Privacy FAQs for Brand Partnerships
Privacy laws are complicated and constantly evolving. We have prepared this guide to help you, the Brand, understand how GDPR and CCPA apply to our services. This guide also provides best practices for protecting the privacy of your contacts on our platform and services.
*** Please consult your legal advisor. We are not your lawyers and privacy law requirements may differ depending on your situation ***
What is the GDPR?
The General Data Protection Regulation is a data protection and privacy law. GDPR governs the personal data of individuals in the European Economic Area (the European Union plus Norway, Iceland, and Liechtenstein) and the United Kingdom. We will call this “Europe” for short.
You may be required to follow GDPR if you are located in Europe, market to Europe, or collect personal data from Europe.
Who is the controller or processor under GDPR?
The GDPR has different requirements for “controllers” and “processors.”
Controllers decide the “means and purposes” of processing – i.e., controllers decide what data to collect and how to use the data. Processors collect, store, or process data on the controllers’ behalf.
When you upload your European contacts to our services, or engage in sales transactions, you are the controller and we are the processor.
What is the CCPA?
The California Consumer Privacy Act of 2018 is a data protection and privacy law. CCPA governs the personal data of California residents.
You may be required to follow CCPA if you do business in California and meet at least one of the following three requirements:
- Have annual revenues of over $25 million
- Annually buy, sell, receive, or share the personal information of over 50,000 California residents, households, or devices
- Derive more than 50% of annual revenue from selling personal information
Who is the business or service provider under CCPA?
The CCPA has different requirements for “businesses” and “service providers.”
Businesses decide the “means and purposes” of processing – i.e., businesses decide what data to collect and how to use the data. Service providers collect, store, or process data on the businesses’ behalf.
When you upload your Californian contacts to our services, or engage in sales transactions, you are the business and we are the service provider.
What are my responsibilities under GDPR or CCPA?
As the controller or business, you are responsible for:
- Determining whether you have a lawful basis for using your contacts’ data.
- Providing privacy notices to your contacts.
- Providing cookie notices to your contacts, if required by law.
- Responding to privacy requests from your contacts.
- Following email marketing laws that apply to you.
- Protecting the security of personal data in your Brand’s environments and systems.
How does Carro assist with my responsibilities under GDPR or CCPA?
We assist you with your GDPR and CCPA responsibilities by:
- Assisting you in correcting, deleting, or extracting personal data about your contacts from our platform or services. Please refer to this Shopify guide on how to make a customer privacy request from your Shopify admin dashboard. We will receive an alert from Shopify and process your request on the Carro platform.
- Protecting the security of data in our environment and systems. See About Security.
- Keeping your information confidential and only using the personal data you provide to perform services on your behalf.
- Providing model clauses for the transfer of European personal data, where required.
What should I put in my privacy notice?
The privacy notice should explain how you use and share your contacts’ personal data. This includes informing your contacts that you will be sharing information with us or providers like us.
If you collect information from your contacts offline or from other sources, you may also be required to provide a separate notice at these other points of collection.
GDPR, CCPA, and other privacy laws have other privacy notice requirements. Please consult with your legal advisor regarding the requirements for your specific situation.
Do I need a cookie banner?
The ePrivacy Directive in Europe is also known as the “cookie law.” If your Brand is covered by GDPR, then your Brand is covered by Europe’s cookie law. This cookie law requires consent for any non-necessary cookies.
In addition to the cookies that we may set on your website, your Brand website may drop its own cookies. Your Brand is responsible for understanding the cookies that your Brand website uses and complying with any cookie banner requirements.
GDPR, CCPA, and other privacy laws may have other requirements regarding cookies. Please consult with your legal advisor regarding all the requirements for your situation.
What are best practices for responding to privacy requests from my contacts on Carro?
The GDPR, CCPA, and other privacy laws may require you to honor requests to correct, delete, or get a copy of personal data. In addition, you are responsible for honoring requests to opt out of marketing communications.
You are responsible for responding to a contact’s request directly. This includes processing the customer’s privacy request on your Shopify admin dashboard (see this Shopify guide to learn more). We will receive an alert from Shopify and process your request on the Carro platform. If you have stored the customer’s data outside of Shopify, this may also involve accessing, deleting, or correcting the contact’s information in your Brand’s environment and systems.
We collect your Influencer contact’s public social media information to provide our services to you. If your contact wishes to delete or correct public social media information, please encourage them to contact the relevant social media provider directly.
If your contact has a privacy request or complaint regarding our services, please submit the information to our website here: Privacy Questions.
If you receive a privacy request or complaint from an Influencer on our platform, who is not one of your contacts, please have the Influencer submit the information to our website here: Privacy Questions.
What are best practices for communicating with contacts and influencers on Carro?
We believe that Brands should respect the privacy of all individuals on our platform.
In addition, our Additional Terms for Brands require you to have a prior relationship with any contacts that you upload into our platform. Our service is designed to foster relationships with Influencers that are already part of your network.
If you contact an Influencer who does not have a prior relationship with you, this reflects badly on your Brand and on our service, and it is a violation of our terms.
When communicating with your contacts:
- Let them know who you are and the purpose of your communication.
- Refrain from repeated communications if you have not received a response.
- Honor any requests to stop or opt out of further communications.
What solution do we offer for cross-border data transfers?
Under the GDPR, personal data may only be transferred outside Europe in certain circumstances, such as to a country whose data protection laws are deemed "adequate" by the European Commission, or by relying on an approved data transfer mechanism.
We are located outside of Europe. As noted in our Additional Terms for Brands, you may request that we sign Standard Contractual Clauses (SCCs) for restricted transfers of European data. To request a copy of the SCCs, please contact us at firstname.lastname@example.org.