{"id":1235,"date":"2026-05-28T13:00:00","date_gmt":"2026-05-28T18:00:00","guid":{"rendered":"https:\/\/tolinku.com\/blog\/?p=1235"},"modified":"2026-03-07T03:35:05","modified_gmt":"2026-03-07T08:35:05","slug":"referral-program-compliance","status":"publish","type":"post","link":"https:\/\/tolinku.com\/blog\/referral-program-compliance\/","title":{"rendered":"Referral Program Compliance: Legal Considerations"},"content":{"rendered":"\n

Referral programs pay people to recommend your product. That simple fact triggers a surprisingly broad set of legal requirements. In the US alone, referral incentives intersect with FTC endorsement guidelines, state sweepstakes laws, tax reporting rules, and privacy regulations. Internationally, you add GDPR, anti-spam laws, and country-specific promotional rules.<\/p>\n\n\n\n

Most teams launch referral programs without consulting legal, and most of the time nothing bad happens. But the consequences of non-compliance range from FTC warning letters to class-action lawsuits to regulatory fines. The cost of getting compliance right upfront is a fraction of the cost of fixing it after a regulator notices.<\/p>\n\n\n\n

This guide covers the major compliance areas for referral programs. This is engineering and operational guidance, not legal advice. Work with your legal team for your specific situation. For the general referral program framework, see building referral programs that actually work<\/a>. For fintech-specific compliance, see the fintech referral program guide<\/a>.<\/p>\n\n\n\n

\"Tolinku\nThe referrals page with stats cards, referral list, and leaderboard tabs.<\/em><\/p>\n\n\n\n

FTC Endorsement Guidelines<\/h2>\n\n\n\n

The FTC Endorsement Guides<\/a> require that material connections between endorsers and brands be disclosed. When a user shares a referral link and receives a reward for doing so, that's a material connection.<\/p>\n\n\n\n

What This Means in Practice<\/h3>\n\n\n\n

When a user shares a referral link that earns them a reward, the share message should disclose the incentive. The FTC's standard is that the disclosure must be "clear and conspicuous."<\/p>\n\n\n\n

Compliant share message:<\/strong><\/p>\n\n\n\n

\n

"I use [Product] and love it. If you sign up with my link, we both get $10. [link]"<\/p>\n\n\n\n

Non-compliant share message:<\/strong><\/p>\n\n\n\n

\n

"Check out [Product]! [link]"<\/p>\n\n\n\n

The second message doesn't disclose that the sharer receives a financial incentive for the recommendation.<\/p>\n\n\n\n

How to Implement<\/h3>\n\n\n\n
    \n

  1. Default share messages should include disclosure.<\/strong> When your app generates a pre-written share message, include language like "we both get [reward]" or "referral link" so the incentive is visible.<\/p>\n\n\n\n

    Don't hide the incentive.<\/strong> If the share goes to a landing page, the landing page should also mention that the referrer earns a reward.<\/p>\n\n\n\n

    Social media shares need disclosure in the post itself.<\/strong> A disclosure buried in a link or on the landing page isn't sufficient for social media. The FTC's .com Disclosures guide<\/a> provides specifics for digital advertising.<\/p>\n\n\n\n

    Enforcement<\/h3>\n\n\n\n

    The FTC has issued warning letters and fines for undisclosed paid endorsements. While most enforcement has targeted influencer marketing, the same rules apply to referral programs. The FTC's Operation Full Disclosure<\/a> provides examples of enforcement actions.<\/p>\n\n\n\n

    Privacy Laws<\/h2>\n\n\n\n

    GDPR (EU\/EEA)<\/h3>\n\n\n\n

    If your users include EU\/EEA residents, GDPR<\/a> applies to your referral program. Key requirements:<\/p>\n\n\n\n

    Consent for sharing.<\/strong> When a referrer shares a friend's contact information (email or phone number) through your referral system, you're processing that friend's personal data. You need a lawful basis for this processing, typically the referrer's legitimate interest, but you must also inform the referred person about the data processing.<\/p>\n\n\n\n

    Right to object.<\/strong> The referred person must be able to opt out of further communications. Your referral invitation email must include an unsubscribe mechanism.<\/p>\n\n\n\n

    Data minimization.<\/strong> Only collect the minimum data needed for the referral. If you only need an email to send the invitation, don't also collect the phone number.<\/p>\n\n\n\n

    Right to erasure.<\/strong> If a referred person requests deletion of their data before signing up, you must comply. Delete the referral record and any personal data associated with it.<\/p>\n\n\n\n

    CCPA (California)<\/h3>\n\n\n\n

    CCPA<\/a> gives California residents additional rights:<\/p>\n\n\n\n