Preparing for GDPR: Re-permissioning


In addition to making sure you’re compliant with GDPR in how you collect consent from EU citizens moving forward, you’ll also need to consider if you need to re-permission your existing EU subscribers – and if so, how.

Unless your permission-gathering practices have been in compliance with the requirements set forth by GDPR all along, you’ll need to ask for consent from your EU subscribers in order to continue storing and marketing with their personal data after May 25, 2018. It’s critical that you obtain that permission before the deadline, because after May 25th not only will it be a violation to email EU subscribers who haven’t granted their consent, you’ll also be prohibited from storing their contact details, or any information that might identify them as EU citizens to begin with, like IP address or billing country. In other words, simply segmenting out your EU citizens into their own suppression list isn’t enough.

To get your EU citizens to grant their consent for you to use their personal data, approach re-permissioning like the marketing campaign it is. That means you should focus on:

  • Targeting as precisely as possible
  • Planning for multiple touchpoints with clear calls-to-action
  • Making sure you communicate the value of re-permissioning to the recipient

Precise targeting

Klaviyo users should start by creating a segment of any subscribers who have opted in to marketing materials and are located in an EU country. These are the subscribers that probably require re-permissioning, as discussed above.

Any EU citizens who have not opted in to marketing materials should be pulled into a separate segment and deleted, unless you have some other lawful basis for continuing to retain their personal data (other lawful bases are rare in the digital marketing world).

Planning for multiple touchpoints

You’ll want to give your EU subscribers a couple of chances to see your messaging around re-granting consent. There are two main touchpoints you should consider: dynamic content inserted into promotions and/or newsletters you’re currently sending, and dedicated notices explaining the value of re-permissioning. Plan on including dynamic content prompts in all of your promotions right away. Our Guide to GDPR Repermissioning has details on how to set this up in Klaviyo. For dedicated messages, you should plan on a series of 2-3, with the last notice clearly marked as a final notice and sent by May 23, 2018.

Messaging around requesting consent

When it comes to the specific language you use to ask your EU subscribers to grant you permission to use their personal data, you’ll need to make sure you’re using language that both communicates the value of granting consent, and is in compliance with GDPR.

Here’s an example of a message you might use in your dynamic content prompts:

Under the General Data Protection Regulation (GDPR), you’ll need to grant [YOUR BUSINESS NAME] permission to use your personal data to keep receiving promotions like this. Please see here for additional details and to grant permission.

For a dedicated message, you can add more context around how you’ll use the personal data. For example, you might explain,

(YOUR BUSINESS NAME) uses data like your email address, general location, purchase history, and website browsing behavior in order to send you the most relevant promotional offers and marketing materials. For instance, if we see that you’ve added an item to your shopping cart but have not completed a purchase, we’ll trigger an email to you reminding you about that item. Or, if we see you’ve purchased certain products from us in the past, we might use that information to let you know about special offers on related products.

The General Data Protection Regulation (GDPR) requires us to ask you for specific permission to continue to use your email address, purchase history, and website activity to continue to send you these types of marketing materials. You’ll be able to revoke your permission at any point by managing your preferences. If you choose not to grant permission, you’ll no longer receive any marketing materials from us after May 25, 2018.

For more information and to grant permission, please visit: (LINK TO PREF CENTER).

And for the opt-in itself, Klaviyo users should use an opt-in checkbox with language similar to:

By checking this box, you consent to receive promotional emails related to your purchase history, website browsing activity, and/or engagement with marketing materials.

For step-by-step instructions on running this campaign in Klaviyo, check out our Guide to GDPR Repermissioning.

Deleting non-consent contacts

And finally, you should plan on creating a segment for any EU contacts you don’t have consent from on May 25, 2018 and deleting them from your Klaviyo account. While it may seem painful to delete subscribers that have previously granted you permission to receive marketing materials, it will be far less painful than leaving yourself vulnerable to the steep fines outlined in the GDPR. Violation of consent is considered an offense subject to “upper level” fines, which are set at 20 million Euro or 4% of worldwide revenue from the previous financial year – whichever is greater.

For additional best practices and examples for running GDPR-compliant re-permissioning campaigns, check out the Litmus article GDPR Re-permission Campaigns: 6 Tips for Making Them a Success and eConsultancy’s GDPR: 10 examples of best practice UX for obtaining marketing consent.

Closing thoughts

If you’re concerned about GDPR and its implications for your business when it comes to the requirements set forth for getting consent around personal data from EU citizens, you’re not alone. There’s no sugarcoating the fact that GDPR is a game-changer. But the law is fundamentally reflecting a reality that every ecommerce merchant needs to embrace in order to build a successful, sustainable business: the consumer is the one in control of your marketing. As a merchant, your responsibility is to always communicate clearly, with impact, and in a manner that’s relevant to your customers. Ultimately, GDPR is just one more reason to make sure you’re doing just that.

Disclaimer: The information provided here is intended to be educational and should not be construed as legal advice. Klaviyo encourages all of our customers, and all ecommerce merchants, to seek legal counsel on how they specifically should prepare for GDPR.


1 comment

  • Good advice. Just one question… How do we go about being compliant still after the 25th May when Klaviyo automatically imports customers and their data from our store (Bigcommerce)?
