Rockaway Digital


Regulation & Best Practices.

GDPR stands for the General Data Protection Regulation. It’s a law enacted by the European Commission in 2016 that went into effect on May 25, 2018. It’s designed to protect the privacy of all EU citizens, including when those citizens engage with businesses located outside the European Union, by imposing regulations around personal data. 
GDPR requires separate consent for email marketing and Facebook marketing. Fortunately our Klaviyo email marketing partners provide GDPR compliant forms with multiple checkboxes, making it easy to acquire full consent directly from your website pop up. 
Under GDPR personal data refers to anything you might use to identify who someone is, as well as any information you might associate with them. Something like an email address definitely counts as personal data. So does website browsing behavior you can tie back to a profile; information on what they bought; how much they spent… you get the idea.

As an ecommerce merchant, you’re considered a “data controller” under GDPR. That means you’re the frontline when it comes to explicit consent from your EU prospects and customers for how you plan on using their personal data.

While there are several other “lawful bases” for gathering and using personal data, most relate to health care or public agencies, so in the field of digital marketing consent is typically the appropriate basis.
Article 4 of the GDPR defines it as,

“Any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

But there are technically two slightly different types of consent that the GDPR calls out: consent for personal data; and “explicit” consent for a separate class of data called sensitive data. Sensitive data includes any information on things like a person’s religion, race, health, or sexual orientation. You should not store data classified as “sensitive information” under the GDPR in Klaviyo, so our focus here will be on the general definition of consent for personal data.

There are five fundamental aspects to consent that are important to understand:
  • Freely given. In other words, you can’t mislead or force someone to let you use their information. They must be given a legitimate choice — and you can’t withhold a service or transaction on the basis of consent if that consent is not integral to the service or transaction.
  • Specific. The individual must be allowed to consent to the specific use(s) of their data that you intend. It is not enough to ask for broad consent to use their data.
  • Informed. Closely tied to the idea of specific consent, informed consent simply means that the individual must clearly understand how their data is going to be used, by whom, and for what purpose.
  • Unambiguous. And to go one step further, consent under GDPR must be obtained through clear language and indicated through affirmative action on the part of the data subject. You can’t bury the description of what they are consenting to in either a pile of words or a maze of hyperlinks.
  • Easy to withdraw. Though not called out in the definition of consent upfront, Article 7 of the GDPR goes on to specify that consent must be as easy to withdraw as it is to grant.
At first pass, it may not seem like these five pillars of consent will have a meaningful impact on your marketing practices. But the fact is, they’ll have a profound impact on how ecommerce merchants build their marketing databases in the future… because a good number of common list-building tactics are not GDPR compliant.