GDPR stands for the General Data Protection Regulation. It’s a law enacted by the European Commission in 2016 that went into effect on May 25, 2018. It’s designed to protect the privacy of all EU citizens, including when those citizens engage with businesses located outside the European Union, by imposing regulations around personal data. For more information on GDPR, check out our blog series.
The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers— and all ecommerce merchants— to seek legal advice for counsel on how they specifically should comply with GDPR.
Is it legal for me to transfer data from my European customers to Klaviyo?
Yes. The GDPR recognizes a number of legal mechanisms for transferring data out of the EU. Following the invalidation of the EU-US Privacy Shield framework, Klaviyo has incorporated the European Commission's Standard Contractual Clauses into our Data Protection Addendum, which is incorporated into our Terms of Service. We recommend consulting your legal team to determine the appropriate transfer mechanism for any transfers of data your organization may make.
If we can't prove explicit opt-in for legacy profiles, is there a way to confirm consent via email?
Prior to GDPR going into effect (May 25, 2018), we did recommend sending a repermissioning campaign to any of your subscribers in the EU. However, now that GDPR is in effect, we no longer recommend this practice. Before contacting any of your existing customers or subscribers for whom you cannot prove explicit opt-in, please consult your legal team.
How do we prove consent, including the day a subscriber opted in?
In addition to using double opt-in, you are required to retain the language that was presented to the consumer in the form, email, or webpage where they provided consent. So, you will have to be able to produce both the time/date that they consented and exactly what they consented to.
For our email fields on our websites, do we need to add more checkboxes for the customers to tick before submitting their details?
Klaviyo provides GDPR compliant forms with multiple checkboxes, allowing for granular consent (i.e. separate consent for email marketing and Facebook marketing).
You will need to select forms identified as GDPR compliant, and then customize them as appropriate given your marketing program. If you gather personal information about EU consumers through other platforms, you’ll need to make changes on those platforms as well.
What types of personal data do you process, where is it hosted, who is it shared with, and how long is it retained?
Information about the data that we process and the measures we take to protect it can be found in our Data Processing Addendum (DPA). Security measures are specifically outlined in Attachment 2 to the Addendum. You can also read our entire Terms of Service, where GDPR and a link to our DPA are available in section 6.3.
Should we be updating the fine print when we capture emails that include any information about how their data is being stored in Klaviyo?
Yes, your fine print should be updated to reflect the following guidance for EU prospects and customers:
- Use clear, plain language that is easy to understand
- Specify why you want the data and what you’re going to do with it
- Name your organization and any third party processors you will be using
- Tell individuals they can withdraw their consent
Do I need to provide opt-in emails in the local language to comply with GDPR?
Not necessarily. The specific requirements may vary country to country, so we recommend consulting your legal team about country-specific requirements, but Klaviyo provides default opt-in language in several languages.
Am I required to get consent on all personal data from consumers?
Your only option to have a lawful basis for collecting or processing sensitive data is explicit consent. For other personal data, there may be several options when it comes to establishing a lawful basis, but consent is one that organizations frequently rely upon.
Other lawful bases include:
- The processing is necessary for the performance of a contract or in order to take steps at the request of the data subject prior to entering a contract
- The processing is necessary for compliance with a legal obligation
- The processing is necessary to protect the vital interests of the data subject or another person
- The processing is necessary for the legitimate interests of the business and such interests are not outweighed by the interests or fundamental rights of the data subject
- The processing is necessary for a task performed in the public interest or to fulfill the responsibilities for a public official
We recommend consulting your legal team to determine the appropriate lawful basis for the processing of data by your organization.
Can you anonymize my data so that I can view a profile but not see the personally identifiable information?
We do not currently allow customers to anonymize a profile, but anonymized data associated with that profile will remain in the account (e.g., Placed Order events) to preserve the accuracy of performance metrics. Data can be anonymized when extracted from the system, but within Klaviyo, you have full visibility of the data incorporated into any profile.
Is an Abandoned Cart email GDPR compliant?
The answer to this one is not entirely clear; however, many organizations take the view that you can still send abandoned cart emails without explicit consent for marketing communications under the basis of legitimate interest. You may be able to consider an abandoned cart email as a communication relevant to the explicit intent to complete a transaction with your business. Other triggered emails, like browse abandonment and winbacks, on the other hand, may not be permissible unless customers have previously consented to receive marketing emails from you in a GDPR compliant fashion.
That said, the applicability of legitimate interests or any other legal basis will depend on the particular circumstances, including, for example, the number and frequency of emails and the amount of time that has elapsed since the cart was abandoned. We strongly recommend you consult with your legal team about your email campaigns to confirm they are compliant with applicable law.