GDPR Made Easy

GDPR enforcement begins on May 25th. With that in mind, we dug deep into the details so we could provide you with the tools you need to comply with the new GDPR requirements while making managing your EU profiles easy and effortless. In this light, we’ve made several changes to our product that we’re excited to share.

Demonstrate that the data subject has consented (Art (7), Sec (1))

You must prove not only that you received consent to market to a person, but also the specific type(s) of marketing that person consented to receive.

To make it easy to verify if a profile consented, Klaviyo displays the latest consent status via the new $consent property shown directly on the customer’s profile in the information box. This property can be updated by using Klaviyo forms or by manually uploading profiles.

We’ll record $consent_timestamp automatically so you’ll have a record of when exactly consent was provided. In the event that you’re using a Klaviyo form, we’ll keep track of how consent was added to this profile ($consent_method), and what version of consent the person agreed to ($consent_version) so you can always trace the specific language the customer was shown at the moment consent was given.

To make it easy to collect GDPR compliant consent, we’ve done 3 things:

  1. Pre-templated GDPR pop ups
  2. Assign GDPR preferences to uploads
  3. Manually update profiles to reflect preferences

Pre-templated GDPR pop ups

If you want to add a form to your site to allow customers to specify consent and ensure that the data is accurately stored, your best bet is to use one system. Our new form builder allows you to customize forms to reflect your brand and we’ve created a way for you to easily include GDPR specific fields in a single click.

When you select this checkbox, we’ll automatically add checkboxes for types of consent and language that clearly explains how a submitter’s data will be used.

From there, you can customize the look and feel of the form however you want and publish to your site in seconds – all without touching code.

Assign GDPR preferences to uploads

If you’re uploading profiles, you’ll have the option to specify if you received consent to contact these users. If you already have $consent in your CSV file we will automatically add it to profiles you’re uploading, and if you don’t, we’ve included a new workflow to make it easy to add. Just specify if you want to “Add GDPR specific consent”, pick your consent type(s), and then start your import.

Sometimes, you’ll want to add profiles using our API. To make sure that your account is kept clean and consistent, we’ve limited the allowable fields to email, sms, mobile, direct mail, and web. That way, you can configure your own forms in Klaviyo or custom forms on your site and have them update profiles consistently, ensuring a clean, filterable customer data set going forward.

Manually update profiles to reflect preferences

Sometimes, your customers will write in or even call you on the phone to let you know any updates to their consent preferences. If that happens, you can update their preferences in three easy clicks. First, search for their profile. Second, find the $consent property on their profile and click the edit icon. Third, click update.

Right to Data Portability (Art 20)

Any contact has the right to request and receive all data that you have accumulated on them.

In the event you receive a GDPR information or deletion request from a customer, you can handle this directly from the profile page as well. When you scroll to the bottom of a customer’s profile, you’ll see a new export button. Just click this button to download all the information Klaviyo has on that customer’s profile properties and event history. The file will download directly to your browser and we’ll keep a copy of it on the downloads tab of your account page. To help you control who has access to that information, we’ve restricted this functionality to only account users who are Owners, Admins, Managers, or Analysts.

Right to rectification (Art 16)

Consumers have the right to have the controller update inaccurate personal data concerning them, without undue delay.

Consumers have the ability to reach out to your brand and request that you update information about them. We’ve built our profile pages and in-app navigation to make this a simple, 3-step process. First, search for the email address of the person who wrote in. Second, find the information they want you to update – this could be their name, address or even what they would like to consent to. Third, click edit and update the field.

Right to Erasure (Art 17)

Any contact has the right to request that their data be deleted at any time.

If you get a GDPR deletion request, the delete button is right next to the export button. When you click the delete button, you’ll see a new checkbox in the confirmation modal to specify whether or not the deletion is due to a GDPR request.

If you click that checkbox, a record of the deletion will populate on the new delete history page. You can always refer back to this page to see a permanent record that your business successfully complied with the GDPR request.

We’ll also remove any profile data downloads for that particular customer from the downloads page so you don’t have to worry about anyone accessing their personally identifying information from the Klaviyo platform.

As email marketers ourselves, we understand that GDPR compliance can seem like a lot to manage. We also know that your time is valuable and it’s best spent when it’s focused on marketing and not interpreting or managing legalese. That’s why we’ve dedicated so much energy to upgrading our existing workflows and building a new suite of tools to give you the best, most thorough, and least disruptive GDPR experience possible. If you need help identifying all of your EU customers, we’ve gone ahead and created a starting point for you. Check out our new Guide to GDPR Re-Permissioning to populate this segment into your account and get tips and advice on how to verify consent.

Please let us know if you have any questions or feedback by sending an email to product@klaviyo.com with the subject line “I have an idea”!

Visit our Help Center for GDPR FAQs, a guide to re-permissioning, and details on how you can collect GDPR compliant consent. Also see our Preparing for GDPR blog post series for overviews on GDPR for ecommerce, consent, and re-permissioning.

2 comments

  • Hi Tyler!

    From my point of view, it is not legal to update the consent field manually. So if a client asks for it on the phone there’s no way to legally prove that it was his/her decision and that way the time stamp is useless. The same way when you import a subscriber…

    Plus, will the consent be available in the subscription pages any time soon?

    Thank you!

    • Hey Juliana!

      We allow users to manually update consent via the profile and via upload because some of our users have in-person events or brick and mortar stores where they collect email addresses. Ultimately it’s up to the business itself to ensure that any consent they manually enter was acquired in a GDPR compliant way, but we thought it was important to acknowledge these common business practices and not lock users into a corner. I would definitely advise you consult with a lawyer for more details on how GDPR impacts your particular business, but from our viewpoint, and this is not legal advice by any means, as long as you store what language the customer consented to (we’ll record the timestamps) you should be okay to manually change consent.

      We haven’t discussed that internally yet, but to add GDPR to your subscription pages, you can just add $consent as a new variable along with a textfield that includes an explanation of what the user is consenting to. I’ll definitely bring this up during our next product meeting and get back to you!

      Best,
      Tyler
