Collect GDPR Compliant Consent


Overview

GDPR stands for the General Data Protection Regulation. It’s a law enacted by the European Commission in 2016 that went into effect on May 25, 2018. It’s designed to protect the privacy of all EU citizens, including when those citizens engage with businesses located outside the European Union, by imposing regulations around personal data. For more information on GDPR, check out our blog series.

Because GDPR requires informed and freely given consent before you can send marketing emails to a given contact, having GDPR compliant signup forms is critical. While we still recommend you contact legal counsel to review the language relayed on your forms, Klaviyo provides built-in GDPR compliant forms as a starting point.

If you have an existing list that you would like to import into Klaviyo and you have already collected consent, check out our guide to applying consent properties to an existing list.

The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers -- and all ecommerce merchants -- to seek legal advice for counsel on how they specifically should prepare for GDPR.

Use a GDPR Compliant Form

After you install Klaviyo signup forms on your site, you will have the option to start building forms within the form editor in the Signup Forms tab in your account. When you create a new form, you will have the option to select Enable GDPR Fields. This will ensure that the default template includes GDPR compliant language.


You can edit the language of this form or add additional fields using checkboxes to suit your needs. Bear in mind that GDPR requires granular consent, which means that subscribers must have the option to subscribe to some, but not all, types of marketing. For example, a subscriber may want to receive emails from you, but not be retargeted by your business on social media. Using checkboxes allows subscribers to choose as many or as few types of marketing as they would like to receive from you.

Any value that a subscriber selects will be stored as a $consent property on their Klaviyo profile. Consent is recorded as a list data type, and as such may contain any number of values.


Once you have your form styled to suit your needs, you can publish it on your site to ensure that, going forward, you are collecting email addresses in a GDPR compliant fashion. 

Additionally, you can choose to show this form only to browsers located in the EU, or, alternatively, show your existing signup form only to browsers that are not in the EU. To do this, navigate to Behaviors > Targeting > By Location, where you can specify the locations in which a form is shown or hidden. Klaviyo determines a browser's location from its IP address.


Use a GDPR Compliant Embedded Form

In addition to a popup or flyout form, you may want to include a GDPR compliant embedded form on your site. You can do this by creating a GDPR compliant embedded form in the Klaviyo Signup Form Builder, as outlined above.

Alternatively, you can copy the code provided below and install it on your site. Note that you must replace each LIST_ID value with your newsletter list's ID to ensure that contacts are added to the list. Learn more about how to find the ID for a given list.

<form id="email_signup" class="klaviyo_styling klaviyo_gdpr_embed_LIST_ID" action="//manage.kmail-lists.com/subscriptions/subscribe" data-ajax-submit="//manage.kmail-lists.com/ajax/subscriptions/subscribe" method="GET" target="_blank" novalidate="novalidate">

<input type="hidden" name="g" value="LIST_ID">
<input type="hidden" name="$fields" value="$consent">
<input type="hidden" name="$list_fields" value="$consent">
<div class="klaviyo_field_group">
<label for="k_id_email">Newsletter Sign Up</label>
<input class="" type="email" value="" name="email" id="k_id_email" placeholder="Your email"/>
<div class="klaviyo_field_group klaviyo_form_actions">
<div class="klaviyo_helptext"> How would you like to hear from us? (please select at least one option) </div>
<input type="checkbox" name="$consent" id="consent-email" value="email">
<label for="consent-email" >Email</label><br>
<input type="checkbox" name="$consent" id="consent-web" value="web" >
<label for="consent-web">Online advertisements</label>
<div class="klaviyo_helptext klaviyo_gdpr_text"> We use email and targeted online advertising to send you product and services updates, promotional offers and other marketing communications based on the information we collect about you, such as your email address, general location, and purchase and website browsing history. <br>
<br>
We process your personal data as stated in our Privacy Policy {Insert privacy policy link}. You may withdraw your consent or manage your preferences at any time by clicking the unsubscribe link at the bottom of any of our marketing emails, or by emailing us at {insert customer support email address}.</div>
</div>
</div>
<div class="klaviyo_messages">
<div class="success_message" style="display:none;"></div>
<div class="error_message" style="display:none;"></div>
</div>
<div class="klaviyo_form_actions">
<button type="submit" class="klaviyo_submit_button">Subscribe</button>
</div>
</form>
<style type="text/css">
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID {
font-family: "Helvetica Neue", Arial;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_helptext,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_helptext {
font-family: "Helvetica Neue", Arial;
padding-top: 10px;
padding-bottom: 10px;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_gdpr_text,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_gdpr_text {
font-size: 14px;
line-height: 1.3;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID label,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID label {
color:#222;
}
.klaviyo_styling .klaviyo_field_group .klaviyo_form_actions {
text-align:left;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID input[type=checkbox] + label,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID input[type=checkbox] + label {
display: inline;
font-weight:normal;
padding-left:5px;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID input[type=text],
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID input[type=email],
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID input[type=text],
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID input[type=email] {
border-radius: 2px;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_submit_button,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_submit_button {
background-color:#0064cd;
border-radius: 2px;
}
.klaviyo_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_submit_button:hover,
.klaviyo_condensed_styling.klaviyo_gdpr_embed_LIST_ID .klaviyo_submit_button:hover {
background-color:#0064cd;
}
</style>
<script type="text/javascript" src="//www.klaviyo.com/media/js/public/klaviyo_subscribe.js"></script>
<script type="text/javascript">
KlaviyoSubscribe.attachToForms('#email_signup', {
hide_form_on_success: true,
extra_properties: {
$source: '$embed',
$method_type: "Klaviyo Form",
$method_id: 'embed',
$consent_version: 'Embed default text'
}
});
</script>
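The embed form above submits with method="GET", so the endpoint receives a query string in which $consent appears once per checked box. The following is an added example (not Klaviyo's code) that parses such a submission and enforces the "please select at least one option" rule that the form's helptext states but novalidate leaves unenforced; the list ID and addresses in the samples are constructed placeholders.

```javascript
// Added example (not Klaviyo's code): parse the query string the embed form
// above sends (method="GET") and enforce the "please select at least one
// option" rule that its helptext states but novalidate leaves unenforced.
const FORM_CONSENT_VALUES = new Set(['email', 'web']); // values the form's checkboxes send

function parseSignup(queryString) {
  const params = new URLSearchParams(queryString); // decodes %24 back to "$"
  const listId = params.get('g') || '';
  const email = (params.get('email') || '').trim();
  // $consent is multi-valued: one query parameter per checked box.
  const consent = params.getAll('$consent');
  const errors = [];

  if (!listId || listId === 'LIST_ID') {
    errors.push('LIST_ID placeholder was not replaced with a real list ID');
  }
  if (!/^[^\s@]+@[^\s@]+\.[^\s@]+$/.test(email)) {
    errors.push('invalid email address');
  }
  if (consent.length === 0) {
    errors.push('at least one consent option must be selected');
  }
  const unknown = consent.filter((v) => !FORM_CONSENT_VALUES.has(v));
  if (unknown.length > 0) {
    errors.push(`unknown consent value(s): ${unknown.join(', ')}`);
  }
  if (errors.length > 0) {
    return { ok: false, errors };
  }
  // Keep the granular choice as a de-duplicated list, matching the list
  // data type of the $consent property described on this page.
  return { ok: true, listId, email, consent: [...new Set(consent)] };
}

// Constructed sample submissions (placeholder list ID, no real addresses).
const SAMPLE_OK = 'g=AbC123&%24fields=%24consent&%24list_fields=%24consent'
  + '&email=jane%40example.com&%24consent=email&%24consent=web';
const SAMPLE_NO_CONSENT = 'g=AbC123&%24fields=%24consent&email=jane%40example.com';
```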

How Consent is Stored in Klaviyo


When subscribers submit their consent through a form, Klaviyo stores several key custom properties on their profile:

  • $consent
    This identifies which types of consent a subscriber has given. Consent is stored as a list and may contain several values, such as Email and Web. There are five supported values, which correspond to the different channels you can use to market to your subscribers:
    • Email
    • Web
    • Mobile
    • SMS
    • Direct mail
  • $consent_id
    This is the unique form ID, which allows you to identify the specific form that someone used to opt in. Every form created in Klaviyo has a unique ID, which can be found in the URL of the form as a six-character alphanumeric code.
  • $consent_method
    This identifies the method that a subscriber used to opt in. If you are using a Klaviyo signup form as outlined above, this will read "Klaviyo Form."
  • $consent_timestamp
    This is a timestamp recording precisely when they submitted the form and granted consent.
  • $consent_version
    This identifies the iteration of the form that a particular subscriber saw. Klaviyo keeps a record of the exact text and language that was used for each version of a form you create, which you can request from support if necessary. For example, if you see "2" as the consent version, this means that the subscriber signed up to the second variation you made of the form.

Handling Requests for Data or Deletion

Under GDPR, you are required to provide a contact with all of the data you hold on them if they request it. Additionally, if a contact requests that their data be deleted, you must keep a record of the deletion to prove that the request was fulfilled.

Check out our guide on Handling GDPR Requests for specific instructions.

Build a Segment of EU Contacts

To isolate a group of contacts in your account that are in the EU, create a segment with the following conditions:

[Screenshot: segment conditions for EU contacts]

Filter EU Contacts Out of Flows

For any non-transactional flow, add a filter so that only contacts who have given email consent, or who are not in the EU, are included.

[Screenshot: flow filter for email consent or non-EU location]

Some common flows that will require this filter are:

  • Browse abandonment
  • Win-back
  • Upsell
  • Cross-sell
  • Product review

For more information on the difference between transactional and non-transactional flows, check out this guide. The one exception to this list may be abandoned cart emails. There is a prevailing view in the industry that you can still send abandoned cart emails on the basis of legitimate interest, because an abandoned cart email can be considered a communication relevant to the customer's explicit intent to complete a transaction with your business.

That said, you need to be able to defend the notion of legitimate interest in order to use it as a lawful basis — and if you’ve sent someone 100 emails about an item they added to their cart 30 days ago, your abandoned cart series is indefensible. We strongly recommend you stick with an abandoned cart series of no more than 2-3 emails.

Suppressing EU Contacts Who Do Not Provide Consent

Anyone in your EU subscriber segment who did not opt into a re-permissioning campaign by May 25, 2018 should be suppressed in your account to prevent you from accidentally emailing them. To ensure that you've filtered out any subscribers who provided consent, add the following condition to the EU segment outlined above.

Suppress this segment to ensure that you don’t inadvertently email these contacts. If they later decide that they want to opt back in, they can resubscribe.
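The flow filter from "Filter EU Contacts Out of Flows" and the suppression segment from this section, applied to profile records shaped like the consent properties described above, as an added example (not Klaviyo's code). The profiles, flows and EU country list are constructed assumptions; the abandoned-cart cap encodes the page's own recommendation of no more than 2-3 emails on a legitimate-interest basis.

```javascript
// Added example, not Klaviyo's code: profiles, flows and country list are constructed.
// Assumption: EU membership by ISO 3166-1 alpha-2 code; align this with how your
// own EU segment is defined (the UK was still a member in 2018).
const EU_COUNTRIES = new Set(['AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE',
  'FI', 'FR', 'DE', 'GR', 'HU', 'IE', 'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL',
  'PT', 'RO', 'SK', 'SI', 'ES', 'SE']);

// The page recommends an abandoned-cart series of no more than 2-3 emails when
// relying on legitimate interest instead of consent.
const MAX_LEGITIMATE_INTEREST_EMAILS = 3;

// $consent is a list. The page shows "Email"/"Web" while the embed form sends
// "email"/"web", so compare case-insensitively; no $consent property means no consent.
function hasConsent(profile, channel) {
  const given = Array.isArray(profile.$consent) ? profile.$consent : [];
  return given.some((v) => String(v).toLowerCase() === channel.toLowerCase());
}

function isEuContact(profile) {
  return EU_COUNTRIES.has(String(profile.country || '').toUpperCase());
}

// The "EU contacts who did not provide consent" segment that the page says to suppress.
function needsSuppression(profile) {
  return isEuContact(profile) && !hasConsent(profile, 'email');
}

// Flow filter: transactional flows are unaffected; non-transactional flows need
// email consent or a contact outside the EU. Abandoned cart is the one exception
// discussed, on a legitimate-interest basis and only as a short series.
function flowMayInclude(profile, flow) {
  if (flow.transactional) return true;
  if (!isEuContact(profile) || hasConsent(profile, 'email')) return true;
  return flow.basis === 'legitimate_interest'
    && flow.emailCount <= MAX_LEGITIMATE_INTEREST_EMAILS;
}

const PROFILES = [ // constructed, no real addresses
  { email: 'jane@example.com', country: 'DE', $consent: ['email', 'web'],
    $consent_method: 'Klaviyo Form', $consent_version: 'Embed default text' },
  { email: 'pierre@example.com', country: 'FR', $consent: ['web'] },
  { email: 'sam@example.com', country: 'US' },
];
const FLOWS = {
  orderConfirmation: { transactional: true },
  browseAbandonment: { transactional: false },
  abandonedCart: { transactional: false, basis: 'legitimate_interest', emailCount: 3 },
};
```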

Best Practices

Once you have a GDPR compliant signup framework in place, you can use segmentation and flow filters to ensure you only send to profiles who have consented to receive marketing emails. The condition below outlines the filter that you would add to ensure that the group you're targeting has consented to receive emails.

[Screenshot: segment or flow filter condition requiring email consent]

In order to maintain your GDPR compliance, you’ll also want to adhere to the following best practices:

  • Display links to your Privacy Policy, Terms of Service, and cookie policy in all of your emails.
  • Use double opt-in.
  • Understand what consent means:
    • Freely given. In other words, you can’t mislead or force someone into letting you use their information. They must be given a legitimate choice -- and you can’t withhold a service or transaction on the basis of consent if that consent is not integral to the service or transaction.
    • Specific. Consent to process personal data must include details around both the purpose of the processing and the type of processing.
    • Informed. Closely tied to the idea of specific consent, informed consent simply means that the individual data subject must be told how their data is going to be used, the specific purpose their data is being used for, and the type of data processing you are using.
    • Unambiguous. To go one step further, consent under GDPR must be obtained through clear language and indicated through affirmative action on the part of the data subject.
    • Easy to withdraw. Though not called out in the definition of consent upfront, Article 7 of the GDPR goes on to specify that consent must be as easy to withdraw as it is to grant.

