional conditions – and inform users on your own website. Opt-in/opt-out for tracking: In Germany, telemedia law (especially the TTDSG) requires consent for cookies and pixels that are not necessary. For example, if you place the Facebook pixel on your landing page to measure conversions or enable retargeting, you must obtain permission from visitors in advance (cookie banner). 
Without opt-in, the pixel call alone may already be inadmissible, as German courts have made clear in cookie rulings.
Platform guidelines and compliance: Each social media platform has its own terms of use and advertising guidelines, which must be kept in mind during viral marketing campaigns. Startups are contractually bound by these rules when they use the platform – a breach can lead to the account being blocked or content being deleted, regardless of the legal situation. Take Facebook/Instagram, for example: Promotion guidelines apply here, which stipulate, among other things, that competitions must include a complete release of Facebook from liability in the terms and conditions of participation and that they may not be run via personal timelines. For example, a competition post may not request that users share the competition on their own timeline or tag friends, as Facebook considers this to be an undesirable spam practice. Instead, requests to like, comment or use official functions (such as the Facebook poll tool) are permitted. Instagram, a platform belonging to Facebook, handles this in a similar way – you should also be careful there not to encourage participants to tag strangers. TikTok also has community guidelines and advertising policies: viral challenges or hashtag campaigns are popular, but content that violates TikTok’s rules (e.g. dangerous stunts, offensive or political content) will be removed. Anyone who starts a challenge must therefore ensure that it is compatible with the TikTok guidelines. LinkedIn as a professional network does not tolerate automated growth hacks such as bots for sending mass contact requests or messages. A startup that uses scraping or automated tools to generate and approach contacts, for example, is in breach of the LinkedIn terms of use and risks being blocked – in addition, unsolicited sales messages to strangers can be considered illegal advertising (UWG).
Review of T&Cs: Although the platform T&Cs are generally subject to the law of the respective provider (often Irish law for Facebook/Instagram, US law for LinkedIn with EU exceptions), a German company can also object to invalid clauses under German T&C law in case of doubt. In practice, however, individual users are hardly in a position to negotiate the contractual terms of large platforms. The focus is therefore on compliance: adherence to the platform rules becomes part of the startup’s compliance strategy. Campaigns need to be planned in such a way that they comply with both German laws and the guidelines of TikTok, Meta, LinkedIn & Co. This not only protects against account bans, but also prevents reputational problems – because a publicly known ban or a deleted post reflects badly on the company’s professionalism.
Practical examples: Growth hacking between legality and innovation
Example 1 – Viral competition coup: A well-known young German company from the sustainability sector, Got Bag, doubled its Instagram followers within a few days with a spectacular competition. A high-quality camper van was raffled off, and participation was linked to typical viral mechanics: following, liking, sharing, tagging friends. This success shows the potential – but Got Bag also paid attention to the rules. Participation was free of charge and without any further consideration, and the conditions were published transparently. This meant that the campaign was not considered unfair. Lesson learned: Even when aggressively increasing reach, the rules of the game must remain clear and fair. If Got Bag had arbitrarily changed the awarding of the prize or pursued hidden agendas, disappointed participants and legal action would have quickly followed. Instead, the startup communicated openly about the process and kept its word when awarding prizes – turning a growth hack into a success story rather than a legal problem.
Example 2 – Referral program with stumbling blocks (hypothetical): Let’s imagine the FinTech startup PaySmart, which wants to attract new customers through a refer-a-customer program. Existing customer Alice can invite friends via the app and collect a 20 euro bonus for each user she refers. To speed up the process, PaySmart implements a function where Alice simply enters the email addresses of her friends and the system automatically sends an invitation. However, this supposed convenience leads to complaints: Friend Bob feels harassed by the unsolicited advertising mail and reports this to the consumer advice center. A short time later, PaySmart receives a warning for violating Section 7 UWG (unreasonable harassment through advertising emails). The lesson: The startup would have been better off providing Alice with a referral link that she could forward on her own. This way, the communication remains private and is initiated by the customer herself. In the real startup world, some companies have had to learn the hard way that unsolicited invitation emails to third parties are taboo – today, almost all of them rely on self-shared links or at least ask permission before sending referral messages. In our example, PaySmart corrects its program, integrates a double opt-in for newsletter registrations of the referred parties and avoids automated friend mailings from now on. This makes referral marketing sustainable and legally compliant.
Example 3 – Influencer campaign of a health start-up: The Berlin start-up FitLife sells a health app that promises exercise-based therapy for back pain. FitLife cooperates with a high-reach influencer to quickly increase awareness. She posts videos on TikTok and Instagram in which she praises her back exercises with FitLife. The campaign goes viral – but FitLife suddenly receives mail from the Wettbewerbszentrale (a very active self-regulatory body in Germany): In one of the videos, there was no indication that it was advertising, even though the influencer was paid by FitLife. In addition, sentences such as “With this app, my back pain is gone forever – guaranteed!” were used. The Wettbewerbszentrale complains of a violation of the HWG due to misleading health advertising. FitLife has to react: The posts in question are immediately deleted or subsequently marked with #advertising. Together with the influencer, new guidelines are drawn up for future posts – every health-related statement is legally checked in advance and absolute promises of healing are avoided. The example shows: When it comes to health products in particular, two regimes strike at once – the UWG (surreptitious advertising) and the HWG (healing promises). Start-ups should make clear agreements with their marketing partners, offer training and, if in doubt, seek expert advice before publication. In this way, influencer marketing can be implemented successfully but compliantly, even in regulated industries.
Example 4 – Gated content in B2B (hypothetical): The SaaS startup DataSecure offers cybersecurity software for companies. To generate leads, it produces a high-profile industry report on the topic of IT security in 2025. Interested parties can download this report free of charge from the website – but must fill out a form with details such as name, company and email. DataSecure plans to have the sales team contact all those who download the report by email and telephone in the following weeks to pitch the software. Legal assessment: The principle of gated content is permissible, but the downstream use of contact data requires care. Ideally, DataSecure has obtained consent in the form, e.g.: “Yes, I would like to be contacted by DataSecure regarding offers and updates.” If such explicit consent has been obtained, the startup may proactively write to or call the leads (in the case of telephone calls, Section 7 UWG also applies: Calls for advertising purposes also require the prior consent of the person called). If DataSecure does not have express consent, it could at best invoke a legitimate interest to make a one-off enquiry by email – in the B2B sector, initial contacts are sometimes tolerated if a concrete interest can be assumed. However, opt-in is always safer. In our example, DataSecure decides to allow users to optionally check a box in the download form for future information. The result: slightly fewer leads consent, but the subsequent marketing contacts are secure. If someone still finds the contact annoying, DataSecure naturally offers an opt-out option at any time (unsubscribe link in emails, option to object to data use) – another important compliance aspect. Conclusion from the example: Even when generating leads via content, data protection and the UWG should be kept in mind. If you base your communication on consent at an early stage, you will avoid later conflicts and demonstrate professionalism.
Legal risks and typical problem areas
Finally, it is worth taking a look at the general risks associated with aggressive growth hacking measures and how they can be countered. The biggest risk factor is certainly warnings. In Germany, competitors or authorized associations (e.g. consumer associations, competition authorities) can issue warnings for competition violations for a fee. An unauthorized advertising email, a misleading advertising statement or a missing influencer reference – all of these can result in a warning within a few days. For start-ups, which usually do not have a large budget for legal disputes, this means costs (for legal fees and possibly contractual penalties) on the one hand and an immense amount of time and nerves to resolve the matter on the other. Court injunction proceedings are also possible if you do not respond appropriately to a warning – this can lead to the prohibition of an entire campaign by court order. This is the worst-case scenario for any marketing campaign.
Fines under the GDPR represent a further risk. Data protection violations – such as sending newsletters without valid consent, insecure competition forms or the unauthorized transfer of user data to advertising partners – can be punished by the data protection authorities with considerable fines. The authorities are also increasingly looking at smaller companies, especially if they are data-driven. Even a five-figure fine can be extremely painful for a start-up. Data protection compliance in marketing should therefore be a matter for the boss: regular checks to ensure that all opt-ins are documented, that data protection declarations are complete and that consent mechanisms are working, for example when using tracking tools.
Typical problem areas in the implementation of such strategies can be summarized as follows: Firstly, consent management – it is often not the customer’s willingness to participate that is lacking, but the clean obtaining and logging of consent. A startup must be able to prove at any time that person X explicitly agreed to receive marketing on date Y. In technical terms, this means keeping the relevant logs. Secondly, the design of campaign mechanics: creative ideas sometimes come up against invisible walls. For example, a viral competition can be restricted by platform rules or legal requirements (think of the Facebook policy against “share and win”). The problem here is often ignorance – many founders are marketing experts, but not lawyers. The solution is to seek legal advice early on or consult specialized blogs/sources to avoid pitfalls. Thirdly, the area of contracts and terms and conditions: When cooperating with influencers, there should be written agreements that regulate the obligations (labeling, content coordination, liability for legal violations). The same applies to referral programs or bonus campaigns – general terms and conditions should be formulated in a legally compliant manner. Start-ups often fall into the trap of using templates to save time or even acting without clear rules. This can take its toll if a dispute arises. Judicial review of general terms and conditions can also become an issue if, for example, conditions of participation are too one-sided; in this case, clauses will be interpreted to the detriment of the party that drafted them.
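The double opt-in and consent-logging requirements described in the referral section and in the consent-management point above, worked out as an added example that is not part of the original article or any real product: a small in-memory consent ledger that keeps one record per purpose (so a competition entry never implies newsletter consent), stores only a hash of the confirmation token, rejects expired, forged or replayed confirmations, keeps the confirmation text free of advertising, and can produce the evidence that person X agreed on date Y. Names, the `example.invalid` URL and the 48-hour token lifetime are assumptions.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

TOKEN_TTL = timedelta(hours=48)  # assumption: unconfirmed requests lapse after 48 h


@dataclass
class ConsentRecord:
    email: str
    purpose: str                  # "competition", "newsletter", ... one record per purpose
    requested_at: datetime
    request_ip: str
    token_hash: str               # only the SHA-256 of the confirmation token is stored
    consent_text: str             # the exact wording the person agreed to
    confirmed_at: Optional[datetime] = None
    confirm_ip: Optional[str] = None
    withdrawn_at: Optional[datetime] = None


class ConsentLedger:
    """One record per (email, purpose); consents for different purposes are never merged."""

    def __init__(self, clock: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self._clock = clock  # injectable clock so expiry can be tested deterministically
        self._records: dict[tuple[str, str], ConsentRecord] = {}

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    @staticmethod
    def _key(email: str, purpose: str) -> tuple[str, str]:
        return (email.strip().lower(), purpose)

    def request(self, email: str, purpose: str, ip: str, consent_text: str) -> str:
        """Step 1 of double opt-in: record the request, return the token for the mail."""
        token = secrets.token_urlsafe(32)
        key = self._key(email, purpose)
        self._records[key] = ConsentRecord(key[0], purpose, self._clock(), ip,
                                           self._digest(token), consent_text)
        return token

    @staticmethod
    def confirmation_message(token: str, purpose: str) -> str:
        # Purely functional wording: the confirmation mail must carry no advertising.
        return (f"Please confirm your {purpose} registration by opening "
                f"https://example.invalid/confirm?purpose={purpose}&token={token}\n"
                "If you did not request this, simply ignore this message.")

    def confirm(self, email: str, purpose: str, token: str, ip: str) -> bool:
        """Step 2: accept the token once, within its lifetime, using a constant-time compare."""
        rec = self._records.get(self._key(email, purpose))
        now = self._clock()
        if rec is None or rec.confirmed_at is not None:      # unknown or already used
            return False
        if now - rec.requested_at > TOKEN_TTL:               # stale request
            return False
        if not hmac.compare_digest(rec.token_hash, self._digest(token)):
            return False
        rec.confirmed_at, rec.confirm_ip = now, ip
        return True

    def withdraw(self, email: str, purpose: str) -> bool:
        rec = self._records.get(self._key(email, purpose))
        if rec is None or rec.withdrawn_at is not None:
            return False
        rec.withdrawn_at = self._clock()
        return True

    def may_contact(self, email: str, purpose: str) -> bool:
        rec = self._records.get(self._key(email, purpose))
        return bool(rec and rec.confirmed_at and not rec.withdrawn_at)

    def evidence(self, email: str, purpose: str) -> Optional[dict]:
        """What you hand to an auditor: who agreed to which text, when, from where."""
        rec = self._records.get(self._key(email, purpose))
        if rec is None or rec.confirmed_at is None:
            return None
        return {"email": rec.email, "purpose": rec.purpose, "text": rec.consent_text,
                "requested_at": rec.requested_at.isoformat(), "request_ip": rec.request_ip,
                "confirmed_at": rec.confirmed_at.isoformat(), "confirm_ip": rec.confirm_ip,
                "withdrawn_at": rec.withdrawn_at.isoformat() if rec.withdrawn_at else None}


def demo() -> dict:
    """Constructed scenario: Alice enters a competition but never ticks the newsletter box."""
    t0 = datetime(2025, 1, 10, 9, 0, tzinfo=timezone.utc)
    clock = {"now": t0}
    ledger = ConsentLedger(clock=lambda: clock["now"])
    tok = ledger.request("Alice@Example.org", "competition", "203.0.113.5",
                         "I want to take part in the Win-a-Van competition.")
    forged = ledger.confirm("alice@example.org", "competition", "not-the-token", "203.0.113.5")
    clock["now"] = t0 + timedelta(minutes=5)
    ok = ledger.confirm("alice@example.org", "competition", tok, "203.0.113.5")
    replay = ledger.confirm("alice@example.org", "competition", tok, "203.0.113.5")
    stale = ledger.request("bob@example.org", "newsletter", "198.51.100.7", "Send me the newsletter.")
    clock["now"] = t0 + timedelta(days=3)
    expired = ledger.confirm("bob@example.org", "newsletter", stale, "198.51.100.7")
    return {"competition_ok": ok, "forged_rejected": not forged, "replay_rejected": not replay,
            "expired_rejected": not expired,
            "newsletter_for_alice": ledger.may_contact("alice@example.org", "newsletter"),
            "evidence": ledger.evidence("alice@example.org", "competition")}
```

In a real deployment the records would be persisted (append-only, with the withdrawal kept rather than deleted) and the message handed to the mail system; the ledger logic itself stays the same.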
Finally, the compliance aspect must not be forgotten: Legal marketing is part of a company’s overall compliance. Startups must show investors and cooperation partners in particular that they are acting responsibly. A minor breach of the law at the wrong moment (such as during a due diligence review) can cast a huge shadow over the company. Reputation is at stake here – the best viral growth is of no use if the reputation of “legal trickery” suffers at the same time. In the digital age, word gets around quickly, even among consumers, if a company is using questionable methods. It is better to grow creatively but honestly. This also includes communicating transparently when in doubt: e.g. disclosing why certain data is being requested or responding quickly and openly to criticism from the community.
Conclusion: Growth hacking and viral marketing remain important tools for start-ups to assert themselves against established competitors. The legal requirements are no reason to forego such strategies – on the contrary, they provide a framework that ultimately strengthens user trust. Those who comply with the GDPR, respect the UWG and are familiar with industry-specific laws such as the HWG can run strong campaigns while remaining legally compliant. The support of a lawyer experienced in media and IT law can help to steer ideas in a legally compliant direction without losing the creative core. This is how the balancing act between viral buzz and compliance is achieved – and a start-up can move on to the next round of growth with a clear conscience.