Are Abandoned Cart Emails GDPR Compliant?

Abandoned shopping carts are about as disappointing as a date that gets cancelled at the last minute on a beautiful Saturday night. 

While it is tempting and necessary to encourage your prospects to come back to your store to complete their purchase by sending them emails, you should still consider GDPR compliance for abandoned cart emails.

American Express Services was recently fined £90,000 under the GDPR for sending 4 million unsolicited emails, and it is vital to do your due diligence to avoid similar fines.

In this article we'll answer: 

  • Are abandoned cart emails GDPR compliant? 
  • How can your eCommerce store send abandoned cart emails in a GDPR-compliant way? 

Ready to learn how to avoid costly mistakes while sending your customers emails? Keep on reading!


TL;DR: Are Abandoned Cart Emails GDPR-compliant?

  • When it comes to compliance with EU Laws for sending abandoned cart emails, you need to comply with the ePrivacy Directive and the GDPR.
  • Under the ePrivacy Directive, you can send abandoned cart emails to individuals without consent because individuals were already at the end of your sales funnel.

  • You can send abandoned cart emails in a GDPR-compliant fashion as long as you have a lawful basis to do so. While you can either obtain your prospects' consent or rely on legitimate interest, relying on legitimate interest grounds to justify your email marketing campaign is more appropriate.

  • You need to conduct the three-step Legitimate Interest Impact Assessment we define below and demonstrate that you satisfy all the steps. When you meet this Legitimate Interest Assessment, you can freely send abandoned cart emails in a GDPR-compliant manner without needing consent.


The Curse Of Abandoned Carts In Ecommerce

The world of eCommerce has gone through drastic changes over the past few years. Not only are consumers constantly looking for cheaper options, but they are also considering other factors such as the delivery time and shipping costs before making a purchase. 

Add to that how easy it is for your customers to get distracted by all the noise in the digital environment, and it is no wonder that you face an uphill battle to get your customers to complete their order and check out.


What is An Abandoned Cart?

An abandoned shopping cart refers to a scenario in eCommerce, where your customer leaves the checkout page before completing the purchase.

Whether the reason is high shipping costs, a change of heart, late delivery time or payment security concerns, abandoned carts mean lower conversion rates for eCommerce businesses and result in a loss of revenue.

According to recent research conducted by Forrester, abandoned shopping carts cost eCommerce businesses $18 billion each year worldwide.

Given that almost 70% of all potential customers abandon their carts before checking out, recovering even a small percentage of these customers can help boost revenues significantly for eCommerce businesses.

To convert these prospects into customers, eCommerce businesses use various methods such as retargeting, push notifications, text messages, personal outreach and abandoned cart emails.

One of the most effective ways of recovering these lost customers is automated abandoned cart email sequences.

In fact, according to a recent report published by Klaviyo, with a 41% open rate and around 10% click rate, abandoned cart emails can help eCommerce businesses recover as much as 15% of lost revenue.

The same report also demonstrates that the timeliness of the email and the relevance of the content play a vital role in winning back customers and getting them to complete the checkout process. 

For example, sending two or three emails within the first few hours or days after the abandonment and making the subject line and body of the email more relevant by reminding recipients that they left something behind or adding emojis boosted the performance significantly. 

Example Abandoned Cart Email Sequence:

  • 1 hour passed: Email #1
  • 1 day passed: Email #2
  • 3 days passed: Email #3

On average, the e-commerce businesses that participated in this research have earned almost $6 per abandoned cart email recipient. If you multiply the revenue per email recipient by the number of emails sent, often in thousands, it is not hard to see why abandoned cart emails are highly effective.

While you may be tempted to send out an email within the first few hours after the abandonment and personalize the email with conversion-driven copy, it is best to be diligent in running your email campaign in a GDPR-compliant way. 

If you send abandoned cart emails in violation of the GDPR, all the revenue you get from your email campaign may get wiped away because GDPR fines can be as much as 20 million euros.

Let's now turn to the million-dollar question: 

  • Are abandoned cart emails allowed under the GDPR? 
  • If so, what should you do to run your marketing campaign in compliance with the GDPR?


What Does GDPR Say About Abandoned Cart Emails?

When your customers (data subjects) visit your website, choose products and provide their details such as their names, email addresses and phone numbers, GDPR rules apply to the processing of personal data in this way.

In the next step, you use the email address of your customers that abandoned the checkout page before completing the order and send them an email.

This is where it gets tricky because sending marketing emails to consumers in the EU is subject to the GDPR and another set of laws that you should be aware of, the ePrivacy Directive.


What is the ePrivacy Directive?

The ePrivacy Directive is an EU Directive that sets rules on sending electronic communications, including emails such as abandoned cart emails, to EU consumers.


Therefore, you need to comply with both the GDPR and the ePrivacy Directive when sending abandoned cart emails.

In the next section, we will explain how to comply with the ePrivacy Directive and then explain GDPR compliance and abandoned cart emails.


Are Abandoned Cart Emails ePrivacy Directive Compliant?

To send your customers abandoned cart emails in compliance with the ePrivacy Directive, you can rely on one of these two methods:

Customer Consent 

Under the Directive, you can freely send abandoned cart emails to your customers so long as you obtain their explicit consent.

Applying these criteria to abandoned cart emails, your customers must expressly consent to receive emails about every online cart they have created. However, the consent must be specific, freely given and informed. In other words, you cannot satisfy the consent criteria just by obtaining consent to general marketing emails.

Given that a significant chunk of your customers can simply ignore your request to send them cart emails, you may end up with fewer customers to retarget with abandoned cart emails. 

Luckily, there is an alternative mechanism to consent called soft opt-in, and it allows you to send abandoned cart emails in compliance with the ePrivacy Directive.

Soft Opt-in for Email

When your customers fill out a form and add items to their cart, they are in the last stage of the online checkout process. 

Fortunately, the ePrivacy Directive recognizes that since customers provided their email addresses in the course of a sale, it is reasonable to allow businesses to send marketing emails without obtaining specific consent.

In other words, you can send abandoned cart emails under the ePrivacy Directive because you collected email addresses during the checkout process. However, you should also satisfy the following requirements to comply:

As long as the email only relates to customers' cart and includes a simple way to opt-out, you satisfy ePrivacy Directive requirements. 

Your customer may choose to make a subject access request (SAR) in which they are requesting you to delete their data, or

Alongside the ePrivacy Directive, you should also follow GDPR rules on abandoned cart emails.

Let's now look at what the GDPR has to say on this.


Are Abandoned Cart Emails GDPR Compliant?

Collection of emails, names and other personal details of your customers and the subsequently abandoned cart emails all fall under the scope of the GDPR.

This is because both the collection of this data and the use of email addresses to send abandoned cart emails are data processing activities under the GDPR.

Before sending abandoned cart emails, you must first identify a lawful basis to justify sending these emails.

The GDPR defines six separate legal bases in Article 6, including 'consent' and 'legitimate interest.'

One common misconception prevalent amongst marketers is that consent is superior to all other legal bases provided under the GDPR, and that you must always ask for consent to send marketing emails to prospects.

Contrary to what some marketers believe, GDPR does not set a hierarchy between different legal bases, so you can choose to rely on other legal bases such as legitimate interest instead of asking for consent.


After GDPR came into force in 2018, a significant number of marketers fell into the misconception that they needed consent from all their existing customers to comply with the GDPR even though it was not necessary and ended up with significant shrinkage of their valuable prospect lists.

There is no reason or benefit in relying on consent and losing your prospects when you do not have to.

Put simply, you do not need the consent of your prospects before sending them abandoned cart emails as long as you satisfy requirements for other lawful bases such as legitimate interests.

GDPR itself confirms that marketers can rely on legitimate interests instead of asking for consent for direct marketing:

"The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

Furthermore, the UK's privacy authority, the ICO, has explicitly stated in its Direct Marketing Guidance that sending emails to individuals who had an existing relationship with a business or are in the sales process can be lawful on the legitimate interests ground under the GDPR.

However, just like consent, the legitimate interests ground is also subject to strict rules, so you first need to make sure that you comply with GDPR requirements for reliance on legitimate interests.


How To Lawfully Run Your Abandoned Cart Emails

You may think: so far so good. Relying on legitimate interests to run your abandoned cart email campaign and achieve high ROI saves you from asking for consent, frustrating your prospects and ending up with fewer prospects to send emails to due to opt-outs.

While the legitimate interests ground is more flexible than consent and gives you more power over the personal data you collect and your email campaigns, it comes with overhead: you still need to satisfy the requirements to rely on legitimate interest. It does not automatically make it lawful to send as many emails to your prospects as possible without giving them the ability to opt out.

To lawfully run your email marketing campaigns and convert your prospects into customers, you need to conduct a 3-Part Legitimate Interest Assessment that Data Protection Authorities recommend.


How to Apply the 3-Part Legitimate Interest Assessment



The Purpose Test

You need to specify the legitimate interest in sending abandoned cart emails.

Sending abandoned cart emails falls under direct marketing, and direct marketing constitutes legitimate interest. 

While drafting your legitimate interest assessment, you can refer to soft opt-in under the ePrivacy Directive and explain how you comply because your prospects share their email in the sales stage.



The Necessity Test

You need to demonstrate that sending out abandoned cart emails is necessary and proportional to achieve the legitimate interest you identified in the first step.

In this step, you need to show that there are no less intrusive and equally effective direct marketing methods than emails, and that the number of emails you send and the collection of email addresses are proportional to the legitimate interest you are trying to achieve.

For example, you can refer to reliable studies and surveys that prove the high ROI of email campaigns in recovering abandoned carts.

Limiting the number of emails sent and not spamming your prospects is also essential in assessing the proportionality of the use of emails.



The Balancing Test

You need to balance your legitimate interests against your prospects' rights and freedoms and ensure that their rights do not override your legitimate interests.

In this step, you need to consider whether your email campaign is intrusive on your prospects and whether they would expect to receive such emails.

Considering that your prospects already showed strong interest in your products to the degree that they added items to their carts and shared their contact details, it is reasonable to assume that they would not be surprised by abandoned cart emails.

However, you need to clearly explain in your privacy policy that you collect email data and that you can send abandoned cart emails to your customers to remind them of their cart and invite them to complete their purchase.

Being transparent in your email marketing campaigns will eliminate any uncertainty and help you satisfy this step.

Another thing to keep in mind is that the number of emails you send matters: The fewer emails you send, the more likely the balancing test will be in your favour.
