All Collections
How can my Store be GDPR and CCPA Compliant When Using Carro's Brand Partnerships?
How can my Store be GDPR and CCPA Compliant When Using Carro's Brand Partnerships?

What are my responsibilities under GDPR or CCPA?

David Rice avatar
Written by David Rice
Updated over a week ago

Privacy laws are complicated and constantly evolving. We have prepared this guide to help you, the Brand, understand how GDPR and CCPA apply to our services. This guide also provides best practices for protecting the privacy of your customers on our platform and services.

*** Please consult your legal advisor. We cannot provide legal advice and privacy law requirements may differ depending on your situation. ***

What is the GDPR?

The General Data Protection Regulation is a data protection and privacy law. GDPR governs the personal data of individuals in the European Economic Area (this includes Europe, Norway, Iceland, and Liechtenstein) and the United Kingdom. We will call this “Europe” for short.

You may be required to follow GDPR if you are located in Europe, market to Europe, or collect personal data from Europe.

What is the CCPA?

The California Consumer Privacy Act of 2018 is a data protection and privacy law. CCPA governs the personal data of California residents.

You may be required to follow CCPA if you do business in California and meet one of the following three requirements:

  • Annual revenues of over 25 million

  • Annually buy, sell, receive, or share the personal information of over 50,000 California residents, households, or devices, OR,

  • Derives >50% of revenue from selling personal information

What are my responsibilities under GDPR or CCPA?

We believe in fostering relationships between Brands to improve their business. These relationships are founded on mutual trust and respect.

To foster this environment, our Additional Terms for Brands requires each participating Brand to comply with privacy laws and respect each other’s customer data. You are responsible for:

  • Providing a privacy notice to your customers.

  • Disclosing your data sharing practices with partner Brands in your privacy notice.

  • Providing cookie notices to your customers, if required by law.

  • Responding to customer privacy requests directed to your Brand.

  • Reasonably assisting your partner Brand with privacy requests directed to both of you.

  • Following email marketing and privacy laws that apply to you.

  • Protecting the security of customer personal data in your Brand’s environments and systems.

How does Carro assist with my responsibilities under GDPR or CCPA?

We assist you with your GDPR and CCPA responsibilities by:

  • Assisting you in correcting, deleting, or extracting personal data about your customers from our platform or services. Please refer to this Shopify guide on how to make a customer privacy request from your Shopify admin dashboard. We will receive an alert from Shopify and process your request on the Carro platform.

  • Protecting the security of data in our environment and systems. See About Security.

  • Keeping your information confidential and only using the personal data you provide to perform services on your behalf.

  • Where required, provide model clauses for the transfer of European personal data.

What should I put in my privacy notice?

We require Brands to provide a privacy notice to their customers. This privacy notice is usually your website privacy policy.

If you collect information from your customers offline or from other sources, you may also be required to provide a separate notice at these other points of collection.

The privacy notice should explain how you use and share your customers’ personal data. This includes informing your customers that you will be (i) sharing information with service providers like us and (ii) sharing and receiving information from partner Brands.

GDPR, CCPA, and other privacy laws have other privacy notice requirements. Please consult with your legal advisor regarding the requirements for your specific situation.

Do I need a cookie banner?

The ePrivacy Directive in Europe is also known as the “cookie law.” If your Brand is covered by GDPR, then your Brand is covered by Europe’s cookie law. This cookie law requires consent for any non-necessary cookies.

Please refer to our Cookie Policy for a list of cookies that we use in our services. In addition to the cookies that we may set on your website, your Brand website may drop its own cookies. Your Brand is responsible for understanding the cookies that your Brand website uses and complying with any cookie banner requirements.

GDPR, CCPA, and other privacy laws may have other requirements regarding cookies. Please consult with your legal advisor regarding all the requirements for your situation.

What are best practices for responding to privacy requests from customers on Carro?

The GDPR, CCPA, and other privacy laws may require you to honor requests to correct, delete, or get a copy of personal data. In addition, you are responsible for honoring requests to opt-out of marketing communications.

You are responsible for responding to a customer’s request directly. This includes processing the customer’s privacy request on your Shopify admin dashboard (see this Shopify guide to learn more). We will receive an alert from Shopify and process your request on the Carro platform. If you have stored the customer’s data outside of Shopify, this may also involve accessing, deleting, or correcting the customer’s information in your Brand’s environment and systems, and notifying the partner Brand of the request if it relates to the partner Brand’s products and services.

If your customer has a privacy request or complaint regarding our services, please submit the information to our website here: Privacy Questions.

What are best practices for communicating with customers?

We believe that Brands should respect the privacy of all individuals on our platform.

Our Terms and Additional Terms for Brands prohibit spamming, offensive, and harassing communications on our platform. We reserve the right to terminate your services if you engage in such behavior.

When communicating with your customers:

  • Let them know who you are and the purpose of your communication.

  • Refrain from repeated communications if you have not received a response.

  • Honor any requests to stop or opt-out of further communications.

What solution do we offer for cross-border data transfers?

Under the GDPR, personal data may only be transferred outside of Europe in certain circumstances, such as to a country whose data protection laws are deemed "adequate" by the European Commission, or by relying on an approved data transfer mechanism.

We are located outside of Europe. As noted in our Additional Terms for Brands, you may request that we sign Standard Contractual Clauses (SCCs) for restricted transfers of European data. To request a copy of the SCCs, please contact us at

Did this answer your question?