GDPR for Ecommerce


What is GDPR

GDPR stands for the General Data Protection Regulation. It’s a law enacted by the European Commission in 2016 that goes into effect on May 25, 2018. It’s designed to protect the privacy of all EU citizens, including when those citizens engage with businesses located outside the European Union, by imposing regulations around personal data. So in theory, the GDPR could technically apply to every single business selling to or processing the data of EU citizens.

It’s kind of a big deal, to say the least.

We’re committed to helping all Klaviyo users navigate GDPR, which is why this is the first post in a GDPR series we’ll be publishing over the next few weeks.

What is personal data

First things first: the concept of “personal data” is at the heart of GDPR legislation, so it’s important to understand what that means. That’s particularly important because what constitutes personal data may be broader than you realize. It is certainly broader than what’s encompassed by “PII,” or “personally identifiable information,” a term typically used in US legislation. Article 4 of the GDPR defines personal data as “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Translated from legalese, this definition basically encompasses any type of data you could use to figure out who someone is, like an email address, an IP address, or a cookie, plus any data you associate with that person, like what they bought or what they looked at online. That’s far more wide-reaching than things like name, age, financial information, or Social Security number: the things that fall under the bucket of PII in the US.

There’s a special class of personal data under GDPR, referred to as sensitive personal data. That covers data about someone’s race, ethnic origin, political views, religious or philosophical beliefs, trade-union membership, health, or sex life. This type of data isn’t something you should store in Klaviyo, and if you’re collecting it at all, you should definitely seek legal counsel, as you’ll be subject to even more stringent regulation.

User Roles

There are four types of roles any given person or business will fall into under GDPR:

  • The data subject is the EU citizen whose personal data can be collected, stored, and/or processed by other entities.
  • The data controller is the entity with which the data subject is transacting and to which they are therefore entrusting their personal data. As a merchant, you are considered a data controller.
  • The data processor is any company that is storing and/or processing the data on behalf of the data controller. Your ecommerce platform is a data processor, and so is Klaviyo.
  • A third party data processor or “subprocessor” is any company performing additional processing after personal data is transferred to it from a data processor. For instance, Klaviyo, like most cloud-based software services, uses Amazon Web Services (AWS) to host our software. In this case, AWS can be considered a third party data processor.

It’s important to understand that as a data controller under GDPR, you have the primary responsibility for protecting the personal data of your customers. That means it is your responsibility to ensure that any company you’re doing business with that is processing the data of your EU customers is compliant with GDPR. That includes your ecommerce platform, Klaviyo, forms providers, certain analytics software, loyalty platform providers, and more. Most things in your marketing technology stack will likely fall into the role of a data processor.

So… what exactly does GDPR impact?

GDPR is a complicated piece of legislation. But it’s essentially architected around the idea that any given European citizen has the fundamental right to understand and control how their personal data is collected, secured, and used. These are the three buckets you, as an ecommerce merchant, should be concerned with:

  • How you’re collecting and using your customers’ data;
  • How that data is being secured by you and any data processors you’re working with;
  • How you enable and support your customers’ rights to understand and control their personal data.

What is Klaviyo Doing to Comply with GDPR

As a processor, Klaviyo has distinct responsibilities under GDPR. These include:

  • Only processing data to the extent entrusted to Klaviyo by the controller. In other words, as a data processor we can’t take the data you’re sharing as a controller and opportunistically do something with it that we haven’t disclosed to you.
  • Disclosing all third party processors or subprocessors, and assuming responsibility for confirming their GDPR compliance. In other words, it’s Klaviyo’s responsibility to make sure that we only use GDPR compliant subprocessors and that you know who they are.
  • Erasing or returning data back to the controller on request at the end of a service contract. That means you have the right to all the information Klaviyo is storing for your account should you choose to stop using our software.
  • Securing the data. Any processor or subprocessor is responsible for ensuring that they are employing “appropriate technical and organisational measures” to secure personal information in their possession.
  • Notifying data controllers and EU data protection authorities of any incidents that compromise personal information.
  • Establishing an EU Data Protection Representative agency (Article 27 representative) to provide EU points of contact with local language support for consumer inquiries.
  • Ensuring that international transfer of the data that you have collected is performed in a manner that meets all the legal requirements of GDPR by providing adequate safeguards with certification under an accepted certification mechanism.

This last point is a very important one. We’re meeting the Chapter V requirements of GDPR through Privacy Shield certification. The Privacy Shield was designed by the US Department of Commerce, the European Commission, and the Swiss Administration in 2016 to “provide companies on both sides of the Atlantic with a mechanism to comply with data protection requirements when transferring personal data from the European Union and Switzerland to the United States in support of transatlantic commerce.” In other words, the US government has worked with the EU to define exactly what US companies need to do to be in compliance with European data laws, including security, accountability, a recourse mechanism and enforcement.

As an added layer of protection, we will also provide an EU Data Processing Addendum to our Terms of Service for our EU customers. The Data Processing Addendum provides a formal contract between a data controller (you, the merchant) and the data processor (Klaviyo) that details our commitment to compliance with GDPR.

What should you do to prepare for GDPR?

To help you prepare for GDPR, we’ll be publishing a series of posts over the next few weeks that dive into each of the main areas you need to focus on in order to be GDPR compliant:

  • How you’re collecting and using your customers’ data;
  • How that data is being secured by you and any data processors you’re working with;
  • How you enable and support your customers’ rights to understand and control their personal data.

But for now, here’s a general overview of the implications of GDPR in each of these areas for you as a data controller.

How you’re collecting and using your customers’ data

This is perhaps the most impactful area of the regulation, because more likely than not it’s going to force you to rethink some of your marketing practices.

GDPR places a lot of emphasis on informed and explicit consent around personal data. That means that in order to store your EU customers’ email address — or any other personal data about them — you must let them know what it will be used for in greater detail than you’ve had to in the past. And you also need them to take explicit action to indicate consent.

That boils down to a prohibition of some common marketing practices, including but not limited to:

  • Requiring an opt-out instead of an opt-in for permission to send marketing materials.
  • Obscuring intended use of personal data through either omission or intentionally misleading language or presentation. This includes burying a description of intended use in excessive or confusing language or through a maze of hyperlinks.
  • Assuming that a transaction with your business implies consent. In other words, requiring an email address to complete a purchase without gathering explicit consent from your European customer to store that email, and without disclosing how you plan on using their email.

Klaviyo is committed to helping you navigate GDPR compliance, and that will include publishing language around collecting explicit consent for using email addresses in marketing materials. We’re building this language and an opt-in mechanism into our forms builder.

Remember, GDPR applies to all data collected from European citizens regardless of when their personal data was collected. If you’ve relied on any non-compliant marketing practices in the past, you’ll need to start thinking about how to collect informed, explicit consent from your European customers. The best way to tackle this is in three stages:

  • First, plan on updating your forms and practices to be GDPR compliant as soon as possible.
  • Next, start including prompts in your marketing materials asking for explicit consent. You’ll want to run this as a campaign, so make sure you give yourself plenty of time to have 5 or 6 touchpoints, 2 of which you might want to consider making dedicated prompts (as opposed to notices you might insert in your typical promotions or email newsletter).
  • Finally, consider scrubbing your lists of any EU citizens from whom you have not collected explicit consent before May 25, 2018.

Later this week, we’ll publish more details on how to put this plan into effect, and some of the repercussions you may face if you’re not in compliance as a data controller.

How that data is being secured by you and any data processors you’re working with

As a data controller, one of the things you’ll want to consider is how you’re limiting access to personal data within your own company. If someone’s role does not require them to access or work with personal data, they should not be able to obtain it. Klaviyo can help you on this front with our user permission tiers, but don’t forget to look at other systems where you are storing consumer data.

You should also make sure that you understand the security measures being taken by all of your data processors. One way to do this is by reviewing the security measures described in your vendors’ Terms of Service or Data Processing Agreement/Addendum.

How you support your customers’ rights to understand and control their personal data

Again, your EU customers are entitled to request to see the personal data you have about them, and to request that their data be corrected or deleted. If you’re collecting and storing any customer data on premise, you’ll need to make sure you have procedures in place to meet these requests.

You’ll also want to make sure any of your data processors are able to meet these demands as well. U.S.-based vendors should be Privacy Shield certified, and EU-based vendors should be able to provide reasonable guarantees as provided for in Article 28 of the GDPR.

Some food for thought

Like… well, all legislation, GDPR can seem intimidating, overwhelming, anxiety-inducing, and generally detrimental to your mental well-being. Trust us, we get it. But there’s a bigger theme at play here, and if you stop to consider it GDPR may actually – dare we say it – start looking like a good thing.

See, every digital marketing channel today, whether it’s social, search marketing, SEO, or email, is constantly being optimized to deliver the best possible experience for the end user, because without those end users, those channels wouldn’t exist. Think about Google’s search algorithm updates, for example. They’re all designed around making sure Google is serving up the most relevant content in the best possible way to people using its search engine. They might adversely impact reputable businesses at times. But whenever they do, they also act as a forcing function for that business to change whatever it is doing, sometimes unintentionally, to impede the user experience. Email is no different: all the ISPs have rules in place to try to prevent emails their users don’t care about from hitting the inbox, even if those emails aren’t technically spam.

GDPR is just one more thing that’s forcing businesses to consider the experience they’re delivering to the end user. It’s actively punishing “black hat” email marketing tactics, like shady (or non-existent) permission gathering. Beyond that, it’s forcing brands to make the best use of the data they have on their consumers to deliver a user experience those consumers want.

The bottom line is this: in today’s world, the consumer is in control. In fact, they should be in control. As a brand, it’s your responsibility to focus on communicating and interacting with consumers in a way that’s relevant and meaningful to them. The good news is, operating that way is incredibly lucrative for your business. It means you’re doing a good job of getting the value of your brand, business, and product across to your potential and current customers. And if you’re doing that, you’ll drive sales, retention, and ongoing revenue.

Disclaimer: The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers — and all ecommerce merchants – to seek legal advice for counsel on how they specifically should prepare for GDPR.
