disconnectme / disconnect-tracking-protection

Canonical repository for the Disconnect services file

Consider only block tracking subdomain for Klaviyo but not all domains #349

Closed artines1 closed 2 months ago

artines1 commented 2 months ago

Domain(s) to review. Separate them by comma.

klaviyo.com

Rationale for removing, adding, or recategorizing.

Klaviyo puts all tracking and analytics code under static-tracking.klaviyo.com. The other subdomains serve resources but no tracking. So, Disconnect could consider only blocking for the tracking subdomain.

Where domain(s) observed. Separate them by comma.

static-tracking.klaviyo.com

Additional notes

A related breakage report - Bug 1894315 - Non-tracking klaviyo subdomains are being blocked as tracking

disconnectme commented 2 months ago

Thank you for bringing this to our attention. Our technical and policy review determined that klaviyo.com meets our definition of tracking and that this domain is properly classified.

Our technical review revealed Request URLs from Klaviyo subdomains are present on thousands of 3P sites. Although the Bugzilla report says “. . . all tracking and analytics code is under static-tracking.klaviyo.com, all other subdomains serve experiences to brand's websites and should be allowed . . .”; we are also seeing that static.klaviyo.com points to the same IP as static-tracking.klaviyo.com and we are also seeing what appear to be tracking requests from sub-domain a.klaviyo.com, including but not limited to the following:

⁃ https://www.pierreherme.com/ Request URL https://a.klaviyo.com/onsite/track-analytics?company_id=Yaq7Ec
⁃ https://www.evike.com/ Request URL https://a.klaviyo.com/onsite/track-analytics?company_id=LZBAWh

In addition, several portions of the Klaviyo policy and website marketing seem to support the current classification, including but not limited to the following:


Website marketing:
⁃ “Send hyper-personalized, targeted messages with Klaviyo’s intelligent marketing automation platform. With your data in one place, you can efficiently automate your workflow across marketing channels.” https://www.klaviyo.com/marketing-automation
⁃ “Real-time data makes it possible, increasing customer engagement with personalized, relevant messages.” https://www.klaviyo.com/features/segmentation
⁃ “Maximize your sales with omnichannel campaigns” https://www.klaviyo.com/features/campaigns
⁃ “Using Klaviyo’s built-in CDP and its CRM functionality, you can gain a comprehensive understanding of your customers’ behavior and preferences. Easily view their purchase history, email engagement, and website activity all in one place.” https://www.klaviyo.com/features/customer-profiles

Privacy policy https://www.klaviyo.com/legal/privacy/privacy-notice talks about data collection:
⁃ “Klaviyo as a Data Processor: In providing our Service, our customers may collect data in our products and services, or we may collect data on their behalf, which may include personal information or data about our customers’ end users (“Customer Data”). In such instances, Klaviyo acts as a “data processor” (or similar term under applicable laws), and we have contractually committed ourselves to process Customer Data on behalf and under the instruction of the respective customer, who is the data controller. This Privacy Notice does not apply to the processing of Customer Data and we recommend you read the privacy notice of the respective customer if their processing concerns your personal information.”
⁃ “Log Data: Including your internet protocol (IP) address, operating system, browser details such as type, ID, and configuration, unique identifiers, local and language settings; session logging, heatmaps and scrolls; screen resolution, ISP, device type and version, the referring URL, date/time of your visit, the time you spent on our services and any errors that may occur during your visit to our Services.”
⁃ “Analytics Data: Including the electronic path you take to our services, through our services and when exiting our services, UTM source, as well as your usage and activity on our services, such as the time zone, activity information (first and last active date and time), usage history (flows created, campaigns scheduled, emails opened, total log-ins) as well as the pages, links, objects, products and benefits you view, click or otherwise interact with. We may also analyze the interaction between you and your customer using our Services.”
⁃ “Digital Behavioral Data: Web page interactions (clicks, hovers, focus, mouse movements, browsing, zooms and other interactions), referring web page/source through which you accessed the Sites, and statistics associated with the interaction between device or browser and the Sites.”
⁃ Regarding the use of data “Opportunity tracking, conversion and lead generation”
⁃ “Advertising Partners: We may share certain personal information (including information collected through cookies) with our advertising service providers and vendors in order to advertise our Services to you.”
⁃ “We or the online advertising networks use this information to make the advertisements you see online more relevant to your interests. We may also display targeted advertising to you through social media platforms, such as LinkedIn, Facebook, Twitter, Google, and others.”

Although we understand Klaviyo is offering a service, our review has determined that Klaviyo also is collecting and retaining data about particular devices/users on websites that Klaviyo does not own, and this activity fits our definition of tracking: https://disconnect.me/trackerprotection.

Based on this analysis we believe this domain is properly classified but please feel free to provide additional information and we’ll be sure to consider.
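
The scoping question in this thread, as an added example that is not part of the issue or of Disconnect's code: it compares a whole-domain list entry with a tracking-subdomain-only entry over request hosts named above. The label-boundary suffix matching and all function names are assumptions, and every path except the quoted `track-analytics` URL is constructed.

```javascript
// Added example: hostname-suffix matching, an assumed simplification of how a
// domain list entry is applied; not Disconnect's or any browser's code.

// True when `host` equals `entry` or is a subdomain of it (label boundary).
function hostMatchesEntry(host, entry) {
  host = host.toLowerCase().replace(/\.$/, ""); // drop a trailing root dot
  entry = entry.toLowerCase();
  return host === entry || host.endsWith("." + entry);
}

// Return the first list entry covering the request URL's host, or null.
function matchingEntry(requestUrl, entries) {
  let host;
  try {
    host = new URL(requestUrl).hostname;
  } catch (e) {
    return null; // unparsable URL: nothing to match
  }
  return entries.find((entry) => hostMatchesEntry(host, entry)) || null;
}

// Evaluate every request against each candidate entry set.
function compareScopes(requests, scopes) {
  return requests.map((url) => {
    const row = { url };
    for (const [name, entries] of Object.entries(scopes)) {
      row[name] = matchingEntry(url, entries) !== null;
    }
    return row;
  });
}

// The first URL is quoted in the thread; the others use hostnames named in
// the thread with constructed paths, plus one constructed look-alike host.
const REQUESTS = [
  "https://a.klaviyo.com/onsite/track-analytics?company_id=LZBAWh",
  "https://static-tracking.klaviyo.com/constructed/path.js",
  "https://static.klaviyo.com/constructed/path.js",
  "https://notklaviyo.com/constructed/path.js",
];

const SCOPES = {
  wholeDomain: ["klaviyo.com"],
  trackingSubdomainOnly: ["static-tracking.klaviyo.com"],
};

const RESULT = compareScopes(REQUESTS, SCOPES);
console.table(RESULT);
```

Under the subdomain-only entry the `a.klaviyo.com/onsite/track-analytics` request is not covered, which is the gap the reply points to; the whole-domain entry covers it along with `static.klaviyo.com`.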