GDPR stands for the General Data Protection Regulation. It’s a law enacted by the European Commission in 2016 that went into effect on May 25, 2018. It’s designed to protect the privacy of all EU citizens, including when those citizens engage with businesses located outside the European Union, by imposing regulations around personal data. For more information on GDPR, check out our blog series.
The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers, and all ecommerce merchants, to seek legal counsel on how they specifically should comply with GDPR.
Is it legal for me to transfer data from my European customers to Klaviyo?
Yes. Following the invalidation of the EU-US Privacy Shield framework, Klaviyo relies on the European Commission's Standard Contractual Clauses as our transfer solution to enable the lawful transfer of personal data from the EU to the US. These Standard Contractual Clauses are located in our Data Protection Addendum, which is incorporated into our Terms of Service.
If we can't prove explicit opt-in for legacy profiles, is there a way to confirm consent via email?
Prior to GDPR going into effect (May 25, 2018), we did recommend sending a repermissioning campaign to any of your subscribers in the EU. However, now that GDPR is in effect, we no longer recommend this practice. Before contacting any of your existing customers or subscribers for whom you cannot prove explicit opt-in, please consult your legal team.
How do we prove consent, including the day a subscriber opted in?
In addition to using double opt-in, you are required to retain the language that was presented to the consumer in the form, email, or webpage where they provided consent. So, you will have to be able to produce both the time/date that they consented and exactly what they consented to.
For our email fields on our websites, do we need to add more checkboxes for the customers to tick before submitting their details?
Klaviyo provides GDPR-compliant forms with multiple checkboxes, allowing for granular consent (i.e., separate consent for email marketing and Facebook marketing).
You will need to select forms identified as GDPR-compliant, and then customize them as appropriate given your marketing program. If you gather personal information about EU consumers through other platforms, you’ll need to make changes on those platforms as well.
What types of personal data do you process, where is it hosted, who is it shared with, and how long is it retained?
Information about the data that we process and the measures we take to protect it can be found in our Data Processing Addendum (DPA). Security measures are specifically outlined in Attachment 2 to the Addendum. You can also read our entire Terms of Service, where GDPR and a link to our DPA are available in section 6.3.
When we capture emails, should we update the fine print to include information about how subscribers' data is being stored in Klaviyo?
Yes, your fine print should be updated to reflect the following guidance for EU prospects and customers:
- Use clear, plain language that is easy to understand
- Specify why you want the data and what you’re going to do with it
- Name your organization and any third party processors you will be using
- Tell individuals they can withdraw their consent
Do I need to provide opt-in emails in the local language to comply with GDPR?
Not necessarily, but Klaviyo provides default opt-in language in several languages.
Am I required to get consent on all personal data from consumers?
Explicit consent is your only option for a lawful basis to collect or process sensitive data. For other personal data, there may be several options when it comes to establishing a lawful basis, but consent is the most likely lawful basis.
Other lawful bases include:
- You are contractually required to process their personal data to fulfill the terms of a contract
- You are required by law to process their personal data
- You need to process someone’s personal data to save/protect their life
- You need to process someone’s personal data to fulfill your responsibilities as a public official
There are other, more obscure lawful bases, but these are edge cases. Most businesses will need to have consent from the consumer in order to collect and process their data.
Can you anonymize my data so that I can view a profile but not see the personally identifiable information?
We do not currently allow customers to anonymize a profile, but anonymized data associated with that profile will remain in the account (e.g., Placed Order events) to preserve the accuracy of performance metrics. Data can be anonymized when extracted from the system, but within Klaviyo, you have full visibility of the data incorporated into any profile.
Is an Abandoned Cart email GDPR compliant?
The answer to this one is not entirely clear; however, there is a prevailing view in the industry that you can still send abandoned cart emails under the basis of legitimate interest. You can consider an abandoned cart email as a communication relevant to the explicit intent to complete a transaction with your business.
That said, you need to be able to defend the notion of legitimate interest in order to use it as a lawful basis — and if you’ve sent someone 100 emails about an item they added to their cart 30 days ago, your abandoned cart series is indefensible. We strongly recommend you stick with an abandoned cart series of no more than 2-3 emails.
Other triggered emails, like browse abandonment and winbacks, are not GDPR-compliant unless you restrict them solely to customers who have previously consented to receive marketing emails from you in a GDPR-compliant fashion.