Affiliate Compliance & FTC Disclosure · The Legal Framework

Disclosure of the commercial relationship between a publisher and an advertiser is legally required in virtually every jurisdiction where affiliate marketing operates. The principle is fundamental: consumers have the right to know when a recommendation is commercially motivated, so they can factor that into how they weight the advice. An undisclosed affiliate relationship is considered a deceptive trade practice under US and UK consumer protection law.

The FTC's Endorsement Guides (16 CFR Part 255, updated most recently in 2023) and the UK's ASA/CAP Code provide the detailed requirements. Both are based on the same principle: the material connection between an endorser and a brand must be disclosed clearly and conspicuously. A material connection exists when: the publisher receives payment, free products, or other benefits in exchange for the recommendation — regardless of whether the endorsement is positive or whether the publisher was asked to make it.

Non-compliance consequences: FTC enforcement actions against publishers and advertisers have included civil penalties, consent orders requiring programme changes, and documented public investigation that can generate significant negative press coverage even without formal penalties. The FTC's documented willingness to pursue both publishers and the advertisers whose programmes they participate in means compliance is a programme-wide responsibility, not just a publisher responsibility.

The FTC's Guides Concerning the Use of Endorsements and Testimonials in Advertising (the Endorsement Guides) were originally issued in 1980 and substantially updated in 2009 and again in 2023. The 2023 updates specifically address social media, influencer marketing, and affiliate marketing in digital contexts.

The core requirements from the Endorsement Guides relevant to affiliate marketing:

Material connections must be disclosed. A "material connection" includes payment, free products, discount codes, or any other compensation that might affect how the endorsement is received. Affiliate commissions are a material connection by definition — they must be disclosed.

Disclosure must be clear and conspicuous. The disclosure must be placed where consumers will see it before engaging with the affiliate content — not buried in small print at the bottom of the page, not hidden behind a "more" button, and not using coded language that most consumers would not recognise as a disclosure.

Disclosures must be adequate on their own. A disclosure on a general disclaimer page does not satisfy the requirement for a specific post or article containing affiliate links. Each piece of content containing affiliate links must contain its own disclosure.

Social media has additional requirements. For social media posts containing affiliate links, the disclosure must appear within the post itself — not in a bio or profile. Hashtags like #ad, #sponsored, or #partner are acceptable disclosures if they appear clearly in the post. #affiliate alone may not be sufficiently clear for all audiences according to FTC guidance.

The FTC does not mandate specific disclosure language but provides guidance on what meets the "clear and conspicuous" standard. Accepted disclosure formats that meet FTC guidance:

• At the top of blog posts: "This post contains affiliate links. If you purchase through our links, we may earn a commission at no additional cost to you." Placed before the first affiliate link in the content.
• Within product mentions: "[Product name] (affiliate link)" or "[Product name] — we earn a commission if you buy." Inline disclosure at the point of the affiliate link itself.
• In social media posts: "#ad" or "#sponsored" at the beginning of the post (not buried at the end or hidden among other hashtags).
• In video content: A verbal disclosure at the start of the video ("This video contains affiliate links in the description") plus a visual disclosure overlay during any product mentions.

Not acceptable as standalone disclosures: a general disclaimer page linked from the site footer; a disclosure in the site's About page only; small print disclosure at the bottom of a long article; using the word "partner" without explaining the commercial nature of the relationship (FTC guidance notes that many consumers do not understand "partner" to mean paid commercial relationship).

In the UK, the Advertising Standards Authority (ASA) enforces the Committee of Advertising Practice (CAP) Code, which governs all digital advertising including affiliate marketing. The Competition and Markets Authority (CMA) also has enforcement powers over undisclosed commercial content under consumer protection law.

CAP Code requirements for affiliate marketing: any communication that is commercial in nature (where the publisher receives payment or compensation) must be clearly identified as an advertisement before the consumer reads or views it. The ASA's documented guidance specifically states that "affiliate links" must be identified as advertising — the word "Ad" or "Affiliate" must appear prominently before the content.

UK-specific enforcement: the ASA has conducted documented investigations and issued rulings against publishers and advertisers for inadequate affiliate disclosure. The CMA has also issued formal advice and enforcement notices to major social media platforms regarding undisclosed commercial content. UK affiliate programmes that actively monitor publisher compliance and respond to disclosure failures are in a significantly better regulatory position than those that treat compliance as entirely the publisher's responsibility.

The General Data Protection Regulation (GDPR) applies to affiliate marketing data processing in two key areas: tracking cookies and conversion data transmission.

Cookie consent: Affiliate tracking cookies that collect user data require valid consent under GDPR — they are not "strictly necessary" cookies and cannot be set without the user's consent in the EU/UK. Advertisers running affiliate programmes must ensure their cookie consent mechanisms cover affiliate tracking cookies, and that affiliate networks implement consent-based cookie setting. Running affiliate tracking on EU users without valid consent is a GDPR violation — the ICO and other data protection authorities have issued documented fines for cookie consent violations.

Conversion data: The data sent from the advertiser to the network when a conversion occurs — including order IDs, order values, and any customer identifiers — is personal data under GDPR. The advertiser is the data controller; the network is a data processor. A Data Processing Agreement (DPA) between the advertiser and network is required under GDPR Article 28.

The California Consumer Privacy Act (CCPA, amended by CPRA) grants California residents rights over their personal data — including the right to opt out of the "sale" of their personal information. The sharing of user data with affiliate networks for tracking and attribution purposes may constitute a "sale" under CCPA's broad definition, depending on the commercial arrangement.

Practical CCPA compliance for affiliate programmes: provide a "Do Not Sell or Share My Personal Information" option; honour opt-out requests by ceasing to share tracking data with the network for opted-out users; update privacy policy disclosures to accurately describe affiliate tracking data sharing; and verify that affiliate network agreements include CCPA service provider terms.

Advertisers can be held liable for their affiliates' non-compliant promotional practices. FTC documented guidance explicitly states that advertisers are responsible for ensuring that their affiliate marketing programmes comply with the Endorsement Guides — they cannot simply disclaim responsibility by pointing to their programme terms.

The documented FTC enforcement approach: advertisers have received warning letters and, in some cases, formal enforcement actions for affiliates making false claims or using deceptive promotional tactics — even when the advertiser did not directly instruct or know about the specific practice. The principle is that advertisers benefit from affiliate promotions and therefore share responsibility for their compliance.

This makes compliance monitoring a core advertiser responsibility, not just a publisher responsibility. Programme terms that prohibit deceptive claims and require disclosure are a necessary first step — but only sufficient as a defence if the advertiser also actively monitors for violations and terminates non-compliant publishers.

A compliance-first affiliate programme incorporates these elements:

1. Programme terms that clearly specify disclosure requirements. The programme terms should specify the exact disclosure language required (or a minimum standard), where it must appear, and that it must be present in every piece of affiliate content containing affiliate links.
2. Publisher acceptance of compliance terms. Publishers must actively accept the programme terms as part of joining — including the disclosure requirements. Acceptance creates a documented record that the publisher was informed of compliance obligations.
3. Pre-launch review of initial publisher content. For new publishers, review their initial content before it goes live to confirm disclosure compliance. This is most practical for high-value publishers; for network-sourced publishers at scale, periodic sampling is necessary.
4. Ongoing compliance monitoring. Regular audits of publisher content using a combination of manual review and monitoring tools that identify affiliate links on publisher sites without required disclosures.
5. Documented response to violations. When non-compliance is identified, document the finding, contact the publisher with specific correction requirements, and if corrections are not made, suspend or terminate the publisher. Document all actions taken.

Compliance monitoring at scale is operationally challenging — a large affiliate programme may have hundreds or thousands of active publishers producing content across many platforms. Practical monitoring approaches:

Network monitoring tools. CJ Affiliate, Awin, and Impact all provide publisher content monitoring tools that can identify affiliate links in publisher content and flag missing disclosures. These tools are imperfect but provide systematic coverage at scale.

Manual sampling. Monthly sampling of top publishers' content — checking 5–10 posts from each of the highest-volume publishers — provides a quality check beyond automated monitoring.

Google Alert monitoring. Setting Google Alerts for affiliate link patterns and the programme's branded terms can surface publishers creating content about the programme that may not have been identified through network monitoring.

Consumer complaint monitoring. Complaints about affiliate publishers' practices often surface through social media, review platforms, or directly to the advertiser's customer service. A monitoring process for affiliate-related complaints enables rapid response.

The FTC has published documented enforcement actions against advertisers and publishers for affiliate marketing compliance failures. Key documented cases:

FTC vs. Lore (2020). The FTC took action against a multi-level marketing company for income claims made by affiliates — demonstrating that affiliates' promotional claims can create liability for the advertiser.

FTC vs. NGL Labs (2023). The FTC took action related to misleading engagement metrics and undisclosed commercial relationships — indicating increased scrutiny of digital promotion practices including affiliate-adjacent arrangements.

UK ASA Rulings. The ASA has published numerous documented rulings against publishers and brands for inadequate disclosure on social media and blog content — providing specific guidance on what constitutes inadequate disclosure in UK-specific contexts. The ASA's website publishes all rulings, providing a searchable database of compliance case studies.

These documented cases establish that enforcement is not hypothetical — regulators on both sides of the Atlantic are actively investigating and acting on affiliate compliance failures. Programmes with documented compliance policies, monitoring, and response processes are substantially better positioned than those without.

Sources & Further Reading