Does your website use third-party services? Get GDPR compliant in minutes.
Try FlowConsent · Free plan · 10-min setup
Klaviyo is a US-based email and SMS marketing automation platform widely used by e-commerce businesses. It tracks on-site behaviour, segments audiences based on purchase history and browsing, and automates personalised email and SMS campaigns. For EU-facing e-commerce, Klaviyo presents significant GDPR obligations: valid opt-in consent is required for both marketing emails and on-site tracking cookies, all data is processed in the US, which requires Standard Contractual Clauses (SCCs), and the combination of behavioural tracking and marketing profiling warrants careful compliance documentation.
Klaviyo is a marketing automation platform focused on email and SMS, purpose-built for e-commerce businesses. It integrates deeply with Shopify, WooCommerce, Magento, and other e-commerce platforms to access purchase data, browse abandonment, cart abandonment, and product interaction history. Klaviyo uses this data to build detailed audience segments and trigger automated, personalised email and SMS flows. It is one of the most popular e-commerce marketing platforms, particularly among direct-to-consumer (DTC) brands.
GDPR requires freely given, specific, informed, and unambiguous consent for email and SMS marketing. For Klaviyo specifically: use a clear opt-in checkbox (not pre-ticked) at checkout or on signup forms, implement double opt-in to verify consent, record the consent timestamp and source, never import purchased or rented lists, and send a confirmation email that allows the subscriber to withdraw consent. SMS marketing requires a separate opt-in from email marketing.
The Klaviyo JavaScript tag sets first-party cookies and tracks on-site visitor behaviour (page views, product views, cart additions) even before a visitor has identified themselves. This tracking requires consent under the ePrivacy Directive. Block the Klaviyo tag via your CMP until analytics consent is obtained. Without consent, Klaviyo should not be tracking anonymous visitor behaviour.
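The blocking step above, as an added example (not Klaviyo's or FlowConsent's code): a small consent gate that injects the Klaviyo tag only once analytics consent exists, and expires the Klaviyo cookies listed on this page when consent is absent or withdrawn. It assumes the CMP dispatches a `consentchange` event on `window` whose `detail` carries `{ analytics: true|false }`, that the public loader lives at the `static.klaviyo.com` path shown, and uses a placeholder company id; all of those are assumptions, not values from the page.

```javascript
// Added example, not Klaviyo's or FlowConsent's code: keep the Klaviyo on-site
// tag off the page until analytics consent is granted.
// Assumptions: the CMP fires a window 'consentchange' CustomEvent with
// detail like { analytics: true|false }; the loader path below is the
// public onsite script; KLAVIYO_COMPANY_ID is a placeholder.
// Cookie names come from the cookie table on this page.

const KLAVIYO_COMPANY_ID = "YOUR_PUBLIC_KEY"; // placeholder, not a real key
const KLAVIYO_COOKIES = ["__kla_id", "_kl_"];

// Only analytics consent unlocks the tag; marketing consent alone does not.
function shouldLoadKlaviyo(consent) {
  return Boolean(consent && consent.analytics === true);
}

function klaviyoScriptUrl(companyId) {
  return "https://static.klaviyo.com/onsite/js/klaviyo.js?company_id=" +
    encodeURIComponent(companyId);
}

// Cookie strings that expire the Klaviyo identifiers. One host-only string
// per cookie, plus one per domain in `domains` (add the parent domain here
// if the tag sets its cookies on e.g. ".example.com").
function klaviyoCookieExpiryStrings(domains) {
  const out = [];
  for (const name of KLAVIYO_COOKIES) {
    out.push(`${name}=; Max-Age=0; Path=/`);
    for (const d of domains) out.push(`${name}=; Max-Age=0; Path=/; Domain=${d}`);
  }
  return out;
}

// Builds an idempotent gate bound to a document (real, or a fake in tests).
function createKlaviyoGate(doc, companyId) {
  let loaded = false;
  const domains = doc.location && doc.location.hostname ? [doc.location.hostname] : [];
  return {
    // Returns "loaded", "blocked" or "withdrawn" so the decision can be logged.
    apply(consent) {
      if (shouldLoadKlaviyo(consent)) {
        if (!loaded) {
          const s = doc.createElement("script");
          s.async = true;
          s.src = klaviyoScriptUrl(companyId);
          doc.head.appendChild(s);
          loaded = true;
        }
        return "loaded";
      }
      // No consent: expire the identifiers. A tag that already ran cannot be
      // unloaded from this page; the next page load stays blocked because
      // consent is absent, and the cookies are gone.
      for (const c of klaviyoCookieExpiryStrings(domains)) doc.cookie = c;
      return loaded ? "withdrawn" : "blocked";
    },
    isLoaded() { return loaded; },
  };
}

// Browser wiring; skipped outside a page (for example under Node).
if (typeof window !== "undefined" && typeof document !== "undefined") {
  const gate = createKlaviyoGate(document, KLAVIYO_COMPANY_ID);
  window.addEventListener("consentchange", (ev) => gate.apply(ev.detail));
}
```

The gate deliberately reads only the `analytics` flag, so a CMP that reports marketing consent without analytics consent still leaves the tag blocked; verify the mapping matches the purpose category your cookie notice assigns to Klaviyo.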
All Klaviyo data is processed in the US. Sign the Klaviyo Data Processing Agreement (available from Klaviyo's privacy settings), which includes SCCs. Disclose the US transfer in your privacy policy. Load EU subscriber data into your Klaviyo account only after the DPA is signed.
Compliance checklist for Klaviyo:

- Sign the DPA and SCCs.
- Implement double opt-in for all EU subscribers.
- Record consent with timestamp and source.
- Block the Klaviyo tracking tag until cookie consent is given.
- Configure unsubscribe flows that also delete contact data upon request.
- Add Klaviyo to your privacy policy and cookie notice.
- Never import contacts without documented consent.
- Implement a process for data subject erasure requests via the Klaviyo Profile deletion API.
Websites using Klaviyo must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is recommended for large-scale e-commerce Klaviyo deployments that combine on-site behavioural tracking, purchase history profiling, and automated personalised marketing. Such detailed individual profiling for marketing purposes constitutes high-risk processing.
Sample consent text
I agree to receive personalised email and SMS marketing from [Brand]. I understand my purchase history and browsing behaviour may be used to personalise communications. I can unsubscribe at any time. See our privacy policy for full details.
Third-party domains contacted
- klaviyo.com
- a.klaviyo.com
- static.klaviyo.com

Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| __kla_id | persistent | 2 years | Klaviyo visitor identifier linking on-site behaviour to email subscriber profiles for personalised marketing |
| _kl_ | session | Session | Klaviyo session identifier grouping visitor interactions within a single browsing session |
Klaviyo places tracking cookies for advertising — comply with GDPR using FlowConsent.
Yes. Klaviyo email marketing to EU contacts requires valid consent: freely given, specific, informed, unambiguous, and documented. Use unchecked opt-in boxes, implement double opt-in, and record the timestamp and source of each consent.
Yes. Klaviyo sets first-party tracking cookies monitoring on-site behaviour. These require opt-in consent under the ePrivacy Directive. Block the Klaviyo tag in your CMP until analytics consent is given.
Yes. SMS marketing requires separate explicit consent from email. Collect SMS consent via a dedicated opt-in field and record it separately in Klaviyo.
Yes. All Klaviyo data is processed in the US. SCCs are required. Sign the Klaviyo DPA in Account Settings.
Go to Lists and Segments, select your list, click Settings, enable double opt-in. Klaviyo sends a confirmation email subscribers must click to verify.
Only if those contacts provided valid marketing consent. Contacts who provided email for transactional purposes only have not consented to marketing.
Delete the profile via the Klaviyo API. Document the deletion and respond to the data subject within 30 days.
Brevo (France), ActiveCampaign (EU data centre option), and Mailjet (France) offer EU data residency. Brevo is the most established Klaviyo alternative for e-commerce.