GDPR and Email Marketing: What Shopify Brands Selling to Europe Need to Know
If you sell to European customers, GDPR compliance isn't optional. Here's what it means for your Klaviyo setup, consent collection, and sending practices.

If your Shopify store sells to customers in the European Union, GDPR isn't optional. It's the law. And unlike many e-commerce regulations that operate in grey areas, GDPR enforcement is real — with fines that can reach €20 million or 4% of annual global revenue, whichever is higher.
But compliance doesn't have to kill your email marketing. Brands that handle GDPR properly often see better engagement rates, cleaner lists, and higher revenue per subscriber than those running non-compliant programs. The constraint forces better practices.
Here's what you need to know about GDPR as it relates to your Klaviyo setup, consent collection, and email sending practices.
The Core Principle: Consent Must Be Explicit
Under GDPR, you cannot email someone for marketing purposes unless they have given clear, affirmative consent to receive marketing communications from you specifically.
This means:
Pre-checked boxes are not consent. If your Shopify checkout has a newsletter opt-in box that's checked by default, that's not valid consent under GDPR. The box must be unchecked by default and the customer must actively check it.
Purchasing a product is not consent. In many jurisdictions, a completed purchase grants implied consent for transactional emails (order confirmation, shipping, delivery). It does not grant consent for marketing emails. A customer who bought from you has not agreed to receive campaigns, promotions, or newsletters unless they explicitly opted in.
Bundled consent is not consent. "By placing your order, you agree to receive marketing emails" buried in your terms of service doesn't count. Consent for marketing must be separate from consent for terms and conditions.
Consent must be freely given. Requiring someone to subscribe to your email list in order to complete a purchase or access a feature is not valid consent. The subscription must be voluntary.
How to Collect Compliant Consent on Shopify
At Checkout
Shopify's checkout has a built-in email marketing opt-in option. Make sure it's configured correctly:
The opt-in checkbox must be unchecked by default. Shopify allows you to configure this in Settings > Checkout. The language should be clear: "I agree to receive marketing emails from [Brand Name]" — not "Keep me updated" or "Stay in touch," which are vague.
Klaviyo syncs consent status from Shopify. When a customer checks the marketing opt-in at checkout, Klaviyo records them as having marketing consent. When they don't check it, they should be suppressed from marketing sends.
Via Popups and Forms
Klaviyo's signup forms (popups, flyouts, embedded forms) collect consent through the act of submission. But the form must clearly state what the subscriber is agreeing to.
Include language like: "By signing up, you agree to receive marketing emails from [Brand Name]. You can unsubscribe at any time." This should be visible near the submit button, not hidden in fine print.
If you offer an incentive (10% off, free guide), the incentive should not be conditional on marketing consent. The person should be able to receive the incentive without subscribing to marketing emails. In practice, most brands handle this by delivering the incentive via the confirmation page rather than exclusively via email.
Double Opt-In
GDPR doesn't technically require double opt-in (where subscribers confirm their email address by clicking a link in a confirmation email). Single opt-in is legally sufficient if you have clear records of consent.
However, double opt-in is strongly recommended for EU subscribers because it provides an additional layer of proof that the person who subscribed actually owns the email address. It also improves list quality by filtering out typos, fake emails, and bots.
Klaviyo supports double opt-in natively. You can enable it for specific forms or for all forms. For brands with significant EU traffic, enabling double opt-in for EU-based subscribers (using geo-targeting on forms) is a pragmatic approach that balances compliance with conversion rates.
Consent Records: What You Need to Store
GDPR requires that you can prove consent was given. This means storing:
- What the person consented to: The exact text they agreed to when they subscribed
- When they consented: The date and time of the opt-in
- How they consented: Which form, page, or checkout they used
- Who consented: The email address (and name if collected)
Klaviyo automatically logs consent records for subscribers who sign up through Klaviyo forms, including the form name, timestamp, and consent language. For Shopify checkout opt-ins, the consent is recorded in Shopify's customer record and synced to Klaviyo.
If you're importing a list from another platform, you need to have consent records for every subscriber on that list. Importing a purchased list, a scraped list, or a list where consent status is unknown is a GDPR violation — and also a fast track to deliverability problems.
The Right to Unsubscribe (and Beyond)
GDPR goes further than standard email compliance. Subscribers have the right to:
Unsubscribe from marketing. Every email must include a working unsubscribe link. Klaviyo handles this automatically. The unsubscribe must be honored immediately — not "within 10 business days."
Request data access. Any subscriber can ask what data you hold about them. You must provide it within 30 days. Klaviyo allows you to export a subscriber's full profile, including all events, properties, and consent history.
Request data deletion. A subscriber can ask you to delete all their personal data. This means removing them from Klaviyo entirely — not just unsubscribing them. Klaviyo supports profile deletion for this purpose.
Object to profiling. Subscribers can object to being profiled or segmented. This is rarely invoked in e-commerce email, but technically, a subscriber could request that you stop using their data for behavioral segmentation.
Have a process ready for each of these requests. Most will be rare, but when they come, you need to respond within 30 days.
Klaviyo Settings for GDPR Compliance
Klaviyo has specific GDPR features that should be enabled for any account sending to EU subscribers:
Enable GDPR consent settings. In Klaviyo's account settings, enable GDPR consent tracking. This ensures that consent status is tracked as a property on every subscriber profile.
Use consent-based sending. Create a segment that filters for subscribers with valid marketing consent. All marketing campaigns should target this segment as a baseline filter — never send marketing emails to subscribers without documented consent.
Configure suppression sync with Shopify. When a customer unsubscribes in Shopify, the suppression should sync to Klaviyo. When someone unsubscribes in Klaviyo, it should sync back to Shopify. Verify this sync is working — inconsistent suppression across platforms is a common compliance gap.
Set up geo-based segments. If you sell globally, create a segment for EU-based subscribers (using Klaviyo's location data). This segment can have stricter sending rules if needed, and makes it easier to handle GDPR-specific requests.
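As an added example (not code from the article, Klaviyo or Shopify), this Python script applies the consent-record requirements from the "Consent Records" section and the consent-based-sending rule above to a constructed list: a profile is only sent to when the what, when and how of consent are on record, the wording is not one of the vague phrases the article names, the box was not pre-checked, and no platform has recorded an unsubscribe. The field names and sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

VAGUE_WORDING = {"keep me updated", "stay in touch"}  # wording the article calls too vague

@dataclass
class Subscriber:  # assumed shape of a consent record, not Klaviyo's schema
    email: str
    consent_text: Optional[str] = None       # what they agreed to (exact text shown)
    consented_at: Optional[datetime] = None  # when they opted in
    source: Optional[str] = None             # how: form, page or checkout
    checked_by_default: bool = False         # a pre-checked box is not consent
    unsubscribed_in: tuple = ()              # platforms where they opted out

def consent_problems(s: Subscriber) -> list[str]:
    """Every reason this profile must be suppressed from marketing sends."""
    problems = []
    text = (s.consent_text or "").strip().rstrip(".").lower()
    if not text:
        problems.append("no consent text on record")
    elif text in VAGUE_WORDING:
        problems.append("consent wording too vague")
    if s.consented_at is None:
        problems.append("no consent timestamp")
    if not s.source:
        problems.append("consent source unknown")
    if s.checked_by_default:
        problems.append("opt-in box was pre-checked")
    if s.unsubscribed_in:  # an unsubscribe on any platform suppresses everywhere
        problems.append("unsubscribed in " + ", ".join(sorted(s.unsubscribed_in)))
    return problems

def marketing_audience(subs: list[Subscriber]) -> tuple[list[str], dict[str, list[str]]]:
    """Split a list into emails safe to send to and {email: reasons suppressed}."""
    results = {s.email: consent_problems(s) for s in subs}
    return [e for e, r in results.items() if not r], {e: r for e, r in results.items() if r}

T = datetime(2024, 3, 1, 10, 0, tzinfo=timezone.utc)
OK_TEXT = "I agree to receive marketing emails from Brand"
SAMPLE = [  # constructed records, not real customers
    Subscriber("a@example.com", OK_TEXT, T, "checkout"),
    Subscriber("b@example.com", "Keep me updated", T, "popup"),
    Subscriber("c@example.com", OK_TEXT, T, "checkout", checked_by_default=True),
    Subscriber("d@example.com", OK_TEXT, T, "popup", unsubscribed_in=("shopify",)),
    Subscriber("e@example.com"),  # imported from another platform, consent unknown
]
SEND_TO, SUPPRESSED = marketing_audience(SAMPLE)
```

Only the first record survives; the suppression reasons for the rest are the audit trail you would want when answering a data access request or reviewing an import.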
What About the UK?
Post-Brexit, the UK has its own data protection law: the UK GDPR, which is essentially identical to EU GDPR in its requirements for email marketing. If you sell to UK customers, treat them under the same consent and compliance rules as EU customers.
Common GDPR Mistakes in Shopify Email Marketing
Treating US and EU subscribers the same. US email regulations (CAN-SPAM) are significantly less strict than GDPR. CAN-SPAM allows sending marketing emails to anyone who hasn't explicitly opted out, while GDPR requires explicit opt-in before you send. If you apply US rules to EU subscribers, you're violating GDPR.
Not honoring unsubscribes across platforms. If someone unsubscribes from your Klaviyo emails but still receives marketing through another channel (Shopify email, a separate tool), that's a violation. Unsubscribe must mean unsubscribe everywhere.
Migrating lists without consent verification. When switching from another email platform to Klaviyo, brands sometimes import their entire list without verifying consent status. If consent was collected under vague terms or wasn't collected at all, those subscribers shouldn't be imported for marketing sends.
Sending to purchased or rented lists. This is always a violation under GDPR, regardless of what the list seller claims about consent. Don't do it.
Missing the physical address. Both GDPR and CAN-SPAM require that marketing emails include a physical mailing address. This is easy to miss in email templates, especially for smaller brands without office space. A registered business address or PO box satisfies the requirement.
The Revenue Upside of Compliance
Brands that handle GDPR properly often see better email performance than non-compliant senders. The reason is simple: when every subscriber on your list has actively opted in, engagement rates are naturally higher. You're sending to people who want to hear from you.
Higher engagement leads to better deliverability. Better deliverability leads to more inbox placement. More inbox placement leads to more revenue per send.
Compliance isn't a tax on your email program. It's a quality filter that makes everything else work better.
Get the consent right. Document it. Honor unsubscribes. Treat customer data with the respect it deserves. The result is an email list that's smaller but dramatically more valuable.

Tsvetan Emil
Klaviyo Email & SMS Specialist