Collect GDPR Compliant Consent



GDPR stands for the General Data Protection Regulation. It’s a law enacted by the European Commission in 2016 that goes into effect on May 25, 2018. It’s designed to protect the privacy of all EU citizens, including when those citizens engage with businesses located outside the European Union, by imposing regulations around personal data. For more information on GDPR, check out our blog series.

Because GDPR requires informed and freely given consent before you can send marketing emails to a given contact, having GDPR compliant signup forms is critical. While we still recommend you contact legal counsel to review the language relayed on your forms, Klaviyo provides built-in GDPR compliant forms as a starting point.

If you have an existing list that you would like to import into Klaviyo and you have already collected consent, check out our guide to applying consent properties to an existing list.


The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers -- and all ecommerce merchants -- to seek legal advice for counsel on how they specifically should prepare for GDPR.

Use a GDPR Compliant Popup or Flyout

After you install Klaviyo signup forms on your site, you will have the option to start building forms within the form editor in the Signup Forms tab in your account. When you create a new form, you will have the option to select Enable GDPR Fields. This will ensure that the default template includes GDPR compliant language.


You can edit the language of this form or add additional fields using checkboxes to suit your needs. Bear in mind that GDPR requires granular consent, which means that subscribers must have the option to subscribe to some, but not all, types of marketing. For example, a subscriber may want to receive emails from you, but not be retargeted by your business on social media. Using checkboxes allows subscribers to choose as many or as few types of marketing as they would like to receive from you.

Any value that a subscriber selects will be stored as a $consent property on their Klaviyo profile. Consent is recorded as a list data type, and as such may contain any number of values.


Once you have your form styled to suit your needs, you can publish it on your site to ensure that, going forward, you are collecting email addresses in a GDPR compliant fashion. 

Use a GDPR Compliant Embedded Form

In addition to a popup or flyout form, you may want to include a GDPR compliant embedded form on your site. To do this, navigate to your newsletter list and click Signup Forms > GDPR Embed. The default language of this form is GDPR compliant, but you can edit it to suit the needs of your particular business.


Copy the code provided in Klaviyo and then install it on your site. Note that if you copy and paste the code below, you must replace each LIST_ID value with your newsletter list's ID to ensure that contacts are added to the list. Learn more about how to find the ID for a given list.

<!-- The action, data-ajax-submit and script src URLs are truncated on this page; copy the full snippet from your Klaviyo account. -->
<form id="email_signup" class="klaviyo_styling klaviyo_gdpr_embed_LIST_ID" action="//" data-ajax-submit="//manage.kmail-" method="GET" target="_blank" novalidate="novalidate">
  <input type="hidden" name="g" value="LIST_ID">
  <input type="hidden" name="$fields" value="$consent">
  <input type="hidden" name="$list_fields" value="$consent">
  <div class="klaviyo_field_group">
    <label for="k_id_email">Newsletter Sign Up</label>
    <input class="" type="email" value="" name="email" id="k_id_email" placeholder="Your email"/>
  </div>
  <div class="klaviyo_field_group klaviyo_form_actions">
    <div class="klaviyo_helptext"> How would you like to hear from us? (please select at least one option) </div>
    <!-- Each checked box is submitted as one value of the $consent list -->
    <input type="checkbox" name="$consent" id="consent-email" value="email">
    <label for="consent-email">Email</label><br>
    <input type="checkbox" name="$consent" id="consent-web" value="web">
    <label for="consent-web">Online advertisements</label>
    <div class="klaviyo_helptext klaviyo_gdpr_text"> We use email and targeted online advertising to send you product and services updates, promotional offers and other marketing communications based on the information we collect about you, such as your email address, general location, and purchase and website browsing history. <br>
    We process your personal data as stated in our Privacy Policy {Insert privacy policy link}. You may withdraw your consent or manage your preferences at any time by clicking the unsubscribe link at the bottom of any of our marketing emails, or by emailing us at {insert customer support email address}.</div>
  </div>
  <div class="klaviyo_messages">
    <div class="success_message" style="display:none;"></div>
    <div class="error_message" style="display:none;"></div>
  </div>
  <div class="klaviyo_form_actions">
    <button type="submit" class="klaviyo_submit_button">Subscribe</button>
  </div>
</form>
<style type="text/css">
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID {
  font-family: "Helvetica Neue", Arial;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_helptext,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_helptext {
  font-family: "Helvetica Neue", Arial;
  padding-top: 10px;
  padding-bottom: 10px;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_gdpr_text,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_gdpr_text {
  font-size: 14px;
  line-height: 1.3;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID label,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID label {
  /* declarations not shown on this page */
}
.klaviyo_styling .klaviyo_field_group .klaviyo_form_actions {
  /* declarations not shown on this page */
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID input[type=checkbox] + label,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID input[type=checkbox] + label {
  display: inline;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID input[type=text],
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID input[type=email],
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID input[type=text],
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID input[type=email] {
  border-radius: 2px;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_submit_button,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_submit_button {
  border-radius: 2px;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_submit_button:hover,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_submit_button:hover {
  /* declarations not shown on this page */
}
</style>
<script type="text/javascript" src="//"></script>
<script type="text/javascript">
// Attach Klaviyo's submit handler to the form and record how consent was collected
KlaviyoSubscribe.attachToForms('#email_signup', {
  hide_form_on_success: true,
  extra_properties: {
    $source: '$embed',
    $method_type: "Klaviyo Form",
    $method_id: 'embed',
    $consent_version: 'Embed default text'
  }
});
</script>

How Consent is Stored in Klaviyo


When subscribers submit their consent through a form, Klaviyo stores several key custom properties on their profile:

  • $consent
    This identifies which types of consent a subscriber has given. Consent is stored as a list array and may contain several properties, like Email and Web.
  • $consent_id
    This is the unique form ID, which allows you to identify the specific form that someone used to opt in. Every form created in Klaviyo has a unique ID, which can be found in the URL of the form as a six digit alphanumeric code.
  • $consent_method
    This identifies the method that a subscriber used to opt in. If you are using a Klaviyo signup form as outlined above, this will read "Klaviyo Form."
  • $consent_timestamp
    This is a timestamp recording precisely when they submitted the form and granted consent.
  • $consent_version
    This identifies the iteration of the form that a particular subscriber saw. Klaviyo keeps a record of the exact text and language that was used for each version of a form you create, which you can request from support if necessary. For example, if you see "2" as the consent version, this means that the subscriber signed up to the second variation you made of the form.

Handling Requests for Data or Deletion

Under GDPR, you are required to provide a contact with all of their user data if they request it. Additionally, if a contact requests that their data be deleted, you must keep a record of this deletion to prove that the request was met.

Check out our guide on Handling GDPR Requests for specific instructions.

Best Practices

Once you have a GDPR compliant signup framework in place, you can use segmentation and flow filters to ensure you only send to profiles who have consented to receive marketing emails. The condition below outlines the filter that you would add to ensure that the group you're targeting has consented to receive emails.


Additionally, for any non-transactional flows, you will want to add a filter to only include those who have given email consent, with the same specifications as outlined above. Some common flows that will require this filter are:

  • Browse abandonment
  • Win-back
  • Upsell
  • Cross-sell
  • Product review

For more information on the difference between transactional and non-transactional flows, check out this guide. The one exception to this list may be abandoned cart emails. There is a prevailing view in the industry that you can still send abandoned cart emails under the basis of legitimate interest because you can consider an abandoned cart email a communication relevant to the explicit intent to complete a transaction with your business.

That said, you need to be able to defend the notion of legitimate interest in order to use it as a lawful basis — and if you’ve sent someone 100 emails about an item they added to their cart 30 days ago, your abandoned cart series is indefensible. We strongly recommend you stick with an abandoned cart series of no more than 2-3 emails.
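
The consent properties listed under "How Consent is Stored in Klaviyo" and the email-consent filter described under "Best Practices" can be combined into a send gate. The following is an added example, not Klaviyo's code or API: it works on plain profile objects, sends only where $consent lists the channel, and holds back profiles whose consent evidence is incomplete. The sample profiles, the ISO 8601 timestamp format, the function names and the "review" bucket are assumptions made for illustration.

```javascript
// Added example, not Klaviyo code: gate sends on the consent properties above.
// Property names come from the article; everything else is an assumption.
const EVIDENCE = ['$consent_id', '$consent_method', '$consent_timestamp', '$consent_version'];

// Normalize $consent to a lowercase list; tolerate a lone string or a missing value.
function consentChannels(profile) {
  const raw = profile.$consent;
  const list = Array.isArray(raw) ? raw : typeof raw === 'string' ? [raw] : [];
  return list.map((v) => String(v).trim().toLowerCase()).filter(Boolean);
}

// Evidence properties that are absent, empty, or (for the timestamp) unparseable.
function missingEvidence(profile) {
  return EVIDENCE.filter((key) => {
    const value = profile[key];
    if (value === undefined || value === null || String(value).trim() === '') return true;
    return key === '$consent_timestamp' && Number.isNaN(Date.parse(value));
  });
}

// send: consent given and provable; review: consent claimed but evidence is
// incomplete (held back, an assumed policy); skip: no consent for this channel.
function gateByConsent(profiles, channel) {
  const out = { send: [], review: [], skip: [] };
  for (const p of profiles) {
    if (!consentChannels(p).includes(channel.toLowerCase())) out.skip.push(p.email);
    else if (missingEvidence(p).length > 0) out.review.push(p.email);
    else out.send.push(p.email);
  }
  return out;
}

// Constructed sample profiles (not real data).
const SAMPLE_PROFILES = [
  { email: 'a@example.com', $consent: ['email', 'web'], $consent_id: 'AbC123',
    $consent_method: 'Klaviyo Form', $consent_timestamp: '2018-06-01T10:00:00Z', $consent_version: '2' },
  { email: 'b@example.com', $consent: ['web'], $consent_id: 'XyZ789',
    $consent_method: 'Klaviyo Form', $consent_timestamp: '2018-06-02T08:30:00Z', $consent_version: '1' },
  { email: 'c@example.com', $consent: 'Email', $consent_method: 'Klaviyo Form' },
  { email: 'd@example.com' },
];

console.log(gateByConsent(SAMPLE_PROFILES, 'email'));
```

Profiles in the review bucket claim consent for the channel but could not be backed by a complete record if the consent were ever challenged.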
