Solved

Privacy issue in Shopify Klaviyo Integration

  • 16 December 2022

Hi,
the Shopify Klaviyo integration is causing a privacy issue:
Shopify Apps are supposed to integrate with the Shopify Customer Privacy API. This API allows Cookie banners to change the consent/privacy state of a given user.
Source:
https://shopify.dev/api/consent-tracking?shpxid=1bb96289-AA05-4C06-5918-3BEFBDF10957

The Shopify Klaviyo App sets the __kla_id cookie before a user gives consent. If a user denies cookies and the Customer Privacy API is triggered to update the user’s consent state, the Klaviyo App ignores the user’s preference.

Do you have a solution for this or are you waiting for a wave of legal actions that hits your clients?

Best answer by David To 10 February 2023, 15:47

Hi there @THahn,

Thanks for sharing.

While we have our security team investigate this claim, I would like to provide some info or possible guesses as to what might be going on. The Klaviyo KX parameter would only be feasible if customers clicked in from a Klaviyo email, hence they would have already had to have given consent, i.e. through subscribing or giving some sort of email already. Assuming this is the case, either way it will be up to the business owners to manage the appropriate consent within the integration. I think the consent that is mentioned might be more related to web tracking, which falls back on our customers for the integration. Although we have web tracking it is going to need to be given first. If there is an update to consent level, you will need a way to ensure that that information/detail is shared back to Klaviyo.

I will provide more info once we hear from our security team regarding this.

Alex

Hey @alex.hong,

thanks for your answer.

I think I’ve found the root cause:
https://help.klaviyo.com/hc/en-us/articles/4425956184731

As described in this article, one has to enable the so-called Shopify App Embed setting in order to activate the Klaviyo JS Tracker which sets the __kla_id cookie.

However, this setting does not interact with the Shopify Consent API and it seems like it can’t be altered.

Is there a workaround that you can recommend to make the integration GDPR compliant?

Hey @alex.hong, any news on this?

 

Hi @THahn,

Apologies for the inconvenience. I have escalated this to our engineering and bug report team and I am also awaiting a followup on this.

 

Thank you for your patience,

Alex

Hi @alex.hong,
 
thanks!

 

As an additional note:
I’ve observed this issue also in Shopify stores which integrated the Klaviyo app before the Shopify App Embed setting was available. So even if the Shopify App Embed setting is turned off, the Klaviyo Onsite JS is loaded through Shopify Analytics for users that have not given proper consent.

 

Hey @alex.hong,

 

any news from your engineering team?

 

Best,

Tristan

Hi @THahn,

Thanks for your patience as we work on this.

Our engineering teams are working on this and have told me there will be an update/fix coming relatively soon. There will also be proper customer communication done when these changes go live. Thank you for providing your feedback/experience with this and we appreciate your participation in the community.

 

Best,

Alex

That’s awesome! Many thanks @alex.hong

Hi,

 

Just wanted to check if this is still ongoing? I am exploring Klaviyo as an option for my business and this is a concern for me.

 

Thanks!

Hey @IKT,

In case you may have missed our recent announcement on this topic, I’ve shared it below:

To put it simply, Klaviyo will adhere to the Customer Privacy settings you’ve enabled per Shopify’s Customer Privacy API.

David

Hello Community,

It's great that the Shopify cookie banner is now functional. However, for stricter markets like Germany, the Shopify cookie banner is insufficient because it does not display a cookie list under the preference center. My question is: can this be achieved with OneTrust? We still see the __kla_id cookie being triggered without prior permission from the cookie banner.

The only solution we've found is to disable web tracking by removing the Klaviyo JS embedded in Shopify, but this results in the popup functionality ceasing to work.
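
One way to check the behaviour reported in this thread, added here as an example (not code from Klaviyo, Shopify or any poster): given a recorded, ordered log of `document.cookie` writes and banner decisions, it flags `__kla_id` being set before consent, set after a denial, or left in place after a denial. The event shape, function names and sample values are assumptions constructed for illustration.

```javascript
// Added example. Event shape, function names and sample values are constructed.
const TRACKING_COOKIES = new Set(['__kla_id']); // the cookie named in this thread

// Parse one string assigned to document.cookie into { name, deleted }.
// A cookie is removed by writing it with a non-positive Max-Age or a past Expires.
function parseCookieWrite(write, now) {
  const [pair, ...attrs] = write.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const name = eq === -1 ? '' : pair.slice(0, eq);
  let deleted = false;
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    const val = i === -1 ? '' : attr.slice(i + 1);
    if (key === 'max-age' && Number(val) <= 0) deleted = true;
    if (key === 'expires' && Date.parse(val) <= now) deleted = true;
  }
  return { name, deleted };
}

// events, in chronological order (t = epoch ms):
//   { t, type: 'cookie',  write: '<string assigned to document.cookie>' }
//   { t, type: 'consent', marketing: true | false }
function auditConsent(events) {
  let consent = null;     // null: the visitor has not answered the banner yet
  const live = new Set(); // tracking cookies currently present
  const findings = [];
  for (const ev of events) {
    if (ev.type === 'consent') { consent = ev.marketing; continue; }
    const { name, deleted } = parseCookieWrite(ev.write, ev.t);
    if (!TRACKING_COOKIES.has(name)) continue;
    if (deleted) { live.delete(name); continue; }
    live.add(name);
    if (consent === null) findings.push({ t: ev.t, name, issue: 'set-before-consent' });
    if (consent === false) findings.push({ t: ev.t, name, issue: 'set-after-denial' });
  }
  // Still present at the end although the last decision was a denial.
  if (consent === false) {
    for (const name of live) findings.push({ t: null, name, issue: 'kept-after-denial' });
  }
  return findings;
}
// Constructed timeline: cookie written on page load, visitor then declines.
const T0 = Date.parse('2022-12-16T10:00:00Z');
const SAMPLE = [
  { t: T0, type: 'cookie', write: '__kla_id=constructed-value; path=/; max-age=63072000' },
  { t: T0 + 5000, type: 'consent', marketing: false },
  { t: T0 + 6000, type: 'cookie', write: 'cart=constructed; path=/' },
];
console.log(auditConsent(SAMPLE));
```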
