Manager, Privacy Compliance

Klaviyo's Legal Privacy team is responsible for Klaviyo's privacy strategy and for keeping the company's products, operations, and go-to-market practices aligned with privacy laws and regulations worldwide. The Senior Manager, Legal Compliance - Privacy will serve as a senior subject matter expert on privacy compliance across the company, partnering with Product, Engineering, Marketing, Security, and Customer Experience teams to operationalize privacy requirements in a fast-moving B2C CRM platform environment. Reporting directly to the Sr. Director, Legal Privacy, this role combines strategic privacy program ownership with hands-on compliance execution, covering the full lifecycle of Klaviyo's customer data handling across company products and services. The Senior Manager will help drive Klaviyo's privacy-by-design culture, support compliance with U.S. and international privacy frameworks, and contribute to the company's approach to AI governance as Klaviyo's AI-powered capabilities continue to grow.

• Own and execute a 6–12 month privacy compliance work plan aligned with broader Legal and company KPIs, identifying opportunities to drive measurable impact.
• Lead compliance readiness efforts for new and evolving U.S. state privacy laws (CCPA/CPRA), FTC requirements, and international privacy regulations (GDPR, UK Data Protection Act, PECR, PIPEDA, and emerging frameworks).
• Monitor legislative and regulatory developments across jurisdictions, assess applicability to Klaviyo's products and operationsDevelop, maintain, and improve privacy policies, procedures, records of processing activities (RoPAs), and internal documentation to demonstrate compliance with applicable laws.

• Working closely with Product Counsel, serve as the primary privacy compliance advisor to Product, Engineering, and Data teams, embedding privacy-by-design principles into Klaviyo's product development lifecycle, including new features, AI/ML capabilities, data integrations, and platform changes.
• Conduct and oversee privacy impact assessments (PIAs) and data protection impact assessments (DPIAs) for high-risk processing activities, new product launches, and third-party integrations.

• Communicate with key stakeholders cross-functionally to deliver a unified, global privacy compliance experience for the business.
• Partner with Security, IT, and Data Governance teams on controls frameworks, data mapping, data retention schedules, and incident response protocols.
• Support the negotiation and review of data processing agreements (DPAs) and privacy-related contractual terms with vendors, partners, and enterprise customers.
• Build and leverage strong relationships with leaders and partners across the company to secure buy-in, manage issues, and drive results on privacy initiatives.

• Oversee processes for data subject rights requests (access, deletion, correction, opt-out) to ensure timely and compliant responses at scale.
• Support privacy incident and data breach response, including investigation, documentation, root-cause analysis, remediation, and regulatory reporting as needed.

• Contribute to Klaviyo's approach to responsible AI governance, advising on privacy and data protection considerations for AI-powered features. 
• Monitor emerging AI-related privacy regulations and guidance (EU AI Act, FTC AI enforcement trends, state AI legislation) and assess their applicability to Klaviyo's products and services.

• Design and deliver privacy training and awareness programs tailored to different business functions (Engineering, Marketing, Customer Support and Success, Sales).
• Maintain accountability for key privacy compliance metrics (DSR response times, assessment completion rates, training completion, incident resolution timelines) and report on program performance to senior leadership.
• Proactively engage with external networks (IAPP, industry peer groups, privacy forums) to stay current on best practices, developing trends, and solutions to emerging issues.
• Set the standard for resolving urgent compliance issues effectively, continuously implementing systematic improvements to reduce recurring issues over time.
• Perform other related duties as assigned.

• You have deep expertise in global data privacy and protection law, including GDPR, CCPA/CPRA, PECR, CAN-SPAM, and emerging U.S. state privacy statutes, with the ability to apply them pragmatically to a technology platform business.
• You are a seasoned professional with a full understanding of privacy compliance as a specialization and can identify organizational risks proactively.
• You are comfortable operating at both strategic and operational levels, moving from program roadmap planning to hands-on policy drafting, assessment execution, and stakeholder advising in the same day.
• You communicate clearly and effectively across functions, teaching others how to think about privacy and building a collaborative privacy culture.
• You challenge to ensure excellence, can disagree and commit, and are able to deliver tough messages to senior internal and external partners when needed.
• You have strong project management skills, with a track record of building and executing multi-month work plans across cross-functional teams.
• You are familiar with privacy management tools and technologies (e.g., OneTrust, Transcend, or similar), GRC platforms, and workflow/ticketing systems.
• You bring a technology-forward mindset, including comfort with AI/ML concepts and an interest in leveraging automation to improve compliance program efficiency.
• You function well in a high-paced environment and can prioritize tasks and delegate appropriately.
• Proficient with Microsoft Office Suite, Google Workspace, Slack, or related productivity software.

• Bachelor's degree required; J.D., CIPP/US, CIPP/E, CIPM, or CIPT certification strongly preferred.
• 7+ years of experience in privacy, data protection, compliance, or a related legal function, with at least 2 years focused on privacy compliance in a technology or SaaS company.
• Experience with privacy compliance in a B2C or direct-to-consumer context, including marketing and communications channels (email, SMS, push), is highly preferred.
• Experience with privacy-by-design reviews, DPIAs, and data subject rights processes at scale preferred.
• Prior experience at a publicly traded company is a plus.