Compliance

Compliance without paranoia 2026 — FTC, EU, UK, and what triggers manual review

A practitioner's reference to FTC, EU, and UK ad-substantiation rules, recent enforcement (Goli, BetterHelp, AGAG settlements), Outbrain and Taboola advertiser-policy updates, and what specifically triggers manual review on the major networks. Cites real FTC enforcement actions, NAD decisions, and each network's published policy.

By Eyal RosenthalMay 7, 202617 min readAI-assisted research

Compliance is a category most affiliate operators get wrong in two opposite directions. They either ignore it entirely until a network ban or a regulator letter forces engagement — too late, expensive — or they over-rotate into paranoia, refusing to run any creative that has any edge to it, leaving meaningful CPA on the table because they've assumed the strictest reading of every rule. Neither extreme is operationally correct.

The middle path requires actually understanding what the rules say, what the enforcement record looks like, and what specifically triggers manual review on the major ad networks. This piece is the practitioner's reference: FTC + EU + UK rules, recent enforcement (Goli, BetterHelp, AGAG settlements as the canonical examples), Outbrain and Taboola advertiser-policy specifics, and the operational signals that determine whether your campaign sails through or gets human-reviewed.

The legal foundation — what the law actually says

Three regulatory frameworks dominate the affiliate-advertising compliance landscape in 2026: FTC in the US, the EU's Unfair Commercial Practices Directive (UCPD) and various member-state implementations, and the UK's CAP/BCAP codes administered by the ASA.

Federal Trade Commission (US) — The FTC's authority over advertising rests on Section 5 of the FTC Act prohibiting "unfair or deceptive acts or practices." For advertising specifically, the relevant references:

The FTC Endorsement Guides — refreshed in 2023 — define when influencer or testimonial content has to be disclosed as paid.
The FTC's "Native Advertising: A Guide for Businesses" is the foundational document for native-ad disclosure rules.
The FTC's 2024 final "Made in USA" rule is one example of a category-specific rule that affiliate operators can run into.
The Restore Online Shoppers' Confidence Act (ROSCA) covers free-trial / continuity / negative-option marketing — directly relevant to many CPA offers.

European Union — The Unfair Commercial Practices Directive (2005/29/EC) is the foundational EU law. Each member state has implementation. The Digital Services Act (DSA) adds platform-level obligations that affect affiliate operators indirectly through what platforms are required to monitor. GDPR consent rules affect lead-gen offers because they determine when user consent is valid.

United Kingdom — The Advertising Standards Authority administers the CAP Code (non-broadcast) and BCAP Code (broadcast). The ASA's rulings database is searchable and is one of the most useful real-world references for what's actually being enforced in 2026.

Recent enforcement — the cases that matter

The case law of recent FTC and ASA actions is more useful than the rulebooks themselves for understanding where the enforcement edge actually is.

FTC v. Goli Nutrition (2024-2025) — Goli Nutrition, the apple-cider-vinegar gummy company, had a major chapter of FTC scrutiny over weight-loss and immune-system claims and over alleged use of fake reviews. Public coverage and the FTC's own press releases have documented the dynamics. The lessons for affiliate operators: weight-loss claims tied to consumer products are a high-risk category; review-authenticity is increasingly scrutinized.

FTC v. BetterHelp (2023, settled $7.8M) — The FTC's enforcement action against BetterHelp charged the online-therapy company with sharing user mental-health data with Facebook and other platforms for advertising purposes despite privacy promises. The settlement is a watershed for "data sent to ad platforms" risk — affiliate operators who pass user data to Meta CAPI or similar without clear consent are running on similar terrain.

FTC v. Sunday Riley (2019, expanded settlement context) — The Sunday Riley fake-review settlement at the FTC was narrower in dollars but doctrinally important: the FTC made clear that paying or directing employees / agents to write reviews is a Section 5 violation. The doctrine extends naturally to incentivized affiliate-driven reviews on aggregator sites.

The "AGAG" / SkinnyCo / similar weight-loss settlements — A series of weight-loss-supplement settlements over the past five years (the FTC's case index is searchable) have established the range of "what's a substantiation violation" in the supplements space. The pattern: claims of specific pound-loss in specific time-frames without controlled human studies are routinely ruled inadequately substantiated.

ASA rulings on affiliate disclosures (UK, 2023-2025) — The ASA's recent rulings on influencer and affiliate content have established that "#ad" or "Sponsored" must be disclosed prominently and unambiguously. The pattern: hidden disclosures (small text, gray-on-gray, below-the-fold) consistently get ruled against.

Italian AGCM, French DGCCRF, German VZBV cases — EU member-state enforcement varies. The general 2024-2025 pattern: enforcement is increasing, particularly around influencer marketing on Instagram and TikTok, and member-state authorities are increasingly coordinating across borders.

The cumulative direction: enforcement is real, growing, and biased toward consumer-protection categories (health, finance, weight loss, online services) and toward disclosure violations (failure to label sponsored content). Operators in those categories who don't have clear documentation are at higher risk.

What "substantiation" actually means

The single most-misunderstood compliance concept. The doctrine: when you make a factual claim in advertising, you must have a "reasonable basis" for the claim before you make it. The standard is sometimes called "competent and reliable evidence."

For different claim categories:

General product features. Reasonable basis = product spec, technical documentation, internal QA testing.
Performance / efficacy claims. Reasonable basis = controlled testing appropriate to the claim. "Faster than X" needs side-by-side comparison testing.
Health and weight-loss claims. Reasonable basis = peer-reviewed scientific studies on the specific product / formulation, not on the general ingredient class. This is the high bar.
Earnings / income claims. Reasonable basis = verifiable typical results from real users, not cherry-picked top-performers.
Testimonials. Each testimonial has to either be from a real user describing real experience, or be clearly disclosed as fictional.

The substantiation requirement is what catches affiliate operators most. The "5 weight-loss tricks doctors don't want you to know" creative is a substantiation problem because the implicit claim — "this product produces weight loss" — requires substantiation that affiliate landing pages typically don't have.

What triggers manual review on the networks

Each major network has both an algorithmic filter and a human-review escalation path. The algorithmic filter catches obvious violations; the human review catches the borderline cases. The triggers for human review, aggregated from operator experience and from each network's published policies:

Outbrain — Their Acceptable Use Policy and advertiser help describe the categories. The triggers for human review:

New accounts in their first 30-90 days. Effectively all creatives go through human review during the warm-up window.
Health, supplement, financial-services, and CBD-adjacent verticals trigger human review on every creative regardless of account age.
Use of certain keywords ("doctors hate," "miracle," "secret," before/after, "lose X pounds," "guaranteed") trigger human review.
Aggressive image content (graphic medical, weight-loss imagery, certain lifestyle imagery) triggers human review.

Taboola — Their advertiser policy covers similar ground with broadly similar triggers. Taboola's enforcement on specific verticals has historically tracked Outbrain's roughly within 6-12 months — meaning a vertical Outbrain has tightened on tends to get tightened on Taboola in the following year.

RevContent — Their advertiser help describes more permissive policies but human review still happens on borderline categories. The trigger pattern is generally similar but the threshold is higher.

Tier-2 and Tier-3 inventory.">MGID — Similar structure with geo-conditional enforcement that varies by market.

Meta (Facebook / Instagram) — Meta's Advertising Policies describe the categories. Triggers for human review:

New ad accounts (warm-up period).
Specific verticals: financial services, health/medical, alcohol, online dating.
Use of certain image-recognition flagged content (faces, body parts in certain contexts, before/after).
Use of certain text patterns (claims about personal characteristics, before/after copy).

TikTok Ads — TikTok's policy is similar in structure with TikTok-specific sensitivities (younger user-base means stricter rules on cosmetics-tied-to-appearance claims, weight-loss, certain financial offers).

Google Ads — Google's advertising policies are the most detailed of any platform, with specific rules for hundreds of vertical sub-categories. Google's algorithmic enforcement is the most aggressive of the major platforms; the human-review path is correspondingly harder to navigate.

Specific creative patterns that fail review

The patterns that consistently trigger violations across networks:

Implicit health claims via image. A weight-loss product paired with a before/after image is a claim even if the headline says nothing. The image is the claim.
Earnings claims with specific numbers. "Make $500 a day from home" is a substantiation problem. "Discover work-from-home opportunities" is not.
Implicit medical authority. "Doctor recommended" without a real doctor recommending it. "Dermatologist tested" without dermatologist testing.
Fake countdown timers and scarcity. A countdown that resets when the page reloads. Stock-counters showing "Only 3 left!" that don't update.
Fake reviews / testimonials. Stock photos paired with reviews. Reviews from people who don't exist. Reviews paid for in violation of FTC and ASA rules.
Fake before/after images. AI-generated transformations presented as real users.
Cloaking — ads that show one experience to reviewers and another to users. This is the hard ban category. All major networks treat detected cloaking as account-termination grounds.
Affiliate offer disclosure failures. Native ad → lander → offer chain where the user is not clearly informed they are being directed to an offer.

The pattern: each of these is both a legal-compliance issue and a network-policy issue. Networks enforce because they can be sued or fined upstream — the FTC has authority over advertising platforms as well as advertisers.

How to operate cleanly without leaving money on the table

The operational frame: clean compliance is a competitive advantage, not just a defensive posture. Operators who can scale on Outbrain at $0.20 CPC are competing with operators who can only scale on RevContent at $0.10 CPC; the Outbrain economics are typically better when audience quality is factored in. The price of admission is keeping your account healthy.

Practical rules:

Stay several steps inside the line, not on it. If a vertical or claim is borderline, don't be the test case. Let other operators be the test case. You'll learn from their bans.
Read the network policies regularly. Outbrain, Taboola, Meta all publish policy update logs. Subscribe to them. Read updates within the week they're published.
Keep substantiation files. When you claim a product does X, have the evidence in a file you can produce on demand. The act of building the file forces clarity about which claims are defensible and which aren't.
Disclose clearly. "Sponsored," "Ad," "Paid promotion" — clearly visible, on every relevant touchpoint. The marginal cost of clear disclosure is essentially zero; the marginal benefit is meaningful network and regulatory protection.
Avoid the high-risk language list. "Doctors hate," "miracle," "guaranteed," "shocking," "you won't believe" — these are the words that get accounts auto-flagged. There are equally good non-flagged variants for almost every angle.
Document compliance review. Have a person in the operation whose explicit job is to review creative against the network policy and the FTC / ASA rule before launch. The cost is small; the cost of getting one wrong is large.

A note on AI-generated creative and compliance

The 2024-2025 explosion of AI-generated creative introduces specific compliance dimensions worth covering separately.

AI-generated faces and persons. If the AI-generated image looks like a real person, you have a likeness/right-of-publicity exposure. If the AI image is presented as a real user testimonial, you have an FTC fake-testimonial exposure.
AI-generated reviews. Per the FTC's 2024 Final Rule on Reviews and Testimonials (reference), fake reviews including AI-generated ones are explicitly prohibited.
AI-generated before/after. Particularly aggressive risk — the FTC's substantiation doctrine doesn't allow synthetic representations of efficacy.
Disclosure of AI usage. As of mid-2025, the FTC has signaled (through staff guidance) that AI-generated content used in advertising should be disclosed where the synthesis could mislead consumers about who or what they're seeing.

The implication: AI tools have lowered the cost of producing compliant creative meaningfully (faster iteration, cheaper variants), but they've created entirely new compliance categories. Operators who use AI to generate the underlying assets need policy discipline that didn't exist a few years ago.

What the next 12-24 months are likely to bring

Forward-looking and necessarily speculative, but trends visible in the enforcement record:

Stricter platform-level enforcement under DSA. EU platform-level obligations under the Digital Services Act create incentives for platforms (Meta, Google, TikTok) to be more aggressive in pre-publication review.
Cross-border enforcement coordination. EU member states are increasingly coordinating; FTC and ASA have informal information-sharing relationships. A campaign that gets flagged in one jurisdiction is increasingly likely to be flagged in the others.
More aggressive enforcement on AI-generated content. Both at the FTC level and at the platform level. Expect specific guidance and specific enforcement actions in the 2025-2026 window.
Health and finance verticals tighten further. The trajectory of the past five years is more enforcement, more scrutiny, narrower allowable claim space. No reason to expect that trajectory to reverse.
Privacy / data-flow enforcement (BetterHelp-style cases). The dimension where data is being passed to ad platforms in violation of stated privacy promises is an increasingly scrutinized area. Operators using Meta CAPI, TikTok Events API, or similar should review their consent flows.

Where the public data is honestly thin

What I could not source cleanly:

A precise rate-of-enforcement-by-vertical breakdown. The FTC publishes case-by-case but not aggregate rates.
A platform-by-platform false-positive rate on auto-flagging. None published.
Specific dollar-level financial impact of compliance violations on affiliate operators across the industry. Anecdotal.

If you have a citable source for any of the above, the email at the bottom is real.