
Privacy issue in Shopify Klaviyo Integration


  • Problem Solver I
  • 7 replies

Hi,
the Shopify Klaviyo integration is causing a privacy issue:
Shopify Apps are supposed to integrate with the Shopify Customer Privacy API. This API allows Cookie banners to change the consent/privacy state of a given user.
Source:
https://shopify.dev/api/consent-tracking?shpxid=1bb96289-AA05-4C06-5918-3BEFBDF10957

The Shopify Klaviyo App sets the __kla_id cookie before a user gives consent. If a user denies cookies and the Customer Privacy API is triggered to update the user’s consent state, the Klaviyo App ignores the user’s preference.

Do you have a solution for this or are you waiting for a wave of legal actions that hits your clients?
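
A check for the condition described in this post, as an added example that is not part of the original thread and is not Klaviyo's or Shopify's code: it lists cookies that are present although consent for their category has not been granted. Mapping `__kla_id` to a `marketing` category is an assumption made for illustration; `marketingAllowed()` and `analyticsProcessingAllowed()` are methods of Shopify's Customer Privacy API.

```javascript
// Added example: audit the cookie jar against the visitor's consent state.
// Assumption: which consent category a cookie needs is the store's own policy;
// treating __kla_id as "marketing" here is illustrative.
const COOKIE_POLICY = new Map([['__kla_id', 'marketing']]);

// Parse a document.cookie-style string into a Map of name -> value.
function parseCookies(cookieString) {
  const jar = new Map();
  for (const part of (cookieString || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue; // skip fragments without a name=value shape
    const name = part.slice(0, eq).trim();
    if (name) jar.set(name, part.slice(eq + 1).trim());
  }
  return jar;
}

// Return cookies that are present although their category is not granted.
// `consent` maps category -> boolean; a missing category counts as not granted.
function findConsentViolations(cookieString, consent, policy = COOKIE_POLICY) {
  const violations = [];
  for (const name of parseCookies(cookieString).keys()) {
    const category = policy.get(name);
    if (category !== undefined && consent[category] !== true) {
      violations.push({ cookie: name, category });
    }
  }
  return violations;
}

// Read the live consent state from Shopify's Customer Privacy API.
function readShopifyConsent(win) {
  const api = win && win.Shopify && win.Shopify.customerPrivacy;
  if (!api) return null; // API not loaded on this page
  return {
    marketing: api.marketingAllowed(),
    analytics: api.analyticsProcessingAllowed(),
  };
}

// In a browser console on the storefront: report violations for this visitor.
// If the API is not loaded, consent is unknown and treated as not granted.
if (typeof window !== 'undefined' && typeof document !== 'undefined') {
  const consent = readShopifyConsent(window) || {};
  console.table(findConsentViolations(document.cookie, consent));
}
```

Run it once before interacting with the cookie banner and again after declining; a row for `__kla_id` in either run is the behaviour reported here.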

 


11 replies

alex.hong
  • Klaviyo Alum
  • 1552 replies
  • December 16, 2022

Hi there @THahn ,

Thanks for sharing.

While we have our security team investigate this claim, I would like to provide some info or possible guesses as to what might be going on. The Klaviyo KX parameter would only be feasible if customers clicked in from a Klaviyo email, hence they would have already had to have given consent, i.e., through subscribing or giving some sort of email already. Assuming this is the case, either way it will be up to the business owners to manage the appropriate consent within the integration. I think the consent that is mentioned might be more related to web tracking, which falls back on our customers for the integration. Although we have web tracking, it is going to need to be given first. If there is an update to consent level, you will need a way to ensure that that information/detail is shared back to Klaviyo.

 

I will provide more info once we hear from our security team regarding this.

Alex

 

 


  • Author
  • Problem Solver I
  • 7 replies
  • December 19, 2022

Hey @alex.hong ,

thanks for your answer.

I think I’ve found the root cause:
https://help.klaviyo.com/hc/en-us/articles/4425956184731

As described in this article, one has to enable the so-called Shopify App Embed setting in order to activate the Klaviyo JS Tracker which sets the __kla_id cookie.

However, this setting does not interact with the Shopify Consent API and it seems like it can’t be altered.

Is there a workaround that you can recommend to make the integration GDPR compliant?
 

 


  • Author
  • Problem Solver I
  • 7 replies
  • December 29, 2022

Hey @alex.hong, any news on this?

 


alex.hong
  • Klaviyo Alum
  • 1552 replies
  • December 29, 2022

Hi @THahn ,

Apologies for the inconvenience. I have escalated this to our engineering and bug report team and I am also awaiting a followup on this.

 

Thank you for your patience,

Alex


  • Author
  • Problem Solver I
  • 7 replies
  • January 2, 2023

Hi @alex.hong,
 
thanks!

 

As an additional note:
I’ve observed this issue also in Shopify stores which integrated the Klaviyo app before the Shopify App Embed setting was available. So even if the Shopify App Embed setting is turned off, the Klaviyo Onsite JS is loaded through Shopify Analytics for users that have not given proper consent.

 


  • Author
  • Problem Solver I
  • 7 replies
  • January 16, 2023

Hey @alex.hong ,

 

any news from your engineering team?

 

Best,

Tristan


alex.hong
  • Klaviyo Alum
  • 1552 replies
  • January 17, 2023

Hi @THahn ,

Thanks for your patience as we work on this.

Our engineering teams are working on this and have told me there will be an update/fix coming relatively soon. There will also be proper customer communication done when these changes go live. Thank you for providing your feedback/experience with this and we appreciate your participation in the community.

 

Best,

Alex


  • Author
  • Problem Solver I
  • 7 replies
  • January 18, 2023

That’s awesome! Many thanks @alex.hong


  • Contributor I
  • 1 reply
  • February 6, 2023

Hi,

 

Just wanted to check if this is still ongoing? I am exploring Klaviyo as an option for my business and this is a concern for me.

 

Thanks!


David To
  • Klaviyo Employee
  • 2456 replies
  • Answer
  • February 10, 2023

Hey @IKT,

In case you may have missed our recent announcement on this topic, I’ve shared it below:

To put it simply, Klaviyo will adhere to the Customer Privacy settings you’ve enabled per Shopify’s Customer Privacy API.

David


Jakub
  • Partner - Silver
  • 125 replies
  • May 31, 2024

Hello Community,

It's great that the Shopify cookie banner is now functional. However, for stricter markets like Germany, the Shopify cookie banner is insufficient because it does not display a cookie list under the preference center. My question is: can this be achieved with OneTrust? We still see the __kla_id cookie being triggered without prior permission from the cookie banner.

The only solution we've found is to disable web tracking by removing the Klaviyo JS embedded in Shopify, but this results in the popup functionality ceasing to work.