Klaviyo & Email, May 29, 2025

Consent Management in Klaviyo

GDPR, CAN-SPAM, TCPA — the compliance alphabet soup is confusing. Here's how to manage consent properly in Klaviyo so you stay legal and keep your deliverability clean.

Mark Cijo

Founder, GOSH Digital

Nobody starts an eCommerce brand because they're passionate about consent management. But here's the thing — one compliance mistake can cost you your entire email channel. Not metaphorically. Literally.

I've seen a brand get their Klaviyo account suspended because they imported a purchased list and sent a campaign. I've seen another brand get slapped with a five-figure fine because they were texting people without proper SMS consent. And I've watched brands slowly destroy their email deliverability by ignoring unsubscribe requests and consent tracking.

Consent management isn't exciting. But it's the legal and technical foundation that everything else in your email program sits on. Get it wrong and none of your flows, campaigns, or segmentation matters because your emails aren't reaching inboxes anyway.

Let me break down the three consent frameworks you need to know, how Klaviyo handles each one, and the specific setup steps that keep you compliant.

The Three Laws You Need to Know

CAN-SPAM (United States)

CAN-SPAM is the most lenient major email law. It uses an opt-out model, meaning you can email people who haven't explicitly opted in, as long as you give them a way to opt out.

Requirements:

  • Every email must have a visible unsubscribe link
  • Unsubscribe requests must be honored within 10 business days
  • Your physical mailing address must be in every email
  • Subject lines can't be deceptive
  • The email must clearly identify itself as an advertisement (if it is one)

Penalties: currently more than $50,000 per violation (the FTC adjusts the cap for inflation each year). Yes, per email.

GDPR (European Union and UK)

GDPR is far stricter. It uses an opt-in model: you cannot send marketing email to someone unless they have consented to it. Consent under GDPR must be freely given, specific, informed and unambiguous, shown by a clear affirmative action such as ticking an unticked box, clicking a confirmation link, or submitting a form whose copy plainly says it signs them up for marketing. Silence or inactivity never counts as consent.

Requirements:

  • Active, informed consent before any marketing emails
  • Consent must be specific (can't bundle "agree to terms" with "agree to marketing")
  • Right to access (customers can request all data you have on them)
  • Right to erasure (customers can request you delete their data)
  • Right to withdraw consent at any time
  • Records of consent must be maintained

Penalties: Up to 20 million euros or 4% of global annual revenue, whichever is higher.

TCPA (United States — SMS)

TCPA governs text message marketing in the US, and it is extremely strict: marketing texts require the recipient's prior express written consent before the first message is sent.

Requirements:

  • Written consent (electronic signatures and checkboxes count under the E-SIGN Act) before any marketing SMS
  • The consent language must clearly disclose that the subscriber is agreeing to receive automated marketing texts at the number they provide
  • The consent language must state that consent is not a condition of purchase
  • Message frequency and "Msg & data rates may apply" disclosures (these come from carrier and CTIA messaging rules rather than the statute itself, but carriers enforce them)
  • Every SMS must include an opt-out mechanism (reply STOP), and STOP must be honored

Penalties: $500 per unsolicited text, trebled to $1,500 per text for willful or knowing violations. Class action lawsuits are common. This is not hypothetical: brands get sued for TCPA violations regularly.

How Consent Works in Klaviyo

Klaviyo tracks consent at the profile level across multiple channels. Here's how the system works:

Email Consent States:

  • Subscribed: Explicitly opted in to marketing emails. You can send campaigns and marketing flows.
  • Non-subscribed: Has a profile in Klaviyo (maybe from a purchase) but hasn't opted in to marketing. You can send transactional emails only.
  • Unsubscribed: Was subscribed but opted out. Cannot receive marketing emails. Can still receive transactional emails if configured correctly.
  • Suppressed: Hard bounced, spam complained, or manually suppressed. Cannot receive any email.

SMS Consent States:

  • Subscribed: Explicitly opted in to SMS marketing with proper written consent.
  • Non-subscribed: Has a phone number on file but hasn't consented to SMS marketing.
  • Unsubscribed: Was subscribed but opted out (replied STOP).

The critical point: email consent and SMS consent are separate. Someone can be subscribed to email but not SMS, and vice versa. Never assume that email consent covers SMS. It doesn't, and treating it as if it does is a TCPA violation.

Setting Up Email Consent Properly

Step 1: Configure your signup forms.

Every Klaviyo signup form (popups, embedded forms, landing pages) should have clear language about what the subscriber is signing up for. "Get 15% off + weekly emails about new products and sales" is good. "Subscribe" with no context is legally risky under GDPR.

For EU/UK audiences, add an unchecked consent checkbox that the subscriber must actively check. Klaviyo's form builder supports this. The checkbox language should be: "I agree to receive marketing emails from [Brand Name]. I can unsubscribe at any time."

Pre-checked boxes don't count as consent under GDPR. The subscriber must take an affirmative action.

Step 2: Implement double opt-in for GDPR markets.

Double opt-in means the subscriber enters their email, then receives a confirmation email that they must click to activate their subscription. This creates an indisputable record of consent.

In Klaviyo, go to your list settings and enable double opt-in. You can enable it for specific lists (your GDPR-compliant list) and disable it for others (your US list) if you want different flows for different markets.

Double opt-in reduces signup volume by 20-30% but dramatically improves list quality. Every subscriber is a real, confirmed email address that actively wanted to receive your emails.

Step 3: Track consent source.

Klaviyo automatically tracks where each subscriber consented: which form, which list, what timestamp. This is your proof of consent if anyone asks. Don't delete this data.

For added protection, we recommend adding a hidden field to your signup forms that records the consent language version. If you update your signup form copy, you want to know which subscribers consented to which version. Make that version a stable identifier tied to the exact wording (a hash of the text works better than a hand-typed label like "v2"), and keep an archive of every wording with the dates it was live: the field is only proof if you can produce the text it refers to.

Setting Up SMS Consent Properly

SMS consent is more regulated than email. Here's the correct setup:

Step 1: Use Klaviyo's SMS-specific signup forms.

Klaviyo's SMS signup unit includes the disclosure language the rules above call for. Don't modify or remove it. It includes:

  • Consent to receive recurring automated marketing text messages
  • A statement that consent is not a condition of purchase
  • Message frequency disclosure
  • "Msg & data rates may apply" disclosure
  • Instructions for how to opt out (reply STOP) and get help (reply HELP)
  • Link to your privacy policy and terms

Step 2: Separate SMS consent from email consent.

Never auto-subscribe someone to SMS because they signed up for email. These are legally distinct consent types. Your form can collect both, but the subscriber must actively consent to each one separately.

In practice, this means:

  • A popup that asks for email, then on a second step asks for phone number with SMS consent language
  • Or separate forms for email and SMS
  • Or a single form with distinct checkboxes for each channel

Step 3: Keep SMS confirmation messages.

When someone subscribes to SMS, Klaviyo sends an automatic confirmation text. Don't disable this. It serves as a record of the subscriber's consent and gives them an immediate opt-out mechanism.

Managing Consent for Shopify Customers

When someone makes a purchase on your Shopify store, their email and sometimes phone number flow into Klaviyo. But a purchase doesn't equal marketing consent.

The checkbox on Shopify checkout: Shopify's checkout includes an optional "Email me with news and offers" checkbox. If the customer checks it, that's email marketing consent. If they don't check it, they're a customer who consented to transactional emails (order updates) but not marketing.

In Klaviyo, these profiles appear as:

  • If they checked the box: Added to your Shopify newsletter list, consent status "subscribed"
  • If they didn't check the box: Profile exists with "non-subscribed" status

Do not move non-subscribed customers to your marketing list. That's a consent violation. You can send them transactional flow emails (order confirmation, shipping updates) but not campaigns or marketing flows.

You can, however, ask them to opt in. Put the invitation inside a message you are already allowed to send them, such as a line in the order confirmation: "Want to hear about new products and exclusive offers? Sign up here." Include a link to your signup form. This gives them a clean opt-in path. Don't make the invitation a standalone send: a separate "subscribe to our newsletter" email to a non-subscribed EU/UK profile is itself a marketing email.

GDPR-Specific Requirements

If you sell to EU or UK customers (and most eCommerce brands do, even if it's a small percentage of revenue), you need to handle GDPR compliance:

Right to Access: If a customer requests their data, you must provide it within one month (GDPR allows an extension for complex requests, but plan on one month). In Klaviyo, you can export a profile's complete data (events, properties, consent history) from the profile page.

Right to Erasure: If a customer requests deletion, you must delete their data without undue delay and within one month. In Klaviyo, use the data privacy deletion request rather than a plain profile delete, so that the profile's events and properties go with it. Delete their data from Shopify, your CRM, and any other system where it exists as well; if Shopify still holds the customer, the integration can sync the profile straight back into Klaviyo.

Consent Records: Maintain records of when, where, and how each subscriber consented. Klaviyo tracks this automatically for signups through Klaviyo forms. For other sources (imported lists, Shopify checkout), make sure you have documentation.

Data Processing Agreement: Klaviyo is a data processor under GDPR. You (as the brand) are the data controller, and you need a Data Processing Agreement (DPA) with Klaviyo. Klaviyo publishes a standard DPA; confirm it is in place for your account before you process EU/UK data, and keep a copy with your compliance records.

Consent Audit Checklist

Run this checklist quarterly:

  • Every signup form has clear consent language
  • GDPR markets use double opt-in
  • SMS forms include all required disclosure language
  • Email and SMS consent are collected separately
  • Shopify checkout non-subscribers are not receiving marketing
  • Unsubscribe links work in every email template
  • SMS STOP keyword works correctly
  • Profile consent records are intact and exportable
  • Data Processing Agreement with Klaviyo is signed and current
  • Physical mailing address appears in email footer
  • "This is an advertisement" or equivalent disclosure is present where required

What to Do If You've Been Non-Compliant

If you realize your consent management has been sloppy, don't panic. Here's the remediation path:

Step 1: Stop sending to questionable profiles. Create a segment of profiles where consent source is unknown or unclear. Stop all marketing to this segment immediately.

Step 2: Run a re-permission campaign. Send a one-time email to the questionable segment asking them to re-confirm their subscription: "We're updating our email preferences. Click here to keep receiving emails from us." Give it a fixed window, and when the window closes, suppress or unsubscribe everyone who did not click rather than just removing them from the list, so that a later import cannot quietly put them back on it. Don't count on reverting them to "non-subscribed"; suppression is the clean end state, and they remain reachable for transactional email.

Step 3: Fix your forms going forward. Update all signup forms with proper consent language. Enable double opt-in for GDPR markets. Separate SMS and email consent.

Step 4: Document everything. Create a consent management policy document. Include your form language, consent collection methods, and data retention practices.

Is this process painful? Yes. Is it better than a GDPR fine or a TCPA lawsuit? Infinitely.

Consent management isn't the fun part of email marketing. But it's the part that keeps your program alive, your deliverability healthy, and your business out of legal trouble. Set it up right once, audit it quarterly, and you'll never have to worry about it.


Want us to audit your Klaviyo compliance setup? Book a free strategy call and we'll make sure your consent management is bulletproof.

Written by Mark Cijo

Founder of GOSH Digital. Klaviyo Gold Partner. Helping eCommerce brands grow revenue through data-driven marketing.
