One-per-person coupon mechanics
A small constraint that quietly prevents most coupon abuse.
One redemption per customer is the smallest constraint that quietly prevents most coupon abuse. The mechanic is simple, the enforcement is where teams cut corners, and the corners are exactly where the margin leaks.
Why the constraint matters
Most coupon abuse comes from a single pattern: one person, multiple identities. The same buyer creates a second email, a third, a tenth, and stacks first-order codes across them. The discount you intended as a one-time acquisition incentive becomes a recurring 20% off the same household. Multiply that across a few thousand "new" customers and the lift you celebrated in the campaign report is a wash against margin.
One-per-person isn't about catching every offender — it's about making the abuse economically uninteresting. If creating a second account costs five minutes and saves $4, plenty of people will do it. If it requires a new payment instrument and a different shipping address and still gets blocked at checkout, almost no one bothers.
Enforce on multiple identifiers, not just email
Email-only enforcement is theater. Email addresses are free, and most providers treat +tag aliases as the same inbox while merchants treat them as different customers. The fix is to enforce on a stack of identifiers, any one of which trips the limit.
- Email, normalized. Strip +tag suffixes, lowercase, collapse dots in Gmail addresses. Treat the canonical form as the identity.
- Payment fingerprint. Most payment processors expose a stable card fingerprint that survives across orders without storing the full PAN. One fingerprint, one redemption.
- Shipping address. Two orders to the same street address from different emails should at minimum trigger a review, if not a hard block.
- Device or session signal. Where you have it, a returning device cookie or fingerprint adds a layer without false-positive risk on its own.
The right combination depends on your category and fraud tolerance. A high-margin SaaS trial usually only needs email plus payment fingerprint. A discounted-physical-good campaign needs the address layer too.
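The identifier stack above, sketched as an added example (not code from any particular platform): each identifier is canonicalized, keyed-hashed, and checked independently, so a match on any one reports the earlier order. All function and class names, the demo key, and the in-memory ledger are assumptions for illustration; the card fingerprint is whatever opaque string your processor returns.

```python
import hashlib
import hmac
import re

# Assumption: in production this key comes from a secrets manager, not source code.
KEY = b"constructed-demo-key"
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}

def normalize_email(raw: str) -> str:
    """Canonical form: lowercase, strip the +tag suffix, collapse Gmail dots."""
    local, _, domain = raw.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if not local or not domain:
        raise ValueError("not an email address")
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"
    return f"{local}@{domain}"

def normalize_address(street: str, postal_code: str) -> str:
    """Crude address key: case, punctuation and spacing removed."""
    street = re.sub(r"[^a-z0-9]", "", street.lower())
    return f"{street}|{postal_code.replace(' ', '').lower()}"

def identity_keys(email, card_fingerprint, street, postal_code):
    """One keyed hash per identifier, so the ledger never stores raw PII."""
    raw = {
        "email": normalize_email(email),
        "card": card_fingerprint,
        "address": normalize_address(street, postal_code),
    }
    return {kind: hmac.new(KEY, f"{kind}:{val}".encode(), hashlib.sha256).hexdigest()
            for kind, val in raw.items()}

class RedemptionLedger:
    def __init__(self):
        self._seen = {}  # (code, identifier key) -> order id of first redemption

    def check(self, code, keys):
        """Return (identifier kind, prior order id) for every identifier already used."""
        return [(kind, self._seen[(code, key)])
                for kind, key in keys.items() if (code, key) in self._seen]

    def record(self, code, keys, order_id):
        """Call once the order completes; the earliest order id is kept."""
        for key in keys.values():
            self._seen.setdefault((code, key), order_id)
```

The address key here only removes case and punctuation; a real deployment would run addresses through a postal standardization service first, and would decide per identifier whether a match blocks or only queues a review.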
Make the failure path graceful
One-per-person enforcement that fires at checkout with a generic "code invalid" message creates support tickets and lost sales from real customers who genuinely forgot they redeemed it. The error needs to be specific and the next step obvious.
- Detect the duplicate before checkout completes — at code application, not at payment.
- Tell the customer plainly: "this code is one-per-customer and was redeemed on order #1234 on March 3."
- Offer a path forward — a different active code if you have one, or a clean checkout without the discount.
- Log the attempt. A pattern of duplicate attempts from one identity tells you something.
When to require one-per-person and when to skip it
Not every coupon needs the constraint. A free-shipping code on orders over $75 is largely self-limiting — the threshold prevents the abuse the limit would. A 5% off newsletter code is below the friction threshold for serious gaming.
The codes that need hard one-per-person enforcement are the ones with depth or scarcity — first-order codes above 15%, BOGO offers, free-product giveaways, and any code that pushes a unit below cost. Coupon marketing strategy covers the discount-size thresholds where the math starts losing money on duplicates.
Unique codes don't replace the constraint
A common mistake is assuming unique codes (one code string per customer) eliminate the need for one-per-person enforcement. They don't. A unique code can still be shared, screenshotted, or posted publicly. Without identity-level enforcement at the cart, the second person who tries the shared code will succeed.
The right pairing is unique codes plus identity enforcement: each customer gets their own code, and the cart still verifies that the redeeming identity matches the issued one. The unique code prevents aggregator-style leaks; the identity check prevents one-on-one sharing. Distributing digital coupon codes covers the issuance side of the same flow.
Borrowing the pattern from instant-win promotions
Instant-win and sweepstakes platforms have been solving one-per-person enforcement for years, and the patterns translate directly to coupons — fingerprint-based limits, throttling on suspicious signals, and clean disqualification UX. Instant-win promotion mechanics covers the verification logic those platforms use, which is the same logic a serious coupon program needs.