GDPR and Email Marketing: The Complete Compliance Guide for E-Commerce
GDPR has been in effect since May 2018. Seven years later, most e-commerce brands still don’t fully understand what it requires for email marketing. Some over-comply and cripple their list growth. Others under-comply and risk fines of up to 20 million euros or 4% of global annual revenue — whichever is higher.
Neither extreme is where you want to be.
The practical reality: GDPR isn’t going to shut down your email program. It requires you to be transparent, respectful, and organized about how you collect and use customer data. Brands that comply properly actually see higher engagement rates because their lists are built on genuine consent — not tricked or coerced subscribers.
This guide covers everything an e-commerce brand needs to know about GDPR-compliant email marketing, with specific Klaviyo implementation steps.
Key Takeaways
- GDPR applies to you if you market to anyone in the EU/EEA, regardless of where your business is based
- You need a lawful basis for every marketing email — consent (opt-in) or legitimate interest are the two practical options for e-commerce
- Pre-checked opt-in boxes are illegal under GDPR. Consent must be freely given, specific, informed, and unambiguous
- Every email must include an easy unsubscribe mechanism — one click, no login required
- You must be able to demonstrate consent (records of when, how, and what someone consented to)
- Data subject access requests (DSARs) must be fulfilled within 30 days — Klaviyo makes this relatively straightforward
- GDPR-compliant lists have 15-25% higher engagement rates than non-compliant lists built on loose consent
Does GDPR Apply to Your Brand?
Short answer: probably yes.
GDPR applies if:
- Your business is established in the EU/EEA. Obvious.
- You offer goods or services to people in the EU/EEA. If you ship to EU countries, accept euros, or have your website in EU languages, this applies to you — even if your business is in the US, Canada, or Australia.
- You monitor the behavior of people in the EU/EEA. If you use tracking pixels, cookies, or behavioral targeting on EU visitors, GDPR applies.
The critical point: GDPR is about the location of the person, not the location of the business. A Shopify store based in Texas that ships to Germany must comply with GDPR for its German customers.
What about US-only stores? If you genuinely don’t market to or collect data from EU residents, GDPR doesn’t technically apply. But many US states are implementing similar privacy laws (California’s CCPA/CPRA, Virginia’s VCDPA, Colorado’s CPA, etc.), and best practices for GDPR compliance largely overlap. Complying with GDPR essentially makes you compliant with most global privacy frameworks.
The Six Lawful Bases for Processing Data
GDPR requires a “lawful basis” for processing personal data. There are six options; for e-commerce email, only two are practically relevant to marketing messages (transactional emails such as order confirmations rest on a third basis, contract performance, as the table below shows):
1. Consent
The gold standard for marketing emails. The person explicitly agrees to receive marketing communications from you.
Requirements for valid consent:
- Freely given: No coercion. “Subscribe to checkout” is not free consent.
- Specific: They know what they’re consenting to. “Receive marketing emails about our products and promotions” is specific. “Receive communications” is too vague.
- Informed: They know who they’re giving consent to (your brand name) and what you’ll do with their data.
- Unambiguous: A clear affirmative action. Typing an email address and clicking “Subscribe” qualifies. A pre-checked box does NOT.
2. Legitimate Interest
You can process data without explicit consent if you have a “legitimate interest” that doesn’t override the person’s rights. For e-commerce, this can cover:
- Transactional emails: Order confirmations, shipping updates, delivery notifications. These don’t require marketing consent.
- Post-purchase marketing to existing customers: Some EU countries allow marketing to existing customers for similar products without explicit consent, under the “soft opt-in” principle. This must include an easy opt-out.
Important: Legitimate interest is NOT a blanket permission to email anyone who’s ever visited your site. It requires a balancing test and documentation. When in doubt, use consent.
Which Basis to Use for What
| Email Type | Lawful Basis | Consent Required? |
|---|---|---|
| Order confirmation | Contract performance | No |
| Shipping updates | Contract performance | No |
| Review request (for purchased product) | Legitimate interest | No (but provide opt-out) |
| Marketing campaigns | Consent | Yes |
| Welcome series (promotional) | Consent | Yes |
| Abandoned cart emails | Legitimate interest* | Depends on jurisdiction |
| Browse abandonment emails | Consent | Yes |
| Win-back campaigns | Consent** | Yes |
*Abandoned cart emails occupy a gray area. The customer started a transaction (legitimate interest argument), but the email is promotional in nature. Best practice: require consent.
**Win-back emails to lapsed subscribers are technically sent based on original consent, but if someone hasn’t engaged in 12+ months, the consent may be considered “stale.” Best practice: include a clear re-consent mechanism.
Setting Up GDPR-Compliant Signup Forms in Klaviyo
Explicit Consent Language
Your signup form must clearly communicate what the person is signing up for. In Klaviyo Forms, include consent text below or near the email field.
Good consent language:
“By entering your email, you agree to receive marketing emails from [Brand Name]. You can unsubscribe at any time.”
Better consent language:
“By subscribing, you agree to receive promotional emails from [Brand Name] including product updates, offers, and company news. We’ll email you 2-4 times per week. Unsubscribe anytime with one click.”
What NOT to do:
- Pre-checked checkboxes for marketing consent
- Bundling marketing consent with terms of service acceptance
- Hiding the marketing consent in fine print
- “By using this website you agree to receive emails” — this is not valid consent
Checkbox vs. No Checkbox
There’s a common misconception that GDPR always requires an unchecked checkbox. It doesn’t — but the rules vary:
- Popup/signup forms: If the sole purpose of the form is to subscribe to marketing emails, the act of entering an email and clicking “Subscribe” IS the consent action. A separate checkbox is helpful but not strictly required, as long as the purpose is clearly communicated.
- Checkout forms: If you want to add marketing consent during checkout, you MUST use a separate, unchecked checkbox. Consent must be separate from the purchase transaction.
- Account creation forms: Same as checkout — separate, unchecked checkbox for marketing.
In Klaviyo, use the checkbox form element for checkout and account creation integrations. For dedicated signup popups, clear consent language above or below the submit button is sufficient.
Double Opt-In (DOI)
GDPR doesn’t explicitly require double opt-in, but it’s strongly recommended — and it’s legally required in some European countries (Germany, Austria, Switzerland, Luxembourg, Norway).
Double opt-in means: after someone submits their email, they receive a confirmation email and must click a link to verify their subscription.
To enable DOI in Klaviyo:
- Go to Lists & Segments > [Your List] > Settings
- Enable “Double Opt-In”
- Customize the confirmation email with your branding
- The confirmation email subject should be clear: “Confirm your subscription to [Brand Name]”
DOI impact on list growth: Expect a 15-25% drop in final subscriber count compared to single opt-in. However, DOI lists have:
- 30-40% higher open rates
- 50% fewer spam complaints
- Near-zero invalid emails
- Bulletproof consent records for GDPR compliance
For brands targeting EU customers, the trade-off is worth it.
Managing Data Subject Rights
GDPR grants individuals specific rights over their personal data. You must have processes to handle these.
Right of Access (DSAR)
A customer can request all personal data you hold about them. You must respond within 30 days.
How to handle in Klaviyo:
- Go to Profiles > search for the person
- Export their profile data (Klaviyo provides a “Download Profile Data” option)
- This includes: profile properties, consent records, event history, segment memberships, and flow history
- Send this data to the requester in a machine-readable format (CSV or JSON)
Right to Erasure (Right to Be Forgotten)
A customer can request deletion of all their personal data.
How to handle in Klaviyo:
- Search for the profile in Klaviyo
- Use the “Suppress” function first (prevents future emails)
- Then use “Delete Profile” to remove all data
- Note: Klaviyo retains some anonymized event data for analytics, but personal identifiers are removed
- Also check: Shopify, your CRM, analytics tools, and any other systems that hold this person’s data
Important: You don’t have to delete data that you’re legally required to retain (tax records, order history for accounting). But you must delete marketing data and stop all marketing communications.
Right to Withdraw Consent
A person can withdraw marketing consent at any time. This is your unsubscribe mechanism.
Requirements:
- Unsubscribe must be available in every marketing email
- It must work with one click — no login, no survey, no confirmation page required
- Consent withdrawal must be processed immediately (within a few hours at most)
- You cannot make unsubscribing harder than subscribing
Klaviyo handles this automatically with its built-in unsubscribe link. Do NOT remove or hide this link. Do NOT replace it with a “manage preferences” link that requires multiple clicks to fully unsubscribe. You can offer preference management as an alternative, but the one-click full unsubscribe must always be available.
Right to Data Portability
A customer can request their data in a portable format to transfer to another service. Klaviyo’s profile export function (CSV/JSON) satisfies this requirement.
Consent Record Keeping
GDPR requires you to demonstrate that consent was obtained. You need records of:
- Who gave consent (email address, profile ID)
- When consent was given (timestamp)
- How consent was given (which form, which page, which version of consent text)
- What they consented to (specific consent language at the time)
Klaviyo automatically stores consent records including:
- Consent timestamp
- Consent method (form, import, API)
- Source of consent (which specific form or integration)
- Single opt-in vs. double opt-in confirmation
You can view consent history on any profile under the “Consent” tab. This is your audit trail if a regulator ever asks.
Best practice: Keep a changelog of your signup form consent language. If you change the wording, note the date and the old vs. new text. This documents what each cohort of subscribers consented to.
Segmentation and GDPR
GDPR doesn’t prohibit segmentation or personalization — it requires transparency about it.
What You Can Do
- Segment by purchase history, browsing behavior, email engagement, demographics, and preferences
- Use Klaviyo’s predictive analytics (predicted LTV, churn risk, etc.) for segmentation
- Personalize email content based on profile data
What You Must Disclose
- Your privacy policy must explain that you use personal data for personalization
- If you use automated decision-making that significantly affects people (like dynamic pricing based on profiles), you must disclose this and allow people to opt out
- Standard email personalization (name, product recommendations) doesn’t trigger the automated decision-making rules
Profiling Considerations
- Behavioral profiling (tracking site behavior for targeting) requires disclosure in your privacy policy
- Using Klaviyo’s AI features (predictive analytics, smart send time) for email optimization is generally fine under legitimate interest, but disclose it
- Do NOT use sensitive categories (health conditions, religion, political views) for segmentation unless you have explicit consent for that specific purpose
International Considerations
GDPR isn’t the only email privacy law. Here’s a quick comparison:
| Requirement | GDPR (EU) | CAN-SPAM (US) | CASL (Canada) | CCPA/CPRA (California) |
|---|---|---|---|---|
| Consent type | Opt-in required | Opt-out allowed | Opt-in required | Opt-out for sale of data |
| Pre-checked boxes | Illegal | Legal (but poor practice) | Illegal | N/A |
| Unsubscribe timeline | Immediate | 10 business days | 10 business days | 15 business days |
| Fines | Up to 4% of revenue or EUR 20M | $51,744 per violation | $10M CAD per violation | $7,500 per intentional violation |
| Applies to | EU/EEA residents | US recipients | Canadian recipients | CA residents |
Practical approach: Comply with GDPR globally. It’s the strictest standard, and meeting it automatically satisfies most other frameworks. Maintain opt-in consent for all marketing subscribers, provide easy one-click unsubscribe, and keep consent records.
Practical GDPR Checklist for E-Commerce Email
Use this checklist to audit your current setup:
Signup Forms
- All forms clearly state the purpose of data collection
- No pre-checked marketing consent boxes at checkout
- Double opt-in enabled for EU subscribers (or globally)
- Privacy policy linked from every form
- Consent language specifies email frequency and content type
Email Content
- Every marketing email includes a one-click unsubscribe link
- Physical mailing address included in footer (also required by CAN-SPAM)
- Sender name and email clearly identify your brand
- No deceptive subject lines
Data Management
- Process documented for handling data access requests
- Process documented for handling deletion requests
- Consent records stored and accessible in Klaviyo
- List cleaning procedures to remove stale consents (12+ months no engagement)
- Data processing agreement (DPA) in place with Klaviyo (they provide this)
Privacy Policy
- Explains what data you collect and why
- Lists all third-party processors (Klaviyo, Shopify, analytics tools)
- Describes how to exercise data rights (access, deletion, portability)
- Updated within the last 12 months
- Accessible from every page of your website
Technical
- Klaviyo sending domain properly authenticated (SPF, DKIM, DMARC)
- Cookie consent banner for tracking cookies (EU requirement)
- Klaviyo tracking snippet only fires after cookie consent for EU visitors
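The last checklist item, gating the tracking snippet on cookie consent, as an added example (not Klaviyo’s own snippet or loader): the script URL is an assumption with a placeholder company id, the `cookie_consent` cookie name and its comma-separated value are a constructed convention, and the `consent-updated` event is a hypothetical hook a consent banner would fire. The loader is injected so the gate can be exercised outside a browser.

```javascript
// Added example, not Klaviyo's code: gate the onsite tracking script and
// client-side events behind the visitor's cookie-consent decision. Nothing
// loads and nothing is sent until marketing consent exists; events that
// arrive earlier are dropped, not buffered for later replay.

// Hypothetical script URL with a placeholder company id (assumption).
const TRACKING_SCRIPT_URL =
  "https://static.klaviyo.com/onsite/js/klaviyo.js?company_id=COMPANY_ID_PLACEHOLDER";

// Parse a banner-written cookie such as "cookie_consent=necessary,marketing".
// The cookie name and value format are a constructed convention, not a standard.
function readConsentCookie(cookieString, name = "cookie_consent") {
  for (const part of (cookieString || "").split(";")) {
    const [key, ...rest] = part.trim().split("=");
    if (key === name) {
      return decodeURIComponent(rest.join("="))
        .split(",")
        .map((s) => s.trim())
        .filter(Boolean);
    }
  }
  return [];
}

function marketingConsentGranted(cookieString) {
  return readConsentCookie(cookieString).includes("marketing");
}

// `loadScript` is injected so the gate can be exercised outside a browser;
// in a page it appends a <script> tag. `requiresConsent` is true for EU
// visitors (or everywhere, if you apply the rule globally).
function createTrackingGate({ loadScript, requiresConsent = true }) {
  const state = { consent: requiresConsent ? null : true, loaded: false, dropped: 0 };

  function loadIfAllowed() {
    if (state.consent === true && !state.loaded) {
      loadScript(TRACKING_SCRIPT_URL);
      state.loaded = true; // load at most once
    }
  }
  loadIfAllowed();

  return {
    grant() { state.consent = true; loadIfAllowed(); },
    // A script that already ran cannot be un-run, which is why the load waits
    // for the decision; after a refusal the gate at least stops all events.
    refuse() { state.consent = false; },
    track(eventName, payload, send) {
      if (state.consent !== true) { state.dropped += 1; return false; }
      send(eventName, payload);
      return true;
    },
    snapshot() { return { ...state }; },
  };
}

// Wire-up for a real page: read the banner's cookie, then listen for a
// hypothetical "consent-updated" event fired when the visitor decides.
function bootstrapInBrowser(doc, win, requiresConsent) {
  const gate = createTrackingGate({
    requiresConsent,
    loadScript: (url) => {
      const el = doc.createElement("script");
      el.async = true;
      el.src = url;
      doc.head.appendChild(el);
    },
  });
  if (marketingConsentGranted(doc.cookie)) gate.grant();
  win.addEventListener("consent-updated", () => {
    if (marketingConsentGranted(doc.cookie)) gate.grant(); else gate.refuse();
  });
  return gate;
}

if (typeof document !== "undefined" && typeof window !== "undefined") {
  bootstrapInBrowser(document, window, /* requiresConsent */ true);
}
```

Two design choices matter here. Events seen before consent are counted and discarded rather than queued, because holding them for later replay is still collection without a basis. And the script is loaded lazily on `grant()` rather than loaded early and "disabled", because once a third-party script has executed you cannot take back whatever it already did.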
The Bottom Line
GDPR compliance isn’t a burden — it’s a competitive advantage. Brands that collect explicit consent, respect subscriber preferences, and maintain clean lists consistently outperform those that play fast and loose with data practices.
The investment is primarily upfront: audit your forms, update your privacy policy, enable double opt-in for EU subscribers, and document your processes. After that, maintaining compliance is built into your normal workflow.
The alternative — non-compliance — risks fines, deliverability damage, and brand reputation harm that far outweigh the effort of getting it right.