Marketing integration
Klaviyo on Shopify, made compliant
Email + SMS marketing platform with a Shopify-native web tracker for behavioural segmentation.
Why consent applies to Klaviyo
Klaviyo's web tracker (`klaviyo.js`) tracks viewed-product and started-checkout events for behavioural email/SMS triggers. EU regulators treat this as marketing — opt-in consent is required before any tracking fires. The transactional emails Klaviyo sends after a purchase are covered by contract lawful basis and don't need separate consent, but the tracker that powers segmentation does.
Cookies / scripts Klaviyo sets
__kla_id_learnq (legacy)
Step-by-step compliance setup
- 1
Block klaviyo.js until marketing consent
The Klaviyo onsite tracker is loaded via `<script src="https://static.klaviyo.com/onsite/js/...">`. Block this script until the visitor accepts the marketing category. The Klaviyo `learnq.push` queue gracefully handles late initialisation.
- 2
Sync consent state to Klaviyo profile properties
When a known customer accepts marketing, set their Klaviyo profile property `$consent` to `['email', 'sms', 'web']` as appropriate. This double-counts as evidence in case of a regulator dispute and prevents re-prompting on future visits.
- 3
Coordinate with Shopify Customer Privacy API
Klaviyo's Shopify integration reads `window.Shopify.customerPrivacy`. Make sure your CMP updates that object on consent — otherwise Klaviyo's server-side events keep firing even when the banner shows the visitor as opted out.
- 4
Stop tracking for CCPA opt-outs
California visitors who click Do Not Sell or Share need klaviyo.js to stop firing entirely — not just opt out of email. Klaviyo's audience-sharing with Meta and Google is the 'share' that CPRA targets.
How Consentico handles Klaviyo
Consentico's Shopify-native integration reads and writes `window.Shopify.customerPrivacy` so Klaviyo, Yotpo, and other Shopify-aware apps see the correct consent state. The marketing category gates klaviyo.js via the same script blocker that handles GA4 and Meta Pixel.
- Default-deny before any tag fires
- Three-layer script blocking (createElement + MutationObserver + content-type)
- Audit-ready consent log
Related concepts
- Consent (GDPR)Freely given, specific, informed, and unambiguous indication of agreement. No pre-checked boxes, no implied consent from continued browsing.
- Do Not Sell or ShareRequired CCPA/CPRA opt-out link visible on every page of a California-targeting site. Renamed from 'Do Not Sell' in 2023.
- CCPACalifornia's privacy law, expanded in 2023 by the CPRA. Requires a 'Do Not Sell or Share' link and honouring of GPC for California residents.
- GDPREU regulation governing how organisations process personal data of EU/EEA residents. Applies to any Shopify store with EU visitors.
Related integrations
- Meta Pixel (Facebook Pixel)Meta's advertising tracker — used for Facebook/Instagram remarketing and conversion attribution.
- Google Analytics 4 (GA4)Google's behavioural-analytics product, mandatory since Universal Analytics was deprecated in July 2023.
- HotjarSession-replay and heatmap tool — records visitor sessions to identify UX issues.
Block Klaviyo until consent — in five minutes.
Free for stores under 5,000 banner views per month. No code, no theme edits.