Affiliate Site Compliance Basics: The Essential Legal Checklist
Affiliate sites that skip compliance don't fail overnight—they get delisted, fined, or sued. The FTC, state regulators, and platforms enforce affiliate disclosure, data privacy, and advertising rules with increasing precision. This guide covers the five non-negotiable compliance foundations every affiliate operation must establish, the specific actions to take this week, and how to audit your site for the gaps that regulators actually catch.
Why Affiliate Compliance Matters Now
The FTC settled with Amazon Associates publishers in 2023 for inadequate affiliate disclosures. In 2024, state attorneys general began targeting affiliate networks for lax vetting. Google regularly demonetizes and delists non-compliant affiliate sites. This isn't theoretical risk—it's enforcement happening monthly. Compliance protects three assets: your domain authority (delisting kills organic traffic), your revenue (platforms suspend payouts), and your legal standing (fines and liability lawsuits are real). A site that passes compliance review today can operate for years without disruption. One that doesn't can lose everything in weeks.
The Five Foundations of Affiliate Compliance
Affiliate compliance rests on five pillars, each with specific legal requirements and platform consequences. These aren't optional: they're the baseline enforced across Amazon Associates, ShareASale, CJ Affiliate, Impact, and every major network. Skip even one and your site becomes a liability.
| Foundation | Legal Requirement | Platform Consequence | Typical Violation |
|---|---|---|---|
| Affiliate Disclosure | FTC Guides require clear, conspicuous disclosure of material connections before the link | Account suspension, payout hold, delisting | Hiding affiliate status in footer or using 'partner link' instead of 'affiliate' |
| Privacy & Data Collection | GDPR, CCPA, state laws require consent and transparency for cookies, email, analytics | Domain penalty, traffic loss, fines up to 4% of revenue | Collecting emails without opt-in or failing to disclose third-party tracking |
| Content Truthfulness | FTC Act § 5 prohibits deceptive claims; state consumer protection laws follow | Content removal, manual action, demonetization | Overstating product benefits, fake reviews, misleading comparisons |
| Terms & Legal Pages | FTC, state laws, and platforms require disclosure of business model, data use, affiliate relationships | Rejection from ad networks, affiliate program removal | No Terms of Service, missing privacy policy, or vague affiliate disclosures |
| Responsible Advertising | Platform policies (Google, Meta, Amazon) prohibit certain claims and audiences | Ad account suspension, traffic loss, network delisting | Targeting minors, health claims, financial guarantees, or prohibited products |
Foundation 1: Affiliate Disclosure—The FTC Rule and How to Implement It
The FTC's Guides Concerning the Use of Endorsements and Testimonials require that any material connection between you and a product vendor be disclosed clearly and conspicuously before the reader clicks the link. 'Material connection' means you earn a commission or receive free products. 'Clearly and conspicuously' means the disclosure must be visible at first glance, not buried, and stated in plain language. The FTC doesn't mandate specific wording, but it does forbid vague terms like 'partner link,' 'sponsored,' or 'affiliate.' The disclosure must use the word 'affiliate,' 'commission,' or 'earn money from' so a reader understands you have a financial incentive. Platforms enforce this strictly. Amazon Associates requires disclosure 'in a way that is clear and conspicuous to consumers.' Google Ads will suspend accounts for affiliate links without prominent disclosure. CJ Affiliate audits for FTC compliance and removes publishers who fail.
- Add a disclosure statement above every affiliate link
Before each product link or CTA, insert one of these exact phrases: 'As an affiliate, I earn a commission from qualifying purchases' or 'This page contains affiliate links, and I earn a commission if you make a purchase.' Use the same phrasing site-wide for consistency.
Why: Platform audits and FTC enforcement both look for disclosure proximity and clarity. Disclosures at the top of the page or in a footer don't satisfy the 'before the link' requirement.
✓ Checkpoint: A reader encountering the link for the first time should see the disclosure without scrolling past it or searching for fine print.
⚠ Pitfall: Placing a single disclosure at the top of a 3,000-word article and assuming it covers all links below. The FTC requires disclosure near each material connection, not once per page.
- Create a dedicated affiliate disclosure page
Add a page titled 'Affiliate Disclosure' or 'How We Make Money' to your site navigation. State: (1) that you are a participant in affiliate programs (name them: Amazon Associates, ShareASale, etc.), (2) that you earn a commission when readers click and purchase, (3) that this does not affect the price paid by the reader, (4) that you only recommend products you believe in. Link to this page from your footer and from any article that contains affiliate links.
Why: Regulators and platforms expect a centralized, transparent statement of your business model. This page serves as evidence of good-faith compliance and reduces ambiguity.
✓ Checkpoint: The page is publicly accessible, indexed by Google, and linked from at least two places on your site (footer + article CTAs).
⚠ Pitfall: Writing the disclosure in legal jargon or hiding it behind a 'Legal' dropdown. Use plain English: 'We earn money when you buy through our links, but the price you pay doesn't change.'
- Audit existing content for disclosure gaps
Use your site search or a tool like Screaming Frog to identify every page with affiliate links. For each, verify: (1) a disclosure statement appears before the first link, (2) the wording includes 'affiliate' or 'commission,' (3) the disclosure is not hidden in a collapsed section or footnote. Create a spreadsheet with URL, current disclosure, and status (compliant/needs fix).
Why: Legacy content often lacks disclosure because standards have tightened. An audit catches gaps before platforms or regulators do.
✓ Checkpoint: Your spreadsheet accounts for 100% of pages with affiliate links. Each row has a 'compliant' or 'needs fix' status.
⚠ Pitfall: Auditing only recent articles. Older posts are often the ones platforms flag because they predate your current disclosure practice.
- Test disclosure visibility across devices
Open three of your affiliate articles on desktop, tablet, and mobile. Scroll to the first affiliate link. Without zooming or searching, can you see the disclosure? If not, move the disclosure higher, increase font size, or change the layout so it's visible above the fold on all devices.
Why: Mobile users make up 60%+ of traffic. A disclosure that's visible on desktop but buried on mobile fails FTC and platform standards.
✓ Checkpoint: The disclosure is visible in the viewport on first load on all three devices.
⚠ Pitfall: Testing only on your own desktop. Use Chrome DevTools or a mobile device to simulate real user experience.
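The content audit described in the steps above can be scripted. The following is an added example, not part of the original guide: it checks each page for wording containing 'affiliate' or 'commission' that appears before the first affiliate link and outside a collapsed section or footer, then writes the URL / current disclosure / status rows. The link patterns in AFFILIATE_HINTS, the HIDDEN_TAGS set and the sample pages are constructed assumptions.

```python
import csv
import io
from html.parser import HTMLParser

# Assumptions for this example (adjust to your own site):
AFFILIATE_HINTS = ("amzn.to/", "?tag=", "&tag=", "shareasale.com/")  # link patterns
HIDDEN_TAGS = {"details", "footer"}   # collapsed section / footer placement
KEYWORDS = ("affiliate", "commission")


class DisclosureAudit(HTMLParser):
    """Records where disclosure wording sits relative to the first affiliate link."""

    def __init__(self):
        super().__init__()
        self.hidden_depth = 0      # >0 while inside <details> or <footer>
        self.skip_depth = 0        # >0 while inside <script> or <style>
        self.first_link_seen = False
        self.visible_before = self.hidden_before = self.after = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in HIDDEN_TAGS:
            self.hidden_depth += 1
        elif tag in ("script", "style"):
            self.skip_depth += 1
        elif tag == "a" and not self.first_link_seen:
            href = (a.get("href") or "").lower()
            rel = (a.get("rel") or "").lower().split()
            if "sponsored" in rel or any(h in href for h in AFFILIATE_HINTS):
                self.first_link_seen = True

    def handle_endtag(self, tag):
        if tag in HIDDEN_TAGS and self.hidden_depth:
            self.hidden_depth -= 1
        elif tag in ("script", "style") and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        text = " ".join(data.split())
        if self.skip_depth or not any(k in text.lower() for k in KEYWORDS):
            return
        if self.first_link_seen:
            self.after = self.after or text
        elif self.hidden_depth:
            self.hidden_before = self.hidden_before or text
        else:
            self.visible_before = self.visible_before or text


def audit_page(url, html):
    p = DisclosureAudit()
    p.feed(html)
    p.close()
    if not p.first_link_seen:
        status, note = "no affiliate links", ""
    elif p.visible_before:
        status, note = "compliant", ""
    elif p.hidden_before:
        status, note = "needs fix", "disclosure only in collapsed section or footer"
    elif p.after:
        status, note = "needs fix", "disclosure appears after first affiliate link"
    else:
        status, note = "needs fix", "no disclosure wording found"
    found = p.visible_before or p.hidden_before or p.after or ""
    return {"url": url, "current_disclosure": found[:80], "status": status, "note": note}


def audit_site(pages):
    """Return (rows, csv_text) for a mapping of URL -> HTML."""
    rows = [audit_page(u, h) for u, h in pages.items()]
    out = io.StringIO()
    w = csv.DictWriter(out, fieldnames=["url", "current_disclosure", "status", "note"])
    w.writeheader()
    w.writerows(rows)
    return rows, out.getvalue()


# Constructed sample pages (not real content).
PAGES = {
    "https://example.com/good": '<article><p>As an affiliate, I earn a commission from qualifying purchases.</p><a href="https://amzn.to/abc">Buy</a></article>',
    "https://example.com/late": '<article><a rel="sponsored" href="https://shop.example/p">Buy</a><p>This page contains affiliate links.</p></article>',
    "https://example.com/collapsed": '<details><summary>Legal</summary>We earn a commission.</details><a href="https://shop.example/p?tag=site-20">Buy</a>',
    "https://example.com/none": '<p>Great product.</p><a href="https://amzn.to/xyz">Buy</a>',
}

if __name__ == "__main__":
    print(audit_site(PAGES)[1])
```

This is a static check of markup order only; whether the disclosure is actually visible in the viewport still needs the device test in the last step.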
Foundation 2: Privacy, Cookies, and Data Collection Compliance
Privacy compliance is where most affiliate sites fail. You likely collect data three ways: through analytics (Google Analytics, Hotjar), email capture (ConvertKit, Mailchimp), and third-party tracking (ad networks, affiliate pixels). Each triggers different legal requirements depending on your audience's location. If you serve any EU traffic, GDPR applies. If you have California visitors, CCPA applies. If you serve other U.S. states (Virginia, Colorado, Connecticut, Utah), their privacy laws apply. The baseline: you must disclose what data you collect, why, and how long you keep it. You must obtain affirmative consent for non-essential cookies and email collection. You must allow users to opt out and delete their data. Platforms like Google and Amazon also have their own cookie policies. Google Ads suspends accounts that don't comply with GDPR. Amazon Associates requires a privacy policy that discloses affiliate relationships and cookie use.
- Create a Privacy Policy that discloses all data collection
Write or generate a Privacy Policy that explicitly states: (1) what data you collect (IP address, browser type, email, device ID), (2) which tools collect it (Google Analytics, Mailchimp, affiliate networks), (3) why you collect it (analytics, email marketing, affiliate tracking), (4) how long you retain it, (5) that you use cookies and what for, (6) that users can opt out. Use a template generator (Termly, iubenda, or Shopify's Privacy Policy Generator) as a starting point, then customize for your specific tools.
Why: GDPR, CCPA, and platform policies all require a clear, accessible privacy policy. Without one, you're non-compliant by default and vulnerable to penalties.
✓ Checkpoint: Your privacy policy is linked from the footer of every page, is at least 800 words, and specifically names the tools you use (Google Analytics, Mailchimp, etc.).
⚠ Pitfall: Using a generic privacy policy template without customizing it to your actual data collection. Regulators check whether your policy matches your site's actual behavior.
- Implement a cookie consent banner
Install a cookie consent tool (OneTrust, Cookiebot, or Iubenda) that displays a banner on first visit. The banner must: (1) ask for explicit consent before setting non-essential cookies, (2) allow users to 'Accept All' or 'Reject All' (not just 'Accept'), (3) provide a link to your Privacy Policy, (4) allow users to change preferences later. Test that the banner appears before Google Analytics or email tracking pixels fire.
Why: GDPR and most state privacy laws require affirmative consent for tracking cookies. A banner that defaults to 'accepted' or doesn't allow rejection is non-compliant.
✓ Checkpoint: The banner appears on first visit, blocks analytics until consent is given, and the 'Reject' button is as prominent as 'Accept.'
⚠ Pitfall: Installing a banner that 'acknowledges' cookies but doesn't actually block them. If Google Analytics fires before consent, you're still non-compliant.
- Audit and disable non-essential third-party scripts
List every third-party script on your site: Google Analytics, Mailchimp, affiliate pixels, ad networks, heat mapping, form tools, etc. For each, determine if it's essential (required for the site to function) or non-essential (marketing/analytics). Remove or disable non-essential scripts that fire before consent. Use Google Tag Manager to load non-essential tags only after consent is granted.
Why: Non-essential scripts that fire before consent violate GDPR and CCPA. Affiliate pixels, in particular, often load automatically and need to be gated behind consent.
✓ Checkpoint: Your cookie consent tool's audit report shows zero non-essential cookies being set before consent.
⚠ Pitfall: Assuming affiliate pixels are 'essential' and exempting them from consent. They're not. If they're not required for the page to function, they need consent.
- Add a data deletion request process
Create a simple form on your site (or link to your privacy tool's form) that allows users to request deletion of their personal data. When a request comes in, delete the user's data from your email list, analytics, and any other systems where you've stored it. Set a deadline (30 days is standard) and respond to confirm deletion. Document each request.
Why: GDPR, CCPA, and other privacy laws give users the right to request deletion. Without a process, you're non-compliant and liable for penalties.
✓ Checkpoint: A 'Request Data Deletion' link is visible from your Privacy Policy page. You've tested it by submitting a request and confirming deletion.
⚠ Pitfall: Ignoring deletion requests or deleting only from one system (e.g., email) while leaving data in analytics. You must delete comprehensively.
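To check the consent-banner and third-party-script steps above against the HTML your server actually sends, the following added example (not part of the original guide) lists third-party scripts, images and iframes that would load before any consent decision. It assumes the consent tool gates a script by giving it a non-executable type such as text/plain and gates pixels by withholding the src attribute; the hosts ending in .example, the data-category attribute and the G-EXAMPLE ID are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Script types a browser executes immediately; anything else (for example
# text/plain) stays inert until a consent tool rewrites it.
EXECUTABLE_TYPES = {"", "module", "text/javascript", "application/javascript"}


class PreConsentLoads(HTMLParser):
    """Collects third-party resources that load as soon as the page is parsed."""

    def __init__(self, site_host, essential_hosts):
        super().__init__()
        self.site_host = site_host
        self.essential = set(essential_hosts)
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:                       # inline script or gated via data-src
            return
        host = urlsplit(src).hostname     # None for relative (first-party) URLs
        if host is None or host == self.site_host or host in self.essential:
            return
        if tag == "script":
            stype = (a.get("type") or "").strip().lower()
            if stype not in EXECUTABLE_TYPES:
                return                    # gated: will not run before consent
        self.findings.append((tag, host))


def find_preconsent_loads(html, site_host, essential_hosts=()):
    parser = PreConsentLoads(site_host, essential_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: the analytics loader and one affiliate pixel are
# not gated; the heat-mapping script and the second pixel are.
SAMPLE_HTML = """
<head>
  <script src="https://consent.example/banner.js"></script>
  <script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
  <script type="text/plain" data-category="statistics" src="https://heatmap.example/h.js"></script>
  <script src="/assets/app.js"></script>
</head>
<body>
  <img src="https://pixel.affiliate-network.example/i.gif" width="1" height="1">
  <img data-src="https://pixel2.affiliate-network.example/i.gif">
</body>
"""

if __name__ == "__main__":
    for tag, host in find_preconsent_loads(
        SAMPLE_HTML, "www.example.com", essential_hosts={"consent.example"}
    ):
        print(f"loads before consent: <{tag}> from {host}")
```

Tags injected at runtime by other scripts or by a tag manager do not appear in the served HTML, so confirm the result in a browser's network panel on a first visit with no consent given.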
Foundation 3: Content Truthfulness and Avoiding Deceptive Claims
The FTC's primary enforcement tool is Section 5 of the FTC Act, which prohibits unfair or deceptive practices. For affiliate sites, this means you cannot make claims about products that are not substantiated, cannot imply benefits a product doesn't deliver, and cannot mislead readers about your experience with a product. Common violations: claiming a product 'cures' or 'prevents' disease without clinical evidence, stating income guarantees ('earn $5k/month with this tool'), writing fake reviews as if you've tested a product you haven't, or making comparative claims ('this is 10x faster than X') without evidence. These aren't gray areas—they're clear violations that result in content removal and account suspension. The bar for substantiation is high. If you claim a product saves time, you need a source (a study, a timer test, the vendor's documented specs). If you claim it's 'the best,' you must state the criteria ('best for beginners' is defensible; 'best overall' is not without explicit comparison).
- Identify all product claims in your content
Review your top 10 affiliate articles. For each, list every claim made about the product: 'saves 5 hours/week,' 'beginner-friendly,' 'integrates with Zapier,' 'increases productivity,' etc. Note which claims you've verified (tested yourself, sourced from the vendor, found in independent reviews) and which are unsubstantiated.
Why: Unsubstantiated claims are FTC violations. You need to know what you're claiming so you can back it up or remove it.
✓ Checkpoint: You have a spreadsheet of claims and sources. Every claim has a source or is marked 'remove.'
⚠ Pitfall: Assuming that because a vendor makes a claim, you can repeat it. You're responsible for substantiation, not the vendor.
- Remove or source every unsubstantiated claim
For each unsubstantiated claim, either: (1) add a source (link to a study, the vendor's spec sheet, or a statement like 'according to the vendor'), (2) reframe it as an opinion ('I found it intuitive' vs. 'it's intuitive'), or (3) delete it. Do not use hedge language like 'may' or 'could' to mask a lack of evidence—that's still deceptive.
Why: Sourcing or opinion-framing makes claims defensible. Deleting removes the liability.
✓ Checkpoint: Every claim in your revised content has a source, is clearly marked as opinion, or has been removed.
⚠ Pitfall: Using phrases like 'some users report' or 'it's believed to' as a way to avoid substantiation. These are still claims and still need evidence.
- Disclose your testing status honestly
For each product you review, state clearly whether you've tested it, used a trial, or are reviewing based on vendor information and user feedback. Do not write 'I tested this for 30 days' if you haven't. If you haven't tested it, write: 'I haven't personally tested this product, but based on user reviews and vendor documentation, here's what you should know.'
Why: Implied personal experience without disclosure is a material misrepresentation under FTC rules.
✓ Checkpoint: Every review includes a sentence about your testing status. You've never claimed to have tested a product you haven't.
⚠ Pitfall: Writing reviews in first person ('I found this tool amazing') without disclosing that you're reviewing based on user feedback, not personal use.
- Remove comparative claims without evidence
Search your content for phrases like 'the best,' 'fastest,' 'cheapest,' '10x better,' or 'vs. [competitor].' For each, verify you have evidence (a benchmark, a spec comparison, a user study). If not, either add the evidence or change the claim to 'one of the best for [specific use case]' or 'faster than [specific competitor] according to [source].'
Why: Comparative claims without evidence are deceptive. Specific, sourced comparisons are defensible.
✓ Checkpoint: Every comparative claim has a source or has been reframed as a qualified statement.
⚠ Pitfall: Claiming a product is 'the best' because you like it. Opinion is fine; 'best' is a factual claim that needs evidence.
Foundation 4: Terms of Service and Legal Pages
You need three pages: a Privacy Policy (covered above), a Terms of Service, and an Affiliate Disclosure page. These aren't optional—platforms require them, regulators expect them, and they protect you legally. Your Terms of Service should cover: your right to change content, limitation of liability, user conduct rules (no scraping, no automated access), dispute resolution, and governing law. Your Affiliate Disclosure page should state which programs you're in and that you earn commissions. Together, these pages signal that you're a professional operation and reduce your liability if something goes wrong.
- Write or generate a Terms of Service
Use a template generator (Termly, iubenda, or Shopify's Terms of Service tool) to create a basic Terms of Service. Customize it to include: (1) your site's purpose (providing affiliate reviews/recommendations), (2) that you earn commissions from affiliate links, (3) that you're not responsible for third-party products or vendor disputes, (4) that you reserve the right to change content, (5) limitation of liability (you're not liable for losses resulting from product purchases), (6) governing law (your state).
Why: A Terms of Service limits your liability and sets expectations. It also signals professionalism to platforms and regulators.
✓ Checkpoint: Your Terms of Service is at least 500 words, mentions affiliate relationships, and is linked from your footer.
⚠ Pitfall: Using a generic Terms of Service that doesn't mention affiliate relationships or your specific business model. Customize it.
- Create a dedicated Affiliate Disclosure page
Create a new page titled 'Affiliate Disclosure' or 'How We Make Money.' State: (1) 'I participate in affiliate programs including [list them: Amazon Associates, ShareASale, CJ Affiliate, etc.],' (2) 'I earn a commission when you click a link and make a purchase,' (3) 'This commission does not affect the price you pay,' (4) 'I only recommend products I believe in,' (5) 'My recommendations are based on [testing/user feedback/vendor specs].' Link to this page from your footer and your Privacy Policy.
Why: Platforms and regulators expect a transparent statement of your business model. This page is your first line of defense against compliance violations.
✓ Checkpoint: The page is in your main navigation or footer, is at least 300 words, and specifically names the affiliate programs you're in.
⚠ Pitfall: Burying this page or writing it in legal jargon. Make it prominent and use plain English.
- Link all legal pages from your footer
Add a footer section titled 'Legal' or 'Policies' with links to: Privacy Policy, Terms of Service, Affiliate Disclosure, and Contact. Ensure these links appear on every page of your site.
Why: Regulators and platforms check whether legal pages are easily accessible. A footer link on every page satisfies this requirement.
✓ Checkpoint: All four legal pages are linked from the footer on your homepage and at least two other pages.
⚠ Pitfall: Hiding legal pages in a dropdown or sub-menu. They should be one click away from any page on your site.
Foundation 5: Responsible Advertising and Platform Policies
Google Ads, Meta, Amazon Associates, and other platforms all have content policies that go beyond FTC rules. Violating these policies results in immediate account suspension, traffic loss, and payout holds. The most common violations: health claims ('this supplement cures arthritis'), financial claims ('earn $10k/month'), targeting minors with adult products, promoting prohibited categories (weapons, illegal drugs, counterfeit goods), and misleading ads (clickbait headlines, false scarcity). Your site content and your ads must both comply. If your article claims a product 'increases focus by 40%,' that's a health claim that violates Google Ads policy. If your ad says 'Limited time: only 3 left,' that's false scarcity. If you target 13-year-olds with energy drink affiliate links, that's targeting minors with restricted products. The enforcement is automated and swift. Google uses AI to scan content and flag violations. Amazon audits publisher sites quarterly. If you fail, your account is suspended within 48 hours.
| Platform | Key Policy | Violation Example | Consequence |
|---|---|---|---|
| Google Ads | No health claims, financial guarantees, or misleading ads | Promoting a weight-loss supplement as 'proven to reduce belly fat' | Account suspension within 48 hours |
| Amazon Associates | Affiliate disclosure required; no misleading product comparisons | Claiming a product is 'the best' without evidence or affiliate disclosure | Account termination; unpaid commissions forfeited |
| Meta Ads | No health claims, financial claims, or targeting minors with restricted products | Ad promoting a crypto course as 'guaranteed returns' | Ad rejection; account warning or suspension |
| CJ Affiliate | Publisher site must pass compliance review; content must be truthful | Fake reviews or unsubstantiated product claims | Publisher removal; unpaid commissions held |
| ShareASale | No deceptive practices; affiliate disclosure required | Email list with affiliate links but no affiliate disclosure in emails | Account suspension pending investigation |
- Review your top 20 articles for prohibited claims
Search your content for these phrases: 'cures,' 'prevents,' 'treats,' 'guaranteed,' 'earn money,' 'make $,' 'no risk,' 'clinically proven,' 'FDA approved' (if not actually FDA-approved). For each instance, determine if the claim is defensible (sourced, qualified) or prohibited (unsubstantiated, absolute). Remove or reframe prohibited claims.
Why: Google and Meta scan for these exact phrases. Articles containing them are flagged automatically and can trigger account suspension.
✓ Checkpoint: You have a list of flagged phrases and their locations. Each has been either sourced, reframed as opinion, or removed.
⚠ Pitfall: Assuming that because a vendor makes a claim, you can use it. You're responsible for compliance, not the vendor.
- Audit your ads for misleading headlines and false scarcity
Review every ad you're running (Google Ads, Facebook, etc.). Check for: (1) clickbait headlines that don't match the landing page, (2) false urgency ('only 3 left,' 'offer ends tonight' if not true), (3) misleading images or claims, (4) targeting minors with restricted products (energy drinks, gambling, adult content). If you find violations, pause the ad and revise it.
Why: Misleading ads trigger automated policy reviews and manual audits. Platforms suspend accounts that repeatedly violate these rules.
✓ Checkpoint: Every active ad has a headline that matches the landing page, no false scarcity, and appropriate audience targeting.
⚠ Pitfall: Running ads with 'clickbait' headlines because they convert. Platforms will suspend you. Conversion is irrelevant if the account is shut down.
- Verify your audience targeting excludes minors for restricted products
If you're promoting energy drinks, supplements, financial products, or other age-restricted items, check your ad targeting. Ensure you're not targeting users under 18 (or under 21 if applicable). Review your site's content to confirm it's not designed to appeal primarily to minors.
Why: Targeting minors with restricted products is a violation across all platforms and can trigger enforcement action.
✓ Checkpoint: Your ad targeting explicitly excludes users under 18. Your site's design and language don't primarily target minors.
⚠ Pitfall: Assuming that because a product is legal, you can target anyone. Age restrictions exist for legal and policy reasons.
Building a Compliance System You Can Maintain
Compliance isn't a one-time project—it's an ongoing system. The sites that stay compliant don't do a big audit once and move on. They integrate compliance into their publishing workflow, audit quarterly, and update policies as laws change. The simplest system has three parts: a pre-publish checklist (run before every article goes live), a quarterly audit (review your top content and ads), and a policy update calendar (track when platforms change their rules and update your legal pages accordingly).
- Schedule a quarterly review date
Mark your calendar: every 90 days (e.g., Jan 15, Apr 15, Jul 15, Oct 15), you will spend 2–3 hours reviewing compliance. Set a calendar reminder 1 week before.
Why: A scheduled review ensures compliance doesn't get deprioritized. It's also a paper trail that shows good-faith effort if a regulator questions you.
✓ Checkpoint: Your calendar has four recurring quarterly review dates.
⚠ Pitfall: Treating the review as optional. Schedule it like a client call—non-negotiable.
- Review your top 20 articles and top 5 ads
On your quarterly review date, pull your top 20 articles by traffic and your 5 active ad campaigns. Run each through the Pre-Publish Checklist above. Document any violations (missing disclosure, unsubstantiated claims, false scarcity, etc.). Fix violations within 2 weeks.
Why: Your highest-traffic content is what regulators and platforms audit first. Fixing the top 20% of your content fixes most of your risk.
✓ Checkpoint: You have a document dated with the review date, listing each article/ad and its compliance status (pass/fail).
⚠ Pitfall: Reviewing only recent articles. Older, high-traffic posts are often the ones with compliance gaps.
- Update your Privacy Policy and Terms of Service
Check if any new privacy laws have passed in the states/regions you serve (GDPR, CCPA, VCDPA, etc.). Update your Privacy Policy to reflect any new requirements. Check if your affiliate programs have updated their policies. Update your Terms of Service and Affiliate Disclosure if needed.
Why: Privacy laws change annually. Platforms update policies quarterly. If your legal pages are outdated, you're non-compliant.
✓ Checkpoint: Your Privacy Policy and Terms of Service are dated with the current quarter and year.
⚠ Pitfall: Assuming that if you updated your legal pages last year, they're still current. They're not.
Common Compliance Questions
Yes. If you send emails with affiliate links, you must include an affiliate disclosure in the email itself or in a footer that appears on every email. The FTC and CAN-SPAM rules both require this. A single disclosure at the end of the email chain is sufficient, but it must be clear and visible.
Your Next Step: Audit This Week
Compliance doesn't require a complete site rebuild. Start with one action this week: audit your top 10 articles for affiliate disclosure gaps. For each article, verify that a disclosure statement appears before the first affiliate link and uses the word 'affiliate' or 'commission.' Fix any gaps by adding or revising the disclosure. Next week, create your Privacy Policy and Affiliate Disclosure pages using the templates linked in this guide. The week after, set up your quarterly compliance review calendar and run your pre-publish checklist on your next article. Three weeks of small actions builds a compliant site that survives audits, keeps your accounts active, and protects your revenue. Waiting until you're audited means starting from a deficit. Start now.