Referral program UTM tracking
Referral programs need their own UTM medium so referred traffic is not confused with organic referrers. This page shows how to label the referral channel and explains why you must not encode individual user IDs in UTM — it leaks personal data and invites abuse.
Give the program its own medium
Distinguish your formal referral program from generic referral traffic (other sites linking to you) by using a clear, agreed medium value:
- utm_source=<program name, e.g. refer-a-friend>
- utm_medium=referral (kept distinct and documented)
- utm_campaign=<the specific program push>
- utm_content=<optional, generic placement label only>
Never encode the referrer's identity
It is tempting to put the referring user's ID in the URL so you can credit them. Do not do this in a UTM. The parameter is visible in the address bar, browser history, and every server log, so a raw user ID becomes exposed personal data. Sequential or guessable IDs also let bad actors enumerate accounts or fabricate referrals.
The safe pattern is an opaque referral code that your backend maps to a user privately, or handling the credit entirely server-side. Keep the UTM to generic, non-identifying campaign labels.
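The opaque-code pattern above, sketched as an added example (not code from the original page or from WebmasterID). The in-memory store, the function names, the `ref` parameter name and the example.com URL are assumptions made for illustration; the leak check is a heuristic that flags only email-like and all-digit UTM values.

```python
import re
import secrets
from urllib.parse import urlencode, urlsplit, parse_qs

# Hypothetical private store; a real backend would keep this in a database.
_CODE_TO_USER = {}

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[^@\s]+")
DIGITS_RE = re.compile(r"^\d+$")

def issue_referral_code(user_id):
    """Create an unguessable code and record code -> user server-side only."""
    code = secrets.token_urlsafe(16)  # 128 random bits, not derived from user_id
    _CODE_TO_USER[code] = user_id
    return code

def build_referral_link(base_url, code, campaign):
    """UTM fields carry generic labels; the opaque code rides in its own parameter."""
    params = {
        "utm_source": "refer-a-friend",
        "utm_medium": "referral",
        "utm_campaign": campaign,
        "ref": code,  # assumed parameter name, not a UTM field
    }
    return f"{base_url}?{urlencode(params)}"

def resolve_referrer(code):
    """Server-side lookup; unknown or guessed codes resolve to None."""
    return _CODE_TO_USER.get(code)

def utm_leaks(url):
    """Names of UTM parameters whose value looks like an email or a raw numeric ID."""
    query = parse_qs(urlsplit(url).query)
    leaks = []
    for name, values in query.items():
        if not name.startswith("utm_"):
            continue
        if any(EMAIL_RE.search(v) or DIGITS_RE.match(v) for v in values):
            leaks.append(name)
    return sorted(leaks)

if __name__ == "__main__":
    code = issue_referral_code(1042)  # constructed sample user ID
    link = build_referral_link("https://example.com/signup", code, "spring-push")
    print(link, utm_leaks(link), resolve_referrer(code))
```

Running utm_leaks over outgoing link templates before a campaign ships catches the mistake early, before the values reach address bars and logs.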
How it appears in analytics and logs
A visit with utm_medium set to your referral label confirms it came from the referral program, not an unrelated site linking to you. Keeping the program separate prevents it being lumped into ordinary referral traffic.
Diagnostic use case
Tag referral-program links with a distinct medium so program-driven visits are separated from generic referrer traffic in reports.
What WebmasterID can help detect
WebmasterID reads the referral utm_medium at ingest and attributes the visit to the program channel, so referral-program traffic is measurable as a distinct source without exposing who referred whom.
Common mistakes
- Putting a referrer's user ID or email directly in a UTM parameter.
- Using utm_medium=referral for both the program and unrelated inbound links, merging them.
- Relying on guessable codes that let people enumerate or fake referrals.
Privacy and accuracy notes
Do not put a referring user's ID, name, or email in a UTM. Those values are public and logged; an exposed user ID is personal data and can be guessed or enumerated to abuse the program. Handle the referrer identity server-side, behind your own code.
Related pages
- Partner / co-marketing UTM tracking
Co-marketing only measures cleanly when both partners tag links the same way. This page shows how to agree a shared utm_source naming and campaign convention up front, so a joint campaign aggregates instead of fragmenting across two different schemes.
- UTM naming conventions that survive reporting
Most UTM data problems are naming problems. Because tools treat utm_source=Reddit and reddit as different values, inconsistent casing and spelling fragment one campaign across many rows. This page gives a convention — lowercase, hyphenated, documented allow-list — that keeps reports clean.
- Privacy-first analytics
Attribution that avoids exposing personal data in campaign URLs.
Sources and verification notes
- MDN — URL search params: UTM values live in the public query string and are logged.
Last reviewed 2026-06-24. Facts are checked against primary/official sources where available; uncertain specifics are marked “Data not yet verified” rather than guessed.