Last week, we published an overview on GDPR and what it means for ecommerce merchants. This post will dive in on one of the core tenets of GDPR: making sure you have proper consent for collecting personal data from EU citizens.
As a quick recap, under GDPR personal data refers to anything you might use to identify who someone is, as well as any information you might associate with them. Something like an email address definitely counts as personal data. So does website browsing behavior you can tie back to a profile; information on what they bought; how much they spent… you get the idea.
As an ecommerce merchant, you’re considered a “data controller” under GDPR. That means you’re the frontline when it comes to explicit consent from your EU prospects and customers for how you plan on using their personal data.
While there are several other “lawful bases” for gathering and using personal data, most relate to health care or public agencies, so in the field of digital marketing consent is typically the appropriate basis.
The Meaning of Consent
So what, exactly, is ‘consent’? Article 4 of the GDPR defines it as,
“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”
But there are technically two slightly different types of consent that the GDPR calls out: consent for personal data; and “explicit” consent for a separate class of data called sensitive data. Sensitive data includes any information on things like a person’s religion, race, health, or sexual orientation. You should not store data classified as “sensitive information” under the GDPR in Klaviyo, so our focus here will be on the general definition of consent for personal data.
There are five fundamental aspects to consent that are important to understand:
- Freely given. In other words, you can’t mislead or force someone to let you use their information. They must be given a legitimate choice — and you can’t withhold a service or transaction on the basis of consent if that consent is not integral to the service or transaction.
- Specific. The individual must be allowed to consent to the specific use(s) of their data that you intend. It is not enough to ask for broad consent to use their data.
- Informed. Closely tied to the idea of specific consent, informed consent simply means that the individual must clearly understand how their data is going to be used, by whom, and for what purpose.
- Unambiguous. And to go one step further, consent under GDPR must be obtained through clear language and indicated through affirmative action on the part of the data subject. You can’t bury the description of what they are consenting to in either a pile of words or a maze of hyperlinks.
- Easy to withdraw. Though not called out in the definition of consent upfront, Article 7 of the GDPR goes on to specify that consent must be as easy to withdraw as it is to grant.
At first pass, it may not seem like these five pillars of consent will have a meaningful impact on your marketing practices. But the fact is, they’ll have a profound impact on how ecommerce merchants build their marketing databases in the future… because a good number of common list-building tactics are not GDPR compliant.
Marketing practices that are not compliant with GDPR
Requiring an opt-out instead of an opt-in
Requiring an opt-out instead of an opt-in for permission to send marketing is a common practice — but GDPR specifically calls out that “silence, pre-ticked boxes or inactivity” do not constitute consent. Make sure that any time you’re signing someone up for your email list, you require them to take an explicit action to indicate their consent — such as checking a box.
Using general language for opt-ins
Perhaps the most common opt-in language is some variation of this phrase: “By checking this box, you consent to receive promotional and other marketing materials.” Unfortunately, under GDPR that language is not specific. You’ll need to make sure you use language that explains exactly why you want permission to use someone’s data and how you intend to use it. For example: “By checking this box, you consent to receive promotional emails related to your purchase history, website browsing activity, and/or interaction with marketing materials.”
Complicated or incomplete opt-out processes
Your EU subscribers must be able to revoke their consent for using their personal data at any time, and that process must be as straightforward as giving that consent in the first place. In other words, you can’t ask someone to opt in to your marketing and then require them to opt out of specific types of marketing, like daily promotions or category-specific newsletters. You also can’t require that an EU citizen take extra actions to opt out: for instance, asking them to contact your customer support team in order to be removed from email lists.
Relying on implied consent – even with some automated emails
Assuming that a transaction with your business implies consent to future marketing is a violation of GDPR. In other words, you may have a lawful basis for gathering an email address during a purchase to provide confirmation or deliver product, but that does not imply that you have consent to use that email for marketing purposes. This also extends to relying on your terms of service to cover your use of an EU citizen’s personal data — that practice isn’t considered unbundled or an instance of freely given consent.
On the surface, this may seem straightforward — but in reality, where you do and don’t have a lawful basis to send an email can get tricky. Article 6 of the GDPR outlines the provisions for lawful basis, and it includes “legitimate interests” as one of those bases:
“Processing shall be lawful only if and to the extent that at least one of the following applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”
Legitimate interest is the most ambiguous – and therefore the most flexible – basis for processing data. It states that if there is a reason for you to process the data that supports the data subject’s interests or your own commercial interests, then you’re good to go as long as you can demonstrate that the processing is necessary – meaning you can’t get the same result in a less intrusive way – and that it does not infringe on an individual’s interests and can be assumed to be reasonably expected.
The specific boundaries for what constitutes legitimate interest will no doubt be established through precedents set after GDPR goes into effect. For now, though, our recommendation is to consider communications relevant to the explicit intent to complete a transaction with your business as GDPR-compliant under the basis of legitimate interest.
More simply put, sending an abandoned cart email does not require explicit opt-in to receive marketing. Neither does an order confirmation email, since that can be considered communication that is both in the legitimate interest of the recipient and critical to fulfilling the “contract” made when someone completes a transaction. But you need to be able to defend the notion of legitimate interest in order to use it as a lawful basis — and if you’ve sent someone 100 emails about that item they added to their cart 30 days ago, you can be sure that your abandoned cart series is indefensible. We strongly recommend you stick with an abandoned cart series of no more than 3 emails to maximize revenue per recipient without seeing a sharp decline in response.
But as for other types of automated event-triggered emails — including things like win-back emails, replenishment campaigns, upsell prompts, product review requests, and browse abandonment flows — we strongly recommend that you only send to EU citizens that have granted explicit permission.
How Klaviyo will help with GDPR-compliant list-building
Klaviyo is making several changes in order to assist our users with GDPR compliance. They include:
- Supporting mandatory checkboxes within forms
- Boilerplate opt-in language that is GDPR compliant available within Klaviyo pop-up forms
- A record of when consent is granted for all opt-ins, including the specific consent language
- The ability to export personal data for a subscriber to respond to a data portability request
- The ability to delete a profile to respond to a data deletion request
- Easy segmentation of existing EU subscribers for re-permissioning
In addition, we encourage Klaviyo customers to take advantage of our custom unsubscribe page feature to assist with enabling opt-outs in any situations where you’re collecting segmented or specialized opt-ins.
In the next post in our series around GDPR, we’ll cover how you can make your existing email list GDPR-compliant by re-permissioning existing subscribers.
Disclaimer: The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers — and all ecommerce merchants — to seek legal advice for counsel on how they specifically should prepare for GDPR.