GDPR Compliance: Preparing for GDPR consent

Understanding the core tenets of GDPR ensures that you have proper consent for collecting personal data from citizens in Europe.

Under GDPR, personal data refers to anything you might use to identify who someone is, as well as any information you might associate with them. Something like an email address definitely counts as personal data. So does website browsing behavior you can tie back to a profile; information on what they bought; how much they spent.

As an ecommerce merchant if you sell to anyone in the European region, you’re considered a “data controller” under GDPR. That means you’re the frontline when it comes to explicit consent from your EU prospects and customers for how you plan on using their personal data.

While there are several other “lawful bases” for gathering and using personal data, most relate to health care or public agencies, so in the field of digital marketing consent is typically the appropriate basis.

Want to understand GDPR, learn the basics

What does GDPR compliance and consent mean?

So what, exactly, is ‘consent’? Article 4 of the GDPR defines it as,

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

But there are technically two slightly different types of consent that the GDPR calls out for business to be compliant: consent for personal data; and “explicit” consent for a separate class of data called sensitive data. Sensitive data includes any information on things like a person’s religion, race, health, or sexual orientation.

You should not store data classified as “sensitive information” under the GDPR so our focus here will be on the general definition of consent for personal data.

There are five fundamental aspects to consent that are important to understand to remian GDPR compliant:

  • Consent should be freely given. In other words, you can’t mislead or force someone to let you use their information. They must be given a legitimate choice — and you can’t withhold a service or transaction on the basis of consent if that consent is not integral to the service or transaction.
  • Consent should be specific to the data set and channel. The individual must be allowed to consent to the specific use(s) of their data that you intend. It is not enough to ask for broad consent to use their data.
  • The user should be informed of the way data will be used. Closely tied to the idea of specific consent, informed consent simply means that the individual must clearly understand how their data is going to be used, by whom, and for what purpose.
  • The language in the consent form should be unambiguous. And to go one step further, consent under GDPR must be obtained through clear language and indicated through affirmative action on the part of the data subject. You can’t bury the description of what they are consenting to in either a pile of words or a maze of hyperlinks.
  • Consent should be easy to withdraw. Though not called out in the definition of consent upfront, Article 7 of the GDPR goes on to specify that consent must be as easy to withdraw as it is to grant.

At first pass, it may not seem like these five pillars of consent will have a meaningful impact on your marketing practices. But the fact is, they’ll have a profound impact on how ecommerce merchants build their marketing databases in the future… because a good number of common list-building tactics are not GDPR compliant.  

Marketing practices that are not compliant with GDPR

Using opt-outs are not in GDPR compliance-use opt-in

Requiring an opt-out instead of an opt-in for permission to send marketing is a common practice — but GDPR specifically calls out

“silence, pre-ticked boxes or inactivity” do not constitute consent. Make sure that any time you’re signing someone up for your email list, you require them to take an explicit action to indicate their consent — such as checking a box.

Using general language for opt-ins is not appropriate for compliance

Perhaps the most common opt-in language is some variation of this phrase: “By checking this box, you consent to receive promotional and other marketing materials.” Unfortunately, under GDPR that language is not specific. You’ll need to make sure you use language that explains exactly why you want permission to use someone’s data and how you intend to use it.

For example: “By checking this box, you consent to receive promotional emails related to your  purchase history, website browsing activity, and/or interaction with marketing materials.”

Complicated or incomplete opt-out processes will not be compliant

Your EU subscribers must be able to revoke their consent for using their personal data at any time, and that process must be as straightforward as giving that consent in the first place. In other words, you can’t ask someone to opt-in to your marketing and then require them to opt-out of specific types of marketing, like daily promotions or category-specific newsletters. You also can’t require that an EU citizen take extra actions to opt-out: for instance, asking them to contact your customer support team in order to be removed from email lists.

Relying on implied consent – even with some automated emails is against GDPR compliance

Assuming that a transaction with your business implies consent to future marketing is a violation of GDPR. In other words, you may have a lawful basis for gathering an email address during a purchase to provide confirmation or deliver product, but that does not imply that you have consent to use that email for marketing purposes.  This also extends to relying on your terms of service to cover your use of an EU citizen’s personal data — that practice isn’t considered unbundled or an instance of freely given consent.

On the surface, this may seem straightforward — but in reality, where you do and don’t have a lawful basis to send an email can get tricky. Article 6 of the GDPR outlines the provisions for lawful basis, and it includes “legitimate interests” as one of those basis:

“Processing shall be lawful only if and to the extent that at least one of the following applies:

(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;

(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;

(c) processing is necessary for compliance with a legal obligation to which the controller is subject;

(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;

(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

Legitimate interest is the most ambiguous – and therefore the most flexible – basis for processing data. It states that if there is a reason for you to process the data that supports the data subjects interests or your own commercial interests, then you’re good to go as long as you can demonstrate that the processing is necessary – meaning you can’t get the same result in a less intrusive way – and that it does not infringe on an individual’s interests and can be assumed to be reasonably expected.

The specific boundaries for what constitutes legitimate interest will no doubt be established through precedents set after GDPR goes into effect. For now, though, our recommendation is to consider communications relevant to the explicit intent to complete a transaction with your business as GDPR-compliant under the basis of legitimate interest.

Example using an abandoned cart email

More simply put, sending an abandoned cart email does not require explicit opt-in to receive marketing. Neither does an order confirmation email, since that can be considered communication that is both in the legitimate interest of the recipient, but also something that is critical to fulfilling the “contract” made when someone completes a transaction. But you need to be able to defend the notion of legitimate interest in order to use it as a lawful basis — and if you’ve sent someone 100 emails about that item they added to their cart 30 days ago, you can be sure that your abandoned cart series is indefensible. We strongly recommend you stick with an abandoned cart series of no more than 3 emails to maximize revenue per recipient without seeing a sharp decline in response.

But as for other types of automated event-triggered emails — including things like win-back emails, replenishment campaigns, upsell prompts, product review requests, and browse abandonment flows – we strongly recommend that you only send to EU citizens that have granted explicit permission.

How Klaviyo will help with GDPR-compliant list-building

Klaviyo is making several changes in order to assist our users with GDPR compliance. They include:

  • Supporting mandatory checkboxes within forms
  • Boilerplate opt-in language that is GDPR compliant available within Klaviyo pop-up forms
  • A record of when consent is granted for all opt-ins, including the specific consent language
  • The ability to export personal data for a subscriber to respond to a data portability request
  • The ability to delete a profile to respond to a data deletion request
  • Easy segmentation of existing EU subscribers for re-permissioning

In addition, we encourage Klaviyo customers to take advantage of our custom unsubscribe page feature to assist with enabling opt-outs in any situations where you’re collecting segmented or specialized opt-ins.

Use Klaviyo for email marketing compliance

Disclaimer: The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers — and all ecommerce merchants – to seek legal advice for counsel on how they specifically should prepare for GDPR.

Back to Blog Home
Get email marketing insights delivered straight to your inbox.
*By entering your email address and clicking Subscribe, you consent to receive marketing emails (such as newsletters, blog posts, webinars, event invitations and new product updates) from Klaviyo from time to time. You can unsubscribe at any time by clicking on the “Unsubscribe” link at the bottom of our emails. For more information on how we process your personal information and what rights you have in this respect, please see our Privacy Policy.
Own your data.
Own your growth.
© 2022 Klaviyo. All rights reserved. Klaviyo and the Klaviyo logo are trademarks or registered trademarks of Klaviyo, Inc. or its affiliates.
Terms and Privacy Manage Cookies