# Advocate GDPR/CCPA Compliance This article explains how Advocate referral programs can maintain General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA)/ California Privacy Rights Act (CPRA) compliance. {% hint style="info" %} **Note**: This article is for general information only and is not legal advice. Your legal and privacy teams are responsible for determining how applicable laws apply to your business and how you configure Advocate. {% endhint %} #### Is impact.com GDPR and CCPA compliant? impact.com is designed to support referral programs in line with major privacy regulations, including GDPR and CCPA/CPRA. The platform: * Applies technical and organizational measures to help protect personal data. * Provides capabilities to help you respond to data subject/consumer rights requests (for example, access and deletion). * Allows you to configure data and program behavior to align with your privacy and data‑retention policies. However, compliance is shared: * **impact.com** is responsible for the platform and its controls. * **You (the brand)** are responsible for: * Deciding what data to collect and for what purposes. * Providing required privacy notices and disclosures. * Collecting and recording any required consent. * Configuring Advocate, your CRM, and your marketing tools in accordance with applicable laws. #### Are Advocate referral emails transactional or marketing? Advocate referral programs are designed around *transactional* communications, such as: * Referral invitations from an existing customer to a friend. * When using the social sharing email option to send the Advocate's share link to a friend, selecting the *Share via email* button launches the *Advocate's* own email client and the sender is the *Advocate*, not the brand. * Notifications about referral status and rewards. * Essential system messages to operate the referral program. These messages are directly connected to the referral transaction and are not intended to subscribe people to ongoing marketing or newsletters. On that basis, our general position is that: * Advocate referral emails are **transactional program emails** * **Opt‑in consent and unsubscribe links are not required** for these specific transactional messages under many regulatory frameworks. Due to this, by default: * Advocate friend widgets do not include a marketing opt‑in feature. * Referred friends are not treated as opted‑in to your general marketing programs. * Advocate transactional emails do not include an unsubscribe option. This position assumes that: * You do not treat participation in the referral program as marketing consent * You do not automatically add these recipients to broader marketing send lists solely because they participated in the referral program. Your legal team should confirm this classification for the jurisdictions in which you operate. #### Is an opt‑in checkbox mandatory for GDPR compliance? Some teams argue that an opt‑in checkbox is mandatory for GDPR compliance. In practice, there is a distinction between *transactional* and *marketing* communications. For **transactional referral emails** only (for example, invitations, reward or status messages): * These emails are seen as necessary to operate the referral program. * These messages are not used to enroll people into ongoing marketing. * On that basis, a marketing opt‑in for these specific transactional emails is often not required. For **marketing activities** (for example, newsletters, general promotions, or campaigns that go beyond the referral event): * Opt‑in is typically required under GDPR and e‑privacy rules. * This consent and subsequent unsubscribe handling are managed in your own CRM, marketing automation, or consent management tools, not in Advocate. Advocate’s default approach is intended to be compatible with GDPR when: * Emails are used solely to operate the referral program * You do not infer marketing consent from referral participation. If your internal policies or regulator guidance are stricter (for example, opt‑in required before any email is sent), your legal team should define how you use Advocate and any additional consent steps you need. #### Is Advocate used in the UK and Europe? Yes. Advocate is used by multiple brands operating in the UK and across Europe. Common patterns among these brands include: * Treating Advocate referral emails as transactional and separate from general marketing. * Managing marketing consent and preferences centrally in CRM, marketing automation, or consent management platforms. * Only adding referred friends to marketing send lists when: * Explicit marketing consent has been collected * Another lawful basis has been confirmed by your legal team. Exact configurations and legal positions vary by brand, sector, and market. Your legal and privacy teams are responsible for defining your own approach. #### Unsubscribes and use of referral data for marketing **Why don’t Advocate emails include an unsubscribe link?** Advocate referral emails are designed as transactional program messages. They are not intended to be used as ongoing marketing or promotional campaigns. For that reason, they do not include an unsubscribe option by default. **What if we want to use referral data for marketing?** If you plan to import referral participants into your CRM, and send them marketing or promotional campaigns, then you must: * **Obtain and record valid marketing consent** where required (for example, via an opt‑in checkbox). * **Manage unsubscribe and opt‑out preferences** in your CRM, ESP, or consent management platform. * **Include unsubscribe links** in your marketing emails in accordance with applicable laws (for example, GDPR/e‑privacy, CCPA/CPRA, CAN‑SPAM). This consent and unsubscribe handling is managed in your systems outside of Advocate. --- # Agent Instructions: Querying This Documentation If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question. Perform an HTTP GET request on the current page URL with the `ask` query parameter: ``` GET https://help.impact.com/brand/what-would-you-like-to-learn-about/advocate-program/protect-your-advocate-program/advocate-gdprccpa-compliance.md?ask= ``` The question should be specific, self-contained, and written in natural language. The response will contain a direct answer to the question and relevant excerpts and sources from the documentation. Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.