Privacy Policy

As a best practice, your privacy policy should include an accurate description of your program and how you will handle data in connection with that program. We also recommend including information regarding what you do with the phone numbers you collect, how you use them, who you share them with, etc. The privacy policy should be accessible from the opt-in method (e.g., signup form).

We also recommend including disclosures if any of the following apply to your business:

SMS abandoned cart
Third-party data sharing
Location tracking or location-based services

The sections below provide examples; however, Klaviyo cannot provide legal advice, so please check with your legal counsel before making changes to your privacy policy.

SMS Abandoned Cart Disclosure

Privacy policies must explicitly state how information is captured by the website to determine when a customer’s cart has been abandoned (e.g., website cookies, plugins, etc). If you are using SMS in an abandoned cart, include a disclosure about this in your privacy policy.

“The <website> uses cookies to help keep track of items you put into your shopping cart including when you have abandoned your cart and this information is used to determine when to send cart reminder messages via SMS.”

Third-Party Data Sharing

If your privacy policy mentions data sharing or selling to nonaffiliated third parties, there is a concern that customer data will be shared with third parties for marketing purposes. Here, third parties do not include subsidiaries and affiliates (i.e., companies under common control, as well as service providers who provide services on behalf of the customer).

Express Consent is required for SMS; therefore, sharing data is prohibited. Privacy policies must specify that this data sharing excludes SMS opt-in data and consent. Privacy policies can be updated (or draft versions provided) where the practice of sharing personal data to third parties is expressly omitted from the short code program.

“The above excludes text messaging originator opt-in data and consent; this information will not be shared with any third parties.”

Location Tracking and Location-Based Services

If your privacy policy mentions location tracking or location-based services, it must fully describe how that data is collected and for what purpose.

SMS Compliance for Abandoned Carts

Consent/Opt-In Requirements

There are two main requirements for consent in connection with abandoned cart messages:

A recipient must explicitly agree to receive abandoned cart reminders
The list they are sent to must have double opt-in enabled

For the first, as a part of the SMS opt-in process on your website, mention in the call-to-action that your SMS program includes abandoned cart reminders. Typically, this mention is part of the disclosure text written on a signup form.

Every SMS subscriber must also go through the double opt-in process if you want to send them abandoned cart messages.

Flow Restrictions

An SMS abandoned cart flow has two key restrictions:

The flow is limited to one SMS message per each abandoned cart
The message must be sent within 48 hours of the triggering event

Further, you cannot complete the transaction on behalf of the customer, collect payment information via text, or accept purchase via a keyword confirmation from the customer. The customer must complete the transaction themselves on your online store.

Required Disclosures

If you plan to send abandoned cart reminders through your short code SMS program, it needs to be specified within your mobile program terms of service. The language below is an example of such a disclosure.

“If you have opted in, the Service provides alerts, information, promotions, specials, and other marketing offers (e.g., cart reminders) from <Company Name>.”

You must also address your abandoned cart program in your privacy policy. Privacy policies must explicitly state how information is captured by the website to determine when a customer cart has been abandoned (website cookies, plugins, etc). The language below is an example.

SMS Compliance for Sweepstakes/Contests

Carriers have specific requirements for sweepstakes/contests where consumers enter, win, or otherwise participate. While these requirements are primarily for short codes, they are still good to have in place for other SMS sending numbers.

Sweepstakes rules must include:

Having a “No Purchase Necessary” method of participation within the contest
Not offering carrier-specific prizes
Defining the contest period
Listing all states where participation in the sweepstakes is available
Listing the approximate retail value (ARV) of the prizes

If you plan to run sweepstakes programs on a short code, you must provide additional information by:

Publishing the sweepstakes rules on your website
Linking to the sweepstakes rules in the signup form, call-to-action, or other opt-in method (website, point-of-sale signage, etc)
Attaching a physical copy in an email or via the application of the sweepstakes rules

What Is Double Opt-In?

Double opt-in is a process through which a new subscriber must confirm their subscription before being subscribed to a given list. It is the same for both email and SMS subscribers.

If someone provides both their email and SMS, confirming their consent by text will opt them into SMS and email. If they do so by email, they will only be opted into email.

Double opt-in is set at the list level. If a list has double opt-in, everyone who subscribes to that list must confirm their interest before they're added. The only exception is for SMS subscribers in the UK and Australia. Since alphanumeric sending IDs cannot receive text messages, there's no way for a subscriber to confirm that they want to opt in. Thus, even if a list is set to double opt-in, UK and Australian SMS subscribers will always go through single opt-in.