7 min read

Abandoned Cart Emails Under GDPR: What Changed

Written by Andriy Boychuk

    When the GDPR went into effect, companies around the world had to make changes. But what changed for abandoned cart emails?

    Learning about abandoned cart GDPR concerns can help you ensure that you are compliant. It can also help you understand why certain best practices for abandoned cart emails exist.

    Take a closer look at GDPR and how it has affected this type of email marketing.

    Abandoned Cart GDPR: What Is GDPR? Why Did It Pass? Who Does It Affect?

    Before exploring cart abandonment GDPR compliance, take a moment to understand GDPR.

    GDPR stands for General Data Protection Regulation. It is enforced in the European Union and went into effect on May 25, 2018.

    Although the GDPR technically only affects the EU and companies that operate there, most companies made changes for all customers, including those outside the EU.

    This was a simpler process than maintaining multiple websites, email campaigns, or other relevant processes.

    What Is GDPR?

    Simply put, the GDPR is the strictest privacy and security law anywhere in the world.

    It enforces strict standards for security and privacy.

    The penalties for breaking GDPR can be tens of millions of euros, so companies want to avoid them.

    Why Did It Pass?

    The GDPR was passed to protect the privacy of EU citizens.

    Who Does It Affect?

    As mentioned, the GDPR technically only affects citizens and residents of the European Union.

    However, most companies found it easier to just apply the changes across their entire structure. This means that people outside of the EU also gained protections from the GDPR.

    You could spend days reading through the legalese of the GDPR.

    But if you just want an answer to “Are abandoned cart emails GDPR compliant?”, we will summarize everything you need to know.

    Cart Abandonment GDPR: What Does GDPR Change for Abandoned Cart Emails?

    Start by taking a look back at May 2018 and what changes have affected abandoned cart GDPR compliance.

    Requiring Consent

    Perhaps the biggest change to abandonment emails, and email marketing in general, was requiring consent from customers.

    You need “explicit consent” to legally be able to send these marketing emails.

    Requiring Legitimate Interest (If There Is No Consent)

    GDPR lets businesses use data about customer email addresses if they can show that these customers have a legitimate interest.

    Keep in mind that this is only required if you don’t have explicit consent.

    It requires a Legitimate Interest Assessment.

    During that assessment, you have to prove that abandoned cart emails benefit your customers.

    This is obviously very challenging, which is why nearly every abandoned cart email relies on consent instead.

    How to Make Your Abandoned Cart Email GDPR Compliant

    So, how do you incorporate GDPR into your abandoned cart emails?

    There are some crucial characteristics that any abandoned cart GDPR compliant email will meet.

    Checklist: Are Abandoned Cart Emails GDPR Compliant?

    To confirm that your abandoned cart emails are GDPR compliant, confirm that they meet the GDPR checklist:

    •     Recipients expressed consent
    •     Recipients can opt out
    •     You can show legitimate interest (if you don’t have consent)
    •     Your automation tool is GDPR compliant
    •     You audited your system after GDPR went into effect

    Have Customers Express Consent

    As mentioned, one of the most important changes with the GDPR is that customers have to express consent to receive marketing emails, including for abandoned carts.

    Importantly, the GDPR requires this to be a deliberate opt-in. That means that you cannot pre-check a box on a form and require users to uncheck it to opt out.

    By contrast, having them check a box should be fine.

    You don’t want to take shortcuts with consent, as you need to be able to prove it.

    Some good options for getting consent include:

    •     Customized pop-ups
    •     A part of the registration form
    •     A highly visible feature or checkbox early on in shopping
    •     An opt-in during the checkout process
    •     An addition to other opt-ins, such as for your newsletter

    Getting explicit consent does not need to be hard, either. You can also offer incentives to users who opt in to abandoned cart emails.

    Options include discounts, free items, coupons, free shipping, or low-price guarantees.

    Make It Easy to Opt-Out

    Your abandoned cart emails have likely had an unsubscribe button for years; it is simply a best practice.

    GDPR requires a simple opt-out mechanism like that, so don’t get rid of the button.


    Confirm Your Automated Tool Is Compliant

    Nearly every single eCommerce site uses an automated email tool of some sort for their abandoned cart emails. Remember that your automated system has to follow the GDPR rules for you to be compliant.

    The good news is that, by now, most automated systems fit this requirement. Even so, it is smart to confirm.

    Audit Old Contact Information

    Remember that GDPR also applies to any data that you collected before it went into effect.

    This means that if you send abandoned cart emails, GDPR compliance is essential, regardless of when you got the contact information.

    As such, you need to confirm that all of the information already in your database is GDPR compliant.

    During the audit process, the most important thing to check is that you have explicit evidence of consent from users.

    If you don’t have explicit consent from someone, remove their information from your email list.

    Remember that under GDPR, you may have to prove the consent. This means that making sure you have proof of consent will prevent large potential fines.

    Using Legitimate Interest Instead of Consent

    As mentioned, you can get around the requirement for consent under GDPR if you can prove that there is a legitimate interest for your customers.

    The problem is that you would need to complete a Legitimate Interest Assessment, which is complicated.

    To start, you will need to build a sizable paper trail to pass the Legitimate Interest Assessment. It will also likely be very expensive.

    Even with the high costs and levels of paperwork, there is no guarantee that you will receive your exception.

    Because of the difficulty, most companies find it easier and smarter to get explicit consent for abandoned cart emails.


    There is no simple answer to the question “Are abandoned cart emails GDPR compliant?”

    They can be compliant, but for that to be the case, you need to get explicit consent and make it easy for the recipients to opt out.

    Abandoned cart GDPR compliance is not hard to achieve, and most automated systems are now compliant.
