In the UK, cookie consent is governed primarily by the Privacy and Electronic Communications Regulations (PECR), which require explicit consent for cookies, regardless of how innocuous they may seem, such as the kind used in most affiliate marketing practices.
But across the Atlantic, the picture differs. “They don’t have (an equivalent) law,” says Steven Brown, Founder & Chief Executive of Moonpull.
Instead, laws like California’s CCPA take a more flexible approach. If you're doing something that involves personal information, then consent is required. But, there’s no overall requirement for cookie consent regardless of data type.
“What that means is that the US affiliate industry is considering earlier than the UK and European affiliate industry whether affiliate tracking involves personal information, and therefore going through the hoops of whether that needs consent or not,” says Brown.
The challenge of exemptions and essential cookies
In the UK, the ICO has carved out one exemption where cookies are deemed “strictly necessary” – those used by cashback and loyalty sites to track user activity in a way clearly consented to by the user. This means that certain affiliate cookies are viewed as essential, but not all of them.
The US does not currently have this concept of “strictly necessary” cookie exemptions. Instead, companies must navigate broader personal data regulations, often relying on legal counsel to understand compliance in complex scenarios.
A shifting industry perspective
Brown explains that in the US, legal teams are also beginning to understand the implications of consent laws on affiliate marketing.
He says that affiliate marketers should stay alert to how different brands and networks interpret these regulations. Legal uncertainty persists, as illustrated by conflicting opinions on whether IP addresses count as personal information.
The ICO’s recent update and what it means
Brown sees the ICO’s recent update on the Data Use Agreement (DUA) as a positive step, providing clarity that some affiliate cookies can be set without consent under PECR.
The update builds on the earlier exemption granted for cashback sites, and the hope is that it will extend the “strictly necessary” cookie status to a broader range of affiliate publishers.
“It’s great because it gives certainty that the cookie can be set from a PECR perspective, without asking for consent – that’s my understanding,” says Brown.
However, he cautions that this may also shift focus toward whether affiliate marketing involves personal data, which could in turn cause more complications.
How Moonpull helps
Moonpull’s platform helps marketers monitor and manage hundreds of thousands of affiliate links at scale. Beyond tracking commissions and attribution fairness, the platform advises marketers on consent and compliance risks, helping them focus their resources efficiently on the most critical areas.
Our readers can enjoy a 15% discount on a Moonpull membership.
You can sign up for Moonpull via our paid link here.
