What is the legality of online promotions?

Overview: Why legality matters for online promotions

Online promotions—giveaways, sweepstakes, contests, coupon codes, referral programs, loyalty points, affiliate offers, sponsored posts, and influencer collaborations—can turbocharge growth. But they sit at the intersection of advertising law, consumer protection, data privacy, and sector-specific regulations. Missteps can trigger regulator investigations, platform account bans, class-action lawsuits, refunded revenues, and reputational damage.

Compliance isn’t just about avoiding fines. Clear rules increase trust, conversion rates, and long-term brand equity. This guide explains the legality of online promotions, including the difference between sweepstakes and contests, disclosure duties for endorsements, email/SMS requirements, privacy obligations, and best practices for running compliant promotional campaigns across jurisdictions.

Legal foundations: Truthful advertising and consumer protection

Across jurisdictions, the baseline is consistent: advertising must be truthful, not misleading, and substantiated. Regulators can act even if you didn’t intend to deceive.

• United States: Federal Trade Commission (FTC) Act prohibits unfair or deceptive acts or practices. State attorneys general enforce similar laws.
• European Union: Unfair Commercial Practices Directive (UCPD) and national consumer laws prohibit misleading actions and omissions.
• United Kingdom: The Consumer Protection from Unfair Trading Regulations (CPRs) and the ASA/CAP Codes govern non-broadcast advertising, sales promotions, and direct marketing.
• Canada: Competition Act and Canadian Code of Advertising Standards.
• Australia: Australian Consumer Law (ACL) bans misleading or deceptive conduct in trade or commerce.

Key principles you must follow in any online promotion:

• Be clear and conspicuous: Disclosures must be easily noticeable and understandable on all devices (including mobile).
• Don’t omit material information: Eligibility limits, end dates, significant conditions, or material connections must be explained.
• Substantiate claims: Have competent and reliable evidence for claims, especially health, performance, environmental, or price savings claims.
• Avoid bait-and-switch: Don’t advertise a product or prize to lure consumers if you don’t intend to provide it as advertised.

Influencer, affiliate, and native advertising disclosures

Endorsements must reflect honest opinions and typical experiences. When there’s a “material connection” (payment, free products, affiliate commissions, family, or employment), you must disclose it clearly.

• FTC Endorsement Guides (US): Disclose with clear, simple labels such as “Ad,” “Sponsored,” or “Paid partnership.” Hashtags like #ad placed at the beginning are effective. Avoid burying disclosures in bio links or at the end of long captions. Video and audio need on-screen and verbal disclosures.
• ASA/CAP Code (UK): Labels must be “obviously identifiable.” “Ad” or “Advert” is preferred. The brand has joint responsibility with the influencer.
• EU national authorities apply similar principles under UCPD; disclosures must be immediate and unambiguous.
• Affiliate marketing: Disclose affiliate relationships near the link (e.g., “We may earn a commission from qualifying purchases”). Some programs (e.g., Amazon Associates) require specific wording.
• Native advertising: Sponsored content that looks like editorial must be prominently labeled as advertising.

Reviews and testimonials:

• Don’t post or procure fake reviews, suppress negative reviews, or offer undisclosed incentives for positive reviews.
• Make sure “typical results” are not overstated; if results vary, clarify what typical consumers can expect.
• In 2024 the FTC finalized a rule targeting fake reviews and undisclosed review practices; penalties can be significant. Check the latest enforcement updates.

Sweepstakes, contests, lotteries, and giveaways

Promotions that award prizes are highly regulated. Understand the legal categories:

• Lottery: Prize + Chance + Consideration (payment or substantial effort). Private lotteries are generally illegal unless specifically authorized (e.g., state lotteries, licensed raffles by charities).
• Sweepstakes: Prize + Chance, but no consideration. “No purchase necessary” and a free alternative method of entry (AMOE) are required in many jurisdictions.
• Contest/Game of skill: Prize + Skill, minimal or no chance. You must have objective judging criteria and retain records. Some jurisdictions still regulate skill contests.

Core requirements for compliant giveaways:

• Official rules: Include eligibility (age, location), start/end dates, how to enter, odds of winning, prize descriptions/values, how winners are selected/verified, restrictions, sponsor identity, privacy practices, and dispute resolution/venue.
• No purchase necessary: Offer a free, equally prominent AMOE. Don’t penalize non-purchasers with worse odds.
• Avoid unlawful consideration: Requiring a purchase, excessive effort, or paid postage can convert a sweepstakes into a lottery.
• Registration/bonding (US): New York and Florida require registration and bonding for sweepstakes with total prize value above $5,000; Rhode Island requires registration for certain in‑store retail promotions over $500. Lead times apply.
• Canada/Quebec: Quebec has additional language and filing rules for promotions open to Quebec residents. Consider offering a mathematical skill-testing question to avoid pure chance issues.
• Taxes: In the US, sponsors may need to issue IRS Form 1099‑MISC for prizes ≥ $600; disclose tax responsibilities in the rules.
• Social media terms: Platforms have their own promotion rules. For example, Facebook and Instagram require a complete release of the platform by each entrant and prohibit inaccurately tagging content; YouTube and TikTok have specific prohibitions and disclosure rules. Don’t imply the platform endorses your promotion.
• Eligibility and geofencing: If restricted to certain states/countries or age groups, enforce using geolocation and age verification as needed.
• Winner selection and notice: Document random drawings or scoring criteria, contact timelines, and alternative winners if unresponsive.
• UGC rights and moderation: If entrants upload content, specify usage rights, prohibited content, and takedown procedures. Obtain consent to use names/likenesses.

Common pitfalls:

• “Tag three friends to enter” may be restricted by platform policies and some national advertising codes.
• Requiring entrants to pay shipping/handling to claim a prize can be treated as consideration.
• Not offering a free entry method in a sweepstakes open to the US.
• Running a global promotion without excluding countries with prohibitions or added requirements.

Email and SMS: CAN-SPAM, CASL, GDPR, TCPA

Email marketing

• CAN-SPAM (US): No prior opt-in is required for commercial email, but you must have accurate headers, non-deceptive subject lines, a physical postal address, clear identification of the message as an advertisement when applicable, and a one-click unsubscribe processed within 10 business days. No sale or transfer of emails after opt-out for marketing.
• CASL (Canada): Requires express consent (or limited implied consent) before sending commercial electronic messages. Identify the sender, include contact details, provide a working unsubscribe mechanism that remains functional for at least 60 days, and honor opt-outs promptly. Heavy penalties apply.
• GDPR/ePrivacy (EU/UK): Generally requires prior consent for direct marketing emails to individuals unless a narrow “soft opt‑in” applies (existing customer relationship + similar products + easy opt‑out). Maintain records of consent.

SMS/text marketing

• TCPA (US): Promotional texts typically require prior express written consent. Keep proof of consent, identify your brand in each message, and include clear STOP/HELP instructions. Respect the National Do Not Call Registry for telemarketing. State mini-TCPA laws may add stricter rules.
• CTIA guidelines (industry): Disclose message frequency, fees (“Msg & data rates may apply”), opt‑in flow, HELP/STOP commands, and link to terms and privacy policy.
• Canada, EU/UK, Australia: Treat SMS like email—obtain consent, provide identification and easy opt-out, and avoid messaging at inappropriate times.

Privacy, cookies, tracking, and “Do Not Sell/Share”

Promotions often collect personal data (names, emails, phone numbers, social handles, IP addresses, geolocation). You need a compliant privacy program.

• GDPR (EU) and UK GDPR: Have a lawful basis (consent, legitimate interests, contract, etc.), provide transparent notices, honor data subject rights, and implement data minimization and security. For cookies/trackers used for advertising, obtain prior consent per ePrivacy rules.
• CCPA/CPRA (California) and other US state privacy laws: Provide notice at collection, offer a “Do Not Sell or Share My Personal Information” mechanism if you engage in cross‑context behavioral advertising or sell personal information, honor Global Privacy Control signals, and have contracts with service providers.
• International transfers: Use appropriate safeguards (e.g., EU SCCs) when transferring data across borders.
• Cookie consent: Implement a consent banner with granular choices and a cookie policy; respect user choices and provide a way to change them.

Best practices:

• Separate consent: Don’t bundle contest entry with consent to marketing unless permitted; provide a clear choice.
• Retention limits: Keep data only as long as needed for the promotion and legal obligations.
• Vendor due diligence: Ensure your email/SMS, analytics, and adtech vendors meet applicable privacy/security standards.

Claims: Substantiation, health/green claims, pricing, and reviews

Marketers must be able to prove claims at the time they’re made.

• Health and performance claims: Require competent and reliable scientific evidence. For drugs, devices, or significant health benefits, additional FDA/EMA or national approvals and “fair balance” may apply. Avoid unapproved disease claims for supplements.
• Environmental (“green”) claims: The FTC Green Guides (US) and EU/UK rules prohibit vague terms like “eco-friendly” or “sustainable” without support. Be specific about the attribute (e.g., “packaging contains 50% recycled content”). Keep lifecycle evidence on file.
• Price and savings claims: “50% off” must refer to a genuine, recent, non-inflated reference price. Don’t use drip pricing. EU’s Omnibus rules and UK pricing practices guidance have strict requirements for announcing price reductions.
• Comparative advertising: Ensure comparisons are accurate, current, and verifiable; don’t disparage competitors with false statements.
• Free claims: “Free” should mean no unavoidable costs beyond reasonable, disclosed fees (e.g., optional shipping upgrades). Don’t condition “free” on unrelated purchases.
• Reviews and ratings: Don’t use fake or filtered reviews. Disclose incentivized reviews. Keep moderation policies impartial.

Marketing to children and age-gated content

• COPPA (US): Collecting personal information from children under 13 requires verifiable parental consent, a child‑directed privacy notice, and data minimization.
• GDPR: Child consent age varies by country (usually 13–16). Implement age checks and parental consent where required.
• UK Age-Appropriate Design Code: Demands high-privacy defaults and data minimization for under‑18s; impacts ad personalization and nudge techniques.
• Restricted products (alcohol, gambling, vaping): Use robust age-gating and avoid targeting minors or using youth-oriented creative.

Regulated industries: Finance, health, alcohol, gambling

• Financial promotions: In the US, securities and investment promotions may be subject to SEC and FINRA rules; in the UK, the FCA requires fair, clear, and not misleading promotions and, for some categories, prior approval by an authorized firm. Disclose risks; avoid guaranteed returns.
• Healthcare and pharmaceuticals: HIPAA limits the use of protected health information. Medical device and drug promotions may require balanced risk disclosures and compliance with FDA/EMA national rules. Avoid unapproved claims.
• Alcohol: Follow local alcohol beverage control (ABC) laws and self-regulatory codes. Avoid targeting underage users; add responsibility messages; comply with content restrictions.
• Gambling and sports betting: Licensing, geofencing, and age verification are often required. Include responsible gaming messages and helplines. Bonus offers must disclose wagering requirements.
• Tobacco and vaping: Severe restrictions or bans on online advertising in many jurisdictions. Check local laws before running any promotions.

Intellectual property and publicity rights

• Trademarks and copyrights: Don’t use third-party logos, images, video, or music without permission or a license.
• Right of publicity: Using someone’s name, image, or voice in a promotion typically requires a written release. This includes influencers, winners, and UGC participants.
• UGC licenses: Spell out the scope (where, how long, what media), whether you can edit content, and moral rights waivers where applicable.
• Infringement risks: Keyword advertising using competitors’ trademarks is regulated differently by country and platform; avoid confusion as to source or endorsement.

Platform and app-store policies

Beyond the law, platforms have contractual rules that can be stricter:

• Meta (Facebook/Instagram): Clear rules on tagging, inaccurate engagement, prohibited content, special ad categories (credit, housing, employment).
• Google Ads: Bans on misrepresentation, unapproved health claims, restricted financial services; strict destination requirements.
• TikTok, X, YouTube, Snapchat, LinkedIn: Each has specific ad policies, disclosures, and prohibitions.
• App stores (Apple/Google Play): Requirements for in‑app contests, loot boxes, disclosures, and mechanisms for selection/winner verification.

Violations can lead to ad disapprovals, account suspensions, and loss of remarketing features.

Global snapshot: US, EU/UK, Canada, Australia

United States

• FTC Act governs deceptive/unfair practices; Endorsement Guides; state UDAP laws.
• CAN-SPAM (email), TCPA (SMS/telemarketing), COPPA (children), state privacy laws (e.g., CCPA/CPRA).
• NY/FL sweepstakes registration/bonding over $5,000; RI retail registration above $500.

European Union and United Kingdom

• UCPD and national consumer laws; ASA/CAP Codes (UK) for marketing content.
• GDPR and ePrivacy for data and cookies; PECR (UK) for electronic marketing.
• Pricing transparency and green claims under EU/UK guidance; UK CPRs.

Canada

• • CASL for electronic messages; Competition Act for misleading advertising.
  • Quebec has special contest requirements; consider bilingual rules and filings.
  • Privacy laws: PIPEDA and provincial statutes; evolving modernization efforts.

Australia

• • • Australian Consumer Law; Spam Act 2003 for commercial electronic messages.
    • State permits for “trade promotion lotteries” may be required depending on prize value and game type.

Tip: If you can’t localize for each jurisdiction, limit eligibility to geographies you can support and clearly state exclusions.

Taxes, permits, and recordkeeping

• Prize valuation: Disclose approximate retail value (ARV). Winner taxes vary by country; in the US, sponsors may issue Form 1099‑MISC for prizes ≥ $600.
• Duties/fees: Clarify who pays shipping, import duties, or travel costs. Avoid creating hidden consideration.
• Permits: Some jurisdictions require permits/registrations for chance-based promotions; check state/provincial rules.
• Records: Keep official rules, winner lists, consent logs, claim substantiation, and audit trails for drawings/scoring.

Dark patterns and deceptive design

Regulators increasingly target manipulative UX that subverts user choice.

• Don’t precheck consent boxes or make opt-outs hard to find.
• Avoid confusing countdown timers, fake scarcity, or misleading urgency.
• Honor Global Privacy Control and make “unsubscribe” and “do not sell/share” easy.
• Don’t gate key features behind unrelated consent or bundle multiple consents.

Compliance checklist for online promotions

• Define your promotion type: sweepstakes, contest, coupon, referral, loyalty, affiliate, or sponsored post.
• Map applicable laws by audience location: advertising, privacy, email/SMS, and sector rules.
• Draft clear official rules and terms: eligibility, AMOE, timing, prizes, odds, selection, taxes, privacy.
• Create disclosures: #ad labels, affiliate disclaimers, review guidelines, material connection statements.
• Obtain proper consents: email/SMS opt‑ins, cookie permissions, child/parental consent if applicable.
• Prepare substantiation: keep evidence for claims (health, green, savings, performance).
• Age and geo-controls: enforce eligibility with age gates and geofencing; exclude restricted locations.
• Vendor and platform compliance: ensure your martech stack and ad platforms meet policy requirements.
• Data governance: minimization, retention, security, “do not sell/share” workflows, and rights handling.
• Tax and filings: handle registrations/bonding, prize valuation, and winner tax documentation.
• Training and approvals: brief influencers/affiliates; review content before launch; monitor in flight.
• Post-campaign: publish winner lists if promised; fulfill prizes; retain records for audits.

FAQs

Is “like, comment, and share to win” legal?

It depends. You must comply with platform rules and local law. In the US, include “no purchase necessary,” eligibility limits, and official rules. Some platforms discourage requiring shares or tagging. Consider an AMOE and disclose that the platform doesn’t sponsor your promotion.

Can I require entrants to pay shipping for a free prize?

Charging mandatory fees can be treated as consideration, risking an illegal lottery. If you must charge, keep it genuinely optional and clearly disclosed—or better, cover shipping.

Do I need consent to email promotion entrants?

Under CAN-SPAM you don’t need prior consent but must include required disclosures and opt‑out. Under CASL and GDPR/ePrivacy, you typically need prior consent (with limited exceptions). Best practice: get explicit, separate opt‑in for marketing.

What should influencer disclosures say?

Use clear labels like “Ad,” “Paid partnership,” or “Sponsored.” Place disclosures upfront in text and on-screen for videos. Avoid ambiguous tags (#partner, #sp) alone. Disclose affiliate relationships near each link.

What are the rules for selecting a winner?

For sweepstakes, use a fair random drawing and document the process. For contests, use objective criteria and impartial judges. State the method in the official rules and stick to it.

Can I run one global promotion?

You can, but compliance becomes complex. Many brands limit eligibility to fewer jurisdictions or run separate localized promotions to meet registration, language, privacy, and age requirements.

What happens if I violate these rules?

Consequences include regulator fines, platform bans, refund requirements, class actions, and reputational harm. Some violations can trigger per-message or per-violation penalties.