
Are Abandoned Cart Emails GDPR Compliant? (Updated!)

Osman Husain 2/23/23 5:00 PM


Abandoned shopping carts are about as disappointing as a date that gets canceled at the last minute on a beautiful Saturday night. 

While it is tempting and necessary to encourage your prospects to come back to your store to complete their purchase by sending them emails, you should still consider GDPR compliance for abandoned cart emails.

American Express Services was recently fined £90,000 under the GDPR for sending 4 million unsolicited emails, and it is vital to do your due diligence to avoid similar fines.

In this article we'll answer: 

  • Are abandoned cart emails GDPR compliant?
  • How can your eCommerce store send abandoned cart emails in a GDPR-compliant way?
  • What does the GDPR say about abandoned cart emails?
  • Can you store email addresses under GDPR?

Ready to learn how to avoid costly mistakes while sending your customers' emails? Keep on reading!

And if you're curious to learn more about email compliance laws in general, we recommend you check out our guide to email laws and regulations around the world.


Are Abandoned Cart Emails GDPR-compliant?

Yes, abandoned cart emails are GDPR compliant. The specific law you need to comply with when sending abandoned cart emails is the ePrivacy Directive. Under the ePrivacy Directive, you can send abandoned cart emails to individuals without consent because those individuals were already interested in a transactional relationship with your company.

Is it legal to send abandoned cart emails?

You can send abandoned cart emails in a GDPR-compliant fashion as long as you have a lawful basis to do so. While you can either obtain your prospects' consent or rely on legitimate interest, relying on the legitimate interest ground to justify your email marketing campaign is the more appropriate choice.

Collecting your customers' email addresses, names and other personal details, and then using those addresses to send abandoned cart emails, both fall within the scope of the GDPR.

This is because each of them, the collection of the data and the later use of the email addresses, is a data processing activity under the GDPR.

Before sending abandoned cart emails, you must first identify a lawful basis to justify sending these emails.

GDPR defines six separate legal bases in article 6, including 'consent' and 'legitimate interest.' 

One common misconception prevalent amongst marketers is that consent is superior to all other legal bases provided under the GDPR, and that you must therefore always ask for consent before sending marketing emails to prospects.

Contrary to what some marketers believe, GDPR does not set a hierarchy between different legal bases, so you can choose to rely on other legal bases such as legitimate interest instead of asking for consent.

There is no reason or benefit in relying on consent and losing your prospects when you do not have to.

Put simply, you do not need the consent of your prospects before sending them abandoned cart emails as long as you satisfy the requirements of another lawful basis such as legitimate interests.

GDPR itself confirms that marketers can rely on legitimate interests instead of asking for consent for direct marketing:

"The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

Furthermore, the UK's privacy regulator, the ICO, has explicitly stated in its Direct Marketing Guidance that sending emails to individuals who have an existing relationship with a business, or who are in the sales process, can be lawful on the legitimate interests ground under the GDPR.

However, just like consent, the legitimate interests ground is subject to strict rules, so you first need to make sure that you comply with the GDPR requirements for relying on legitimate interests.


How to Apply the 3-Part Legitimate Interest Assessment

You need to conduct the three-step Legitimate Interest Assessment we define below and demonstrate that you satisfy every step. When you pass this assessment, you can send abandoned cart emails in a GDPR-compliant manner without needing consent.


The Purpose Test

You need to specify the legitimate interest in sending abandoned cart emails.

Sending abandoned cart emails falls under direct marketing, and direct marketing constitutes legitimate interest. 

While drafting your legitimate interest assessment, you can refer to the soft opt-in under the ePrivacy Directive and explain that you qualify for it because your prospects shared their email address during the sales process.


The Necessity Test

You need to demonstrate that sending out abandoned cart emails is necessary and proportional to achieve the legitimate interest you identified in the first step.

In this step, you need to show that there is no less intrusive and equally effective direct marketing method than email, and that the number of emails you send and the collection of email addresses are proportionate to the legitimate interest you are trying to achieve.

For example, you can refer to reliable studies and surveys that prove the high ROI of email campaigns in recovering abandoned carts.

Limiting the number of emails sent and not spamming your prospects is also essential in assessing the proportionality of the use of emails.



The Balancing Test

You need to balance your legitimate interests against your prospects' rights and freedoms and ensure that their rights do not override your legitimate interests.

In this step, you need to consider whether your email campaign is intrusive on your prospects and whether they would expect to receive such emails.

Considering that your prospects already showed strong interest in your products to the degree that they added items to their carts and shared their contact details, it is reasonable to assume that they would not be surprised by abandoned cart emails.

However, you need to clearly explain in your privacy policy that you collect email addresses and that you may use them to send abandoned cart emails reminding customers of their cart and inviting them to complete their purchase.

Being transparent in your email marketing campaigns will eliminate any uncertainty and help you satisfy this step.

Another thing to keep in mind is that the number of emails you send matters: The fewer emails you send, the more likely the balancing test will be in your favour.


What Does GDPR Say About Abandoned Cart Emails?

When your customers (the data subjects) visit your website, choose products and provide details such as their names, email addresses and phone numbers, the GDPR applies to that processing of personal data.

In the next step, you use the email address of your customers that abandoned the checkout page before completing the order and send them an email.

This is where it gets tricky because sending marketing emails to consumers in the EU is subject to the GDPR and another set of laws that you should be aware of, the ePrivacy Directive.


What is the ePrivacy Directive?

The ePrivacy Directive is an EU directive that sets rules on sending electronic communications, including emails such as abandoned cart emails, to EU consumers.


Therefore, you need to comply with both the GDPR and the ePrivacy Directive when sending abandoned cart emails.

In the next section, we will explain how to comply with the ePrivacy Directive and then explain GDPR compliance and abandoned cart emails.


Are Abandoned Cart Emails ePrivacy Directive Compliant?

To send your customers abandoned cart emails in compliance with the ePrivacy Directive, you can rely on one of these two methods:

Customer Consent 

Under the Directive, you can freely send abandoned cart emails to your customers so long as you obtain their explicit consent.

Consent must be specific, freely given and informed. Applying these criteria to abandoned cart emails, your customers must expressly consent to receiving emails about every online cart they have created. In other words, you cannot satisfy the consent criteria just by obtaining consent to general marketing emails.

Given that a significant chunk of your customers can simply ignore your request to send them cart emails, you may end up with fewer customers to retarget with abandoned cart emails. 

Luckily, there is an alternative mechanism to consent called soft opt-in, and it allows you to send abandoned cart emails in compliance with the ePrivacy Directive.

The Beauty Chef Email Opt-in

Soft Opt-in for Email

When your customers fill out a form and add items to their cart, they are in the last stage of the online checkout process. 

Fortunately, the ePrivacy Directive recognizes that since customers provided their email addresses in the course of a sale, it is reasonable to allow businesses to send marketing emails without obtaining specific consent.

In other words, you can send abandoned cart emails under the ePrivacy Directive because you collected the email addresses during the checkout process. However, you must also satisfy the following requirements to comply:

  • The email relates only to the customer's cart.
  • The email includes a simple way to opt out.

As long as both requirements hold, you satisfy the ePrivacy Directive's soft opt-in conditions.


Can You Store Email Addresses Under GDPR?

Yes, companies can store email addresses under GDPR rules. The GDPR does not define a specific minimum or maximum retention period for email addresses, but it requires that all personally identifiable data be stored only for as long as necessary to achieve the purpose for which it was collected or processed in the first place.

Do You Have to Delete Emails Under GDPR?

Companies have a legal obligation to scrub their email lists when the addresses no longer serve the purpose for which they were originally collected.

For example, if you've noticed a segment of your customers that haven't bought from you in years, it's definitely a good idea to delete them from your email list. And if you've pivoted into a different product or service, you can safely assume that your legacy email subscribers won't be interested in that, either.


Can You Send Cold & Unsolicited Email Under GDPR?

Sending unsolicited messages, like cold email, is legal under GDPR regulations. That's because GDPR only concerns itself with the processing of personal data and how that's handled. It does not place any restrictions on attempting to communicate with other organizations via email. 

The only caveat here is that you must obtain the email addresses legally. Buying them as part of an email list is not allowed. If you make it clear that the email address was acquired publicly, for example via a company website or LinkedIn page, that's perfectly fine under GDPR tenets.


The Curse Of Abandoned Carts In Ecommerce

The world of eCommerce has gone through drastic changes over the past few years. Not only are consumers constantly looking for cheaper options, but they are also considering other factors such as the delivery time and shipping costs before making a purchase. 

Add to that how easy it is for your customers to get distracted by all the noise in the digital environment, and it is no wonder that you face an uphill battle to get your customers to complete their order and check out.


What is An Abandoned Cart?

An abandoned shopping cart refers to a scenario in eCommerce, where your customer leaves the checkout page before completing the purchase.

Whether the reason is high shipping costs, a change of heart, a long delivery time or payment security concerns, abandoned carts mean lower conversion rates for eCommerce businesses and lost revenue.

According to recent research conducted by Forrester, abandoned shopping carts cost eCommerce businesses $18 billion each year worldwide.

Given that almost 70% of all potential customers abandon their carts before checking out, recovering even a small percentage of these customers can help boost revenues significantly for eCommerce businesses.

To convert these prospects into customers, eCommerce businesses use various methods such as retargeting, push notifications, text messages, personal outreach and abandoned cart emails.

One of the most effective ways of recovering these lost customers is an automated abandoned cart email sequence.

In fact, according to a recent report published by Klaviyo, with a 41% open rate and around 10% click rate, abandoned cart emails can help eCommerce businesses recover as much as 15% of lost revenue.

The same report also demonstrates that the timeliness of the email and the relevance of the content play a vital role in winning back customers and getting them to complete the checkout process. 

For example, sending two or three emails within the first few hours or days after the abandonment and making the subject line and body of the email more relevant by reminding recipients that they left something behind or adding emojis boosted the performance significantly. 

Example Abandoned Cart Email Sequence:

  • 1 hour passed: Email #1
  • 1 day passed: Email #2
  • 3 days passed: Email #3

On average, the e-commerce businesses that participated in this research earned almost $6 per abandoned cart email recipient. If you multiply the revenue per email recipient by the number of emails sent, often in the thousands, it is not hard to see why abandoned cart emails are highly effective.
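The soft opt-in conditions (address collected during checkout, cart-only content, a simple opt-out that is honoured), the bounded sequence above (1 hour, 1 day, 3 days) and the retention rule from the "Do You Have to Delete Emails Under GDPR?" section can all be enforced at the point where an email is about to be sent. The following Python is an added illustration written for this article, not code from the article's author or from any email platform. The contact record, its field names, the sample contacts and the two-year staleness cutoff (the article only says "years") are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

# Send schedule taken from the article's example sequence: 1 hour, 1 day, 3 days after abandonment.
SEQUENCE = [timedelta(hours=1), timedelta(days=1), timedelta(days=3)]

# Retention cutoff for dormant contacts. The article only says "years"; two years is an assumption.
STALE_AFTER = timedelta(days=730)


@dataclass
class Contact:
    """Constructed contact record; the field names are assumptions, not any real platform's schema."""
    email: str
    collected_at: datetime            # when the address was first collected
    collected_at_checkout: bool       # soft opt-in requires collection in the course of a sale
    opted_out: bool = False           # set when the recipient used the opt-out link
    last_purchase: Optional[datetime] = None
    cart_abandoned_at: Optional[datetime] = None
    emails_sent: int = 0              # how many emails of the sequence have already gone out


def next_send_due(contact: Contact, now: datetime) -> bool:
    """True when the next email of the sequence is due and the sequence is not exhausted."""
    if contact.cart_abandoned_at is None or contact.emails_sent >= len(SEQUENCE):
        return False
    return now >= contact.cart_abandoned_at + SEQUENCE[contact.emails_sent]


def may_send_cart_email(contact: Contact, now: datetime,
                        body_is_cart_only: bool, has_opt_out_link: bool) -> Tuple[bool, str]:
    """Soft opt-in gate: each check is one of the conditions the article lists."""
    if not contact.collected_at_checkout:
        return False, "address was not collected during the checkout process"
    if contact.opted_out:
        return False, "recipient has opted out"
    if not body_is_cart_only:
        return False, "email content must relate only to the abandoned cart"
    if not has_opt_out_link:
        return False, "email must include a simple way to opt out"
    if not next_send_due(contact, now):
        return False, "no email is due under the sequence"
    return True, "ok"


def purge_stale(contacts: List[Contact], now: datetime) -> Tuple[List[str], List[str]]:
    """Retention scrub: returns (kept, removed) email addresses. A contact is stale when its
    most recent activity (collection, purchase or abandoned cart) is older than STALE_AFTER."""
    kept, removed = [], []
    for c in contacts:
        activity = [t for t in (c.collected_at, c.last_purchase, c.cart_abandoned_at) if t is not None]
        if now - max(activity) > STALE_AFTER:
            removed.append(c.email)
        else:
            kept.append(c.email)
    return kept, removed


# Constructed sample data so the module runs stand-alone.
NOW = datetime(2023, 2, 23, 17, 0, tzinfo=timezone.utc)
SAMPLE = [
    Contact("fresh@example.com", NOW - timedelta(hours=2), True,
            cart_abandoned_at=NOW - timedelta(hours=2)),
    Contact("optout@example.com", NOW - timedelta(days=1), True, opted_out=True,
            cart_abandoned_at=NOW - timedelta(days=1)),
    Contact("newsletter@example.com", NOW - timedelta(days=30), False,
            cart_abandoned_at=NOW - timedelta(days=2)),
    Contact("dormant@example.com", NOW - timedelta(days=1200), True,
            last_purchase=NOW - timedelta(days=900)),
]

if __name__ == "__main__":
    for c in SAMPLE:
        print(c.email, may_send_cart_email(c, NOW, True, True))
    print(purge_stale(SAMPLE, NOW))
```

The gate returns a reason string rather than a bare boolean so that a refused send can be logged; those refusal logs are what you would point to when demonstrating the proportionality and opt-out handling discussed in the assessment sections. The retention scrub keeps a contact alive on any recent activity, so a recently abandoned cart is not deleted just because the customer has never purchased.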

While you may be tempted to send out an email within the first few hours after the abandonment and personalize the email with conversion-driven copy, it is best to be diligent in running your email campaign in a GDPR-compliant way. 

If you send abandoned cart emails in violation of the GDPR, all the revenue you gain from your email campaign may be wiped away, because GDPR fines can be as much as 20 million euros.

Privacy Law Fines






Osman Husain

Osman is the content lead at Enzuzo. He has a background in data privacy management via a two-year role at ExpressVPN and extensive freelance work with cybersecurity and blockchain companies. Osman also holds an MBA from the Toronto Metropolitan University.