An international operation has found that the affiliate marketing industry has significant issues to overcome in terms of compliance with rules concerning privacy and unsolicited communications.

Affiliate marketing is a commercial arrangement allowing a company to generate business by allowing other organisations (“affiliates”) to promote their products or services. For example, an online retailer may pay commission to an external website for traffic or sales generated from its referrals, by hosting links on its own site or sending links out via email or text message.

A global intelligence-gathering operation by the Unsolicited Communications Enforcement Network (UCENet), involving nine agencies from five countries, visited 902 websites and also examined 6,536 consumer complaints related to affiliate marketing in their respective databases. The issues they found included:

Apparent lack of self-regulation: A majority of participants noted that most of the publicly available terms of services between the affiliates, the merchants, and the affiliate platforms lacked appropriate unsolicited communication guidelines establishing what is permissible.

Lack of consent: Some participating countries that have an opt-in unsolicited communication regime noted that affiliates generally do not possess the consent of the consumer to send electronic communications.

Misleading advertising: Many participants noted the prevalence of misleading advertising in the affiliate marketing ecosystem. Within minutes of beginning their research, sweepers were exposed to some form of misleading advertising.

Affiliate marketing platforms: Some affiliate marketing platforms, which operate as a third party agent handling interactions and payments between merchants and affiliates, have a short lifespan (often less than a year) and conceal their physical location, potentially making enforcement a challenge.

Of the 902 international websites visited during the sweep, 221 were flagged for further action. However, the operation also found many examples of good practice in the industry, demonstrating that compliance with laws on unsolicited marketing can be easily achieved.

The UCENet Sweep 2017 was jointly led by the UK’s Information Commissioner’s Office (ICO) and the Canadian Radio-Television and Telecommunications Commission (CRTC).

Notes to Editors

  1. The Information Commissioner’s Office upholds information rights in the public interest, promoting openness by public bodies and data privacy for individuals.
  2. The ICO has specific responsibilities set out in the Data Protection Act 1998, the Freedom of Information Act 2000, Environmental Information Regulations 2004 and Privacy and Electronic Communications Regulations 2003.
  3. The Privacy and Electronic Communications Regulations (PECR) sit alongside the Data Protection Act. They give people specific privacy rights in relation to electronic communications. There are specific rules on:
    • marketing calls, emails, texts and faxes;
    • cookies (and similar technologies);
    • keeping communications services secure; and
    • customer privacy as regards traffic and location data, itemised billing, line identification, and directory listings.

      We aim to help organisations comply with PECR and promote good practice by offering advice and guidance. We will take enforcement action against organisations that persistently ignore their obligations.
  4. The organisations which took part in the UCENet Sweep 2017, which was carried out in June and July, included:
    • Authority for Consumers & Markets (Netherlands)
    • Canadian Radio-television and Telecommunications Commission
    • Claims Management Regulation Unit (U.K.)
    • Gibraltar Regulatory Authority
    • Information Commissioner’s Office (U.K.)
    • Information and Data Protection Commissioner (Malta)
    • Office of the Privacy Commissioner (Canada)
    • Phone-paid Services Authority (U.K.)
    • The Gambling Commission (U.K.)
  5. To report a concern to the ICO telephone our helpline 0303 123 1113 or go to