
Cookie Consent for Klaviyo, Onsite Tracking & Cart Emails

Your abandoned-cart flow only works if you can identify the shopper, and identifying the shopper means a tracking cookie that needs consent. This guide untangles onsite tracking consent, abandoned cart vs abandoned checkout, the UK soft opt-in, and US SMS rules.

Two consent systems, one abandoned cart

Here's the problem in one sentence: your abandoned-cart flow only fires if you can tie a browsing session to an email address, and tying a browsing session to an email address depends on a tracking cookie that needs consent. Gate the cookie, and a chunk of your recovery revenue disappears before the email ever gets written.

Most store owners treat "cookie consent" and "email consent" as one thing. They aren't. An online store runs into two separate rulebooks at the same time. The ePrivacy Directive (and the UK's PECR) governs the tracking cookie that identifies the shopper on your site. A second set of rules, the e-marketing provisions in those same laws plus CAN-SPAM and TCPA in the US, governs whether you're allowed to send the message. You have to clear both gates, and they don't always line up. This guide walks through where they collide and how to keep recovering carts without stepping on either.

Onsite tracking is a consent-gated cookie, full stop

Klaviyo's onsite tracking sets a cookie (the __kla_id identifier) that records what a visitor browses and, once they're identified, stitches that behavior to their profile. That's what powers browse-abandonment and cart-abandonment flows. It's also, plainly, analytics-and-marketing tracking under ePrivacy Article 5(3), so it needs consent before it fires in the EU, EEA, UK, and Switzerland.

Klaviyo knows this. On Shopify, Klaviyo reads the store's Customer Privacy API and will not track onsite events for visitors in those regions unless consent has been given. The same logic applies to Meta Pixel, Google's tags, and any other onsite identifier. If your consent banner blocks the marketing category, the tracker stays dark, and the shopper who abandoned a cart never gets identified.
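How that banner-to-tracker handoff looks in code, as an added example (not Klaviyo's, Shopify's or CookieBeam's own code): it reads the per-category consent object that Shopify's Customer Privacy API (`window.Shopify.customerPrivacy`) exposes and decides which onsite identifiers may load. The tracker table and the `sale_of_data` mapping are assumptions made for the example.

```javascript
// Each onsite identifier and the banner category it needs. Klaviyo, Meta and Google all
// sit in "marketing"; the table itself is constructed for this example.
const TRACKERS = {
  klaviyo_onsite: 'marketing',  // sets __kla_id, powers browse and cart abandonment
  meta_pixel: 'marketing',
  google_ads: 'marketing',
  ga4: 'analytics',
};

// Shopify's currentVisitorConsent() reports 'yes', 'no' or '' (no decision yet) per category.
// Only an explicit 'yes' releases a tracker; '' is treated exactly like 'no'.
function categoryAllowed(consent, category) {
  return Boolean(consent && consent[category] === 'yes');
}

// Split the trackers into those that may load now and those that stay dark.
function gateTrackers(consent, trackers = TRACKERS) {
  const fire = [];
  const hold = [];
  for (const [name, category] of Object.entries(trackers)) {
    (categoryAllowed(consent, category) ? fire : hold).push(name);
  }
  return { fire, hold };
}

// Turn the banner's category choices into the boolean payload setTrackingConsent() takes.
// sale_of_data follows marketing here (an assumption: cross-site pixels are the "share"
// in "do not sell/share"); a stricter mapping can keep it separate.
function bannerToShopifyConsent(banner) {
  return {
    analytics: banner.analytics === true,
    marketing: banner.marketing === true,
    preferences: banner.preferences === true,
    sale_of_data: banner.marketing === true,
  };
}

// Browser wiring; skipped when run outside a Shopify storefront (e.g. under Node).
if (typeof window !== 'undefined' && window.Shopify && window.Shopify.loadFeatures) {
  window.Shopify.loadFeatures([{ name: 'consent-tracking-api', version: '0.1' }], (err) => {
    if (err) return;
    const api = window.Shopify.customerPrivacy;
    const apply = () => console.log(gateTrackers(api.currentVisitorConsent()));
    apply();                                                      // on page load
    document.addEventListener('visitorConsentCollected', apply); // after the banner
  });
}
```

A banner that calls `api.setTrackingConsent(bannerToShopifyConsent(choices), cb)` after the shopper answers is what makes Klaviyo's own check see the same decision.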

One trap catches a lot of teams: consent to receive email marketing is not consent for onsite behavioral tracking. A shopper who ticks "email me deals" at checkout has agreed to messages. They haven't agreed to a cookie that follows them around the catalog. Those are different permissions collected in different places. Treat them separately.

Abandoned cart vs abandoned checkout: the line that matters

The single most useful distinction in store email compliance is the one between an abandoned checkout and an abandoned cart.

  • Abandoned checkout. The shopper reached the checkout, entered their email, then left. You have the address because they gave it to you in the course of a transaction they started. A message that helps them finish that specific purchase ("you left something in your bag, here's the link") sits close to transactional and is the more defensible send.
  • Abandoned cart / browse abandonment. The shopper added an item or looked at a product, but never entered an email at checkout. You only know who they are because onsite tracking matched them to a profile from a previous visit. That's a marketing communication built on tracked behavior, and it needs both a lawful basis for the tracking and permission (or a valid exemption) for the message.

In practice, the abandoned-checkout flow survives a strict consent setup far better than the browse-abandonment flow, because it doesn't depend on a marketing cookie to know who the person is. If you're going to lose one flow to consent, it'll usually be the browse one. Design for that.

The UK and EU soft opt-in for existing customers

There's a genuine exemption that a lot of stores forget they can use. Under the UK's PECR (Regulation 22) and the equivalent provision in EU member-state ePrivacy law, you can email marketing to an existing customer without a separate opt-in if three conditions all hold. This is the "soft opt-in."

  1. You obtained their contact details in the course of a sale or negotiation of a sale of a product or service.
  2. You're marketing your own similar products or services.
  3. You gave them a simple way to opt out at the point you collected the address, and you offer an opt-out in every message after.

See the text at PECR Regulation 22 and the ICO's Guide to PECR. The soft opt-in is why win-back and "you left this behind" emails to past buyers are often fine even without a ticked marketing box. It does not cover people who never bought, and it doesn't stretch to unrelated product lines. And it's an email exemption only: it says nothing about whether your onsite tracking cookie needed consent, which it still did.

US rules run on a different logic: opt-out email, opt-in SMS

If your shoppers are in the US, the framework flips. There's no general federal cookie-consent law, but the message rules are strict in their own way.

Email (CAN-SPAM). You can send commercial email without prior consent, but every message needs a truthful subject line, a physical postal address, and a working unsubscribe that you honor within 10 business days. It's an opt-out regime, not opt-in.

SMS (TCPA). This is the one that bites. Marketing text messages require prior express written consent: a specific, documented opt-in to receive texts at that number. A pre-checked box doesn't count, and a general email signup doesn't transfer to SMS. Statutory damages run $500 to $1,500 per message, and TCPA class actions are a cottage industry. So the abandoned-cart text is a much higher-stakes send than the abandoned-cart email. Collect a distinct SMS opt-in, keep the timestamped record, and never assume email permission covers texting.

Several US states (California, Colorado, and the growing list) also treat this as covered by their opt-out and "do not sell/share" rights. See our complete guide to US state privacy laws for where those bite.

What breaks when you gate tracking, and how to recover it

Blocking onsite tracking until consent is the correct default, but it does cost you identified sessions. Three moves recover most of the loss without cutting corners.

  • Lean on the identified checkout. When a shopper enters their email at checkout, you have first-party data from a transaction they initiated. Abandoned-checkout flows built on that don't need a marketing cookie to work, so they keep firing even at low banner-accept rates.
  • Move conversion measurement server-side. Purchases, add-to-carts, and checkout starts can be sent from your backend to ad and email platforms through server-side APIs (Meta's Conversions API, Google's server-side tagging) with consent still enforced at the source. That protects measurement without a pile of browser cookies. See server-side tagging with consent on Shopify and server-side consent enforcement.
  • Design the banner to earn genuine consent. A clear, honest banner on a store that shoppers trust converts better than a dark-pattern one, and the consent you get is valid. Our guide to raising consent rates without dark patterns covers the specifics.

A practical setup for online stores

  1. Separate your permissions. One consent state for onsite tracking cookies (banner-driven), a separate opt-in for email marketing, and a distinct opt-in for SMS. Never let one imply the others.
  2. Wire the banner to the tracking, not the pixel alone. Klaviyo, Meta, and Google onsite tracking should all sit in the marketing category and stay blocked until consent. On Shopify, connect the banner to the Customer Privacy API so Klaviyo honors it automatically.
  3. Keep abandoned-checkout flows first-party. Trigger them from the email captured at checkout, not from cookie-matched browse behavior.
  4. Use the soft opt-in deliberately for past buyers in the UK/EU, and document that you offered opt-out at collection.
  5. Collect SMS consent explicitly and store the timestamp, source, and exact wording. TCPA cases are won and lost on that record.
  6. Audit what's actually firing. Stores accumulate tags. Scan regularly so a marketing app added last quarter isn't tracking pre-consent.
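An added example (not CookieBeam's or Klaviyo's code) that encodes steps 1 to 5 as a small data model: three permissions held in separate fields, an SMS consent record that keeps timestamp, source and exact wording, and a per-flow check that asks only for the permission each flow actually depends on. Field names, the record shape and the region handling are assumptions constructed for the example.

```javascript
// Each shopper's three permissions live in separate fields, collected in different places
// (banner, email box, SMS box) and never inferred from one another. Constructed sample model.
function makeShopper({ trackingConsent = false, emailOptIn = false, unsubscribed = false,
                       smsConsent = null, checkoutEmail = null, pastBuyer = false, region = 'EU' } = {}) {
  return { trackingConsent, emailOptIn, unsubscribed, smsConsent, checkoutEmail, pastBuyer, region };
}

// SMS consent record (step 5): timestamp, source and exact wording, kept verbatim.
function smsConsentRecord({ phone, wording, source, preChecked = false, at = new Date() }) {
  return { phone, wording, source, preChecked, at: at.toISOString() };
}

// A pre-checked box or a missing wording/source is not a record you can rely on.
function smsConsentValid(rec) {
  return !!rec && !rec.preChecked && !!rec.phone
    && typeof rec.wording === 'string' && rec.wording.length > 0
    && typeof rec.source === 'string' && rec.source.length > 0;
}

// UK/EU soft opt-in (step 4): past buyer, your own similar products, opt-out offered at
// collection. It is an email exemption only and says nothing about the tracking cookie.
function softOptInApplies(shopper, { similarProducts = false, optOutOfferedAtCollection = false } = {}) {
  return Boolean(['UK', 'EU'].includes(shopper.region) && shopper.pastBuyer
    && similarProducts && optOutOfferedAtCollection);
}

// May this flow send to this shopper? Each flow checks only the permission it depends on.
function flowAllowed(flow, shopper, ctx = {}) {
  // Email may go out on an opt-in, under the soft opt-in, or (US, CAN-SPAM) on an opt-out
  // basis, and never to someone who unsubscribed. Gating checkout mail on this too is the
  // conservative reading; the article only calls that send "the more defensible" one.
  const emailPermitted = !shopper.unsubscribed
    && Boolean(shopper.emailOptIn || softOptInApplies(shopper, ctx) || shopper.region === 'US');
  switch (flow) {
    case 'abandoned_checkout':  // first-party address from a transaction the shopper started;
      return !!shopper.checkoutEmail && emailPermitted;   // no cookie needed (step 3)
    case 'browse_abandonment':  // needs the tracking cookie AND permission for the message
      return shopper.trackingConsent && emailPermitted;
    case 'abandoned_cart_sms':  // email permission never carries over to texting (step 1)
      return smsConsentValid(shopper.smsConsent);
    default:
      return false;
  }
}
```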

How CookieBeam handles store consent

Marketing tags blocked by default. CookieBeam holds non-essential scripts, including Klaviyo onsite tracking, Meta Pixel, and Google tags, until the shopper consents, so nothing tracks before the banner is answered.

Shopify Customer Privacy API integration. Consent decisions propagate to Shopify's privacy API, so Klaviyo and other apps that read it stay in sync with the banner. See Shopify cookie consent and the Customer Privacy API.

Server-side enforcement. CookieBeam's consent signals carry into server-side tagging and Consent Mode v2, so a blocked shopper isn't measured no matter which layer the tag lives in.

Consent logging. Every decision is stored with timestamp and jurisdiction, the audit trail you want if a regulator or a plaintiff's lawyer ever asks how a given send was permitted. See consent logging and audit requirements.

The stores that handle this well stop treating consent as a single switch. Tracking, email, and SMS are three permissions, gated separately, and recovered with first-party checkout data and server-side measurement rather than a pile of pre-consent cookies.
