The policy discloses that users in certain jurisdictions, including California and EU/UK, have rights to access, correct, delete, and obtain copies of their personal information, as well as rights to restrict processing, object to processing, and opt out of data sale or sharing.
This analysis describes what Whatnot's agreement states, permits, or reserves. It does not constitute a legal determination about enforceability. Regulatory applicability and practical outcomes may vary by jurisdiction, enforcement context, and individual circumstances. Read our methodology
This provision establishes the mechanism and scope of data subject rights available under CCPA, CPRA, GDPR, and UK GDPR, and the operational availability of these rights depends on Whatnot's implementation of request intake, verification, and response workflows.
The updated terms require all disputes arising from the Strategic Seller Agreement or a seller's relationship with Whatnot to be resolved through arbitration as defined in the main Terms of Service, rather than through litigation in California courts. Previously, sellers could bring claims in federal or state courts located in Los Angeles; under the revised language, this option is eliminated except where the Terms of Service arbitration section expressly permits court proceedings. The change applies to the relationship between individual sellers and Whatnot, affecting how contract disputes, payment disagreements, or other claims are processed and adjudicated.
View change record →The updated terms establish a new Creator Program for UK users that allows them to submit content (videos, shopping hauls, seller spotlights) and potentially receive program benefits including cash payments, shopping credit, or promotional support. The terms grant Whatnot a one-year non-exclusive license to use submitted content across all marketing channels worldwide for promotion, advertising, and derivative works without additional compensation beyond the stated program benefit. Creators must be at least 18 years old, maintain a valid Whatnot account, and complete identity verification and tax documentation before receiving any payment. The terms state explicitly that submission does not guarantee content will be selected, used, featured, or rewarded, and Whatnot retains discretion to reject, remove, or stop using content at any time.
View change record →This new provision consolidates data subject rights for multiple jurisdictions (California, EU, UK) in a single statement, improving clarity about location-based privacy rights.
View full change record →Under this provision, eligible users can submit requests to access, correct, delete, or export their personal information by contacting Whatnot through the privacy request mechanism; the policy states these rights are available depending on the user's location.
How other platforms handle this
If you are located in the European Economic Area, Switzerland, or the United Kingdom, you have the right to access, correct, or erase your personal data; the right to restrict or object to our processing of your personal data; the right to data portability; and, where our processing is based on your...
Depending on where you are located, you may have certain rights regarding your personal information, including the right to access, correct, delete, or restrict processing of your personal information, the right to data portability, and the right to object to or withdraw consent for certain processi...
We may also collect your personal data from other people or companies.
Monitoring
Whatnot has changed this document before.
Receive same-day alerts, structured change summaries, and monitoring for up to 25 platforms.
"Depending on your location, you may have certain rights regarding your personal information, including the right to access, correct, delete, or obtain a copy of your personal information, the right to restrict or object to our processing of your personal information, and the right to opt out of the sale or sharing of your personal information.— Excerpt from Whatnot's Whatnot Privacy Policy
1) REGULATORY LANDSCAPE: This provision engages CCPA and CPRA for California residents (enforced by the California Privacy Protection Agency), GDPR for EU residents (enforced by relevant national data protection authorities), and UK GDPR for UK residents (enforced by the Information Commissioner's Office). Each framework imposes specific timelines and response requirements for data subject requests that Whatnot's operational processes must satisfy. 2) GOVERNANCE EXPOSURE: Medium. The adequacy of identity verification procedures for data subject requests, the completeness of data mapping required to respond to access and deletion requests, and compliance with statutory response timelines represent the primary operational exposure areas. 3) JURISDICTION FLAGS: GDPR requires response to access requests within one month, with extensions permitted in limited circumstances. CCPA/CPRA requires response within 45 days, with one 45-day extension. UK GDPR mirrors GDPR timelines. Non-compliance with these timelines is a direct enforcement risk. For sellers who have submitted government ID and financial account data, deletion requests create additional complexity regarding regulatory retention obligations. 4) CONTRACT AND VENDOR IMPLICATIONS: Whatnot must ensure that data subject deletion and access requests can be fulfilled across all data processors and sub-processors holding user data, requiring appropriate contractual provisions with vendors. 5) COMPLIANCE CONSIDERATIONS: Compliance teams should audit the data subject request intake and response workflow for adherence to jurisdiction-specific timelines; confirm that identity verification procedures for requests meet applicable standards without creating undue barriers; and map data flows to ensure deletion requests can be technically fulfilled across all systems and vendors.
Full compliance analysis
Regulatory citations, enforcement risk, and due diligence action items.
Free: track 1 platform + weekly digest. Monitor: 25 platforms + same-day alerts. No credit card required.
Compliance Governance Intelligence
Need to monitor specific governance provisions?
Compliance includes provision-level monitoring, governance timelines, regulatory mapping, and audit-ready analysis.
Built from archived source documents, structured governance mappings, and historical version tracking.
This provision establishes the mechanism and scope of data subject rights available under CCPA, CPRA, GDPR, and UK GDPR, and the operational availability of these rights depends on Whatnot's implementation of request intake, verification, and response workflows.
Under this provision, eligible users can submit requests to access, correct, delete, or export their personal information by contacting Whatnot through the privacy request mechanism; the policy states these rights are available depending on the user's location.
No. ConductAtlas is an independent monitoring service. We are not affiliated with, endorsed by, or sponsored by Whatnot.