Do Abandoned Cart Emails Break The Law?


Posted On: Jul 09, 2018 By Tim

One of the biggest banes for eCommerce websites is abandoned carts. According to Statista, in 2017 the worldwide cart abandonment rate was 69.23% - that’s a lot of potential missed sales.

Abandoned shopping carts 2006-2017

There are a number of issues that can cause this, such as high postage costs, too long an expected delivery, or slow page speeds during checkout. These issues are within your control, with solutions such as offering free delivery, offering multiple delivery options, and speeding up checkout load times.

However, there are other reasons people will abandon their carts that are outside of your control, such as leaving the website to look for a coupon (and not returning), getting distracted and forgetting to finish checkout, or deciding to finish later (then forgetting).

In these situations, the potential for a sale was there, but then lost due to circumstances outside your control. Whatever the reason, there is a solution that’s been helping eCommerce store owners capture these lost sales.

What’s the solution?

The solution is cart abandonment emails.

This is where, if someone starts but does not complete an order, you follow up with an email a couple of days later with a helpful reminder that their order hasn’t been completed, coaxing them to come back and complete it.

There have been numerous success stories, where businesses have increased their sales using this technique.

However, since the GDPR has come into effect, it’s become a little more difficult to continue using this method.

The GDPR’s effect

Because you need a legal basis to collect and process someone’s personal data - in this case, their email address - collecting addresses and sending these types of emails is a little more difficult.

Gone are the days when you could take the email address from an incomplete order, simply to send an email reminding the person that there are items in the basket they haven’t ordered. You now need to be able to explain how and why you’re storing and using these email addresses.

But all hope is not lost. There might still be a way to continue to send abandoned cart emails that’s ok in the eyes of the GDPR, meaning that you can still increase your sales in this manner.

Can we still send abandoned cart emails?

First off, to be able to process someone’s email address to send an abandoned cart email, we need to be able to justify capturing it with one of the six legal bases available to us:

  • Consent
  • Contractual
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interest

From these, we’ll remove the ones that are wholly irrelevant and that we can’t use, so legal obligation, vital interests and public task (you can learn more about these on the ICO website). This leaves us with:

  • Contractual
  • Consent
  • Legitimate interests.

Now, are we able to use these? Or will we have to admit defeat, and leave the abandoned cart emails for good?

Let’s take a look:



The first legal basis is consent. This is fairly straightforward: the person placing the order says that you can contact them to do this. Simple enough.

However, under the legal basis of consent, the GDPR states in Article 4(11):

“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her;”

This means the person needs to freely agree to you contacting them in this way.

The good news is this is a possibility. If someone has signed up/registered an account on your eCommerce website, you could potentially use this to contact them about abandoned carts, as long as this is stated in your privacy policy and you provide them with an easy way to stop receiving these types of emails.

The bad news is that this would only apply to registered users; it will not apply to anyone checking out as a guest. The reason is that, at the point of abandoning the cart, they won’t have got to the point where they have given their consent to you contacting them.

You could force everyone who wants to place an order to create an account, but this offers people less choice, potentially pushing away the ones who do not wish to create an account. It will also make the checkout process longer, meaning more abandoned carts and fewer sales.



On an eCommerce site, you will likely be using the contractual legal basis for processing people’s personal data to fulfill orders - that is, taking their address, contact and payment details to process their payment and deliver what they’ve ordered.

So can we then use this as our legal basis for sending abandoned cart emails?

The answer, unfortunately, is no. The contractual basis only extends as far as their order. For the contract between you and your customer to be initiated, they need to have placed an order; until that point, you will not be able to use the contractual basis to contact them.

Legitimate interests

The most flexible of all the legal bases is processing for the purposes of legitimate interests. Article 6(1)(f) states:

“processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

This, in basic terms, means that as long as the interests or rights of the user do not supersede your decision to send the email, then you should be ok to send an abandoned cart email.

However, before deciding that this is all well and good and starting to send them under the basis of legitimate interests, you should be aware of what it says in Recital 47:

“a legitimate interest would need careful assessment including whether a data subject can reasonably expect at the time and in the context of the collection of the personal data that processing for that purpose may take place.”

So, would the person who abandons their cart reasonably expect to receive an abandoned cart email? As it says, you might want to conduct a legitimate interest assessment (LIA), to consider whether you are covered when processing someone’s personal data in this situation.

Taken from the ICO, their LIA is as follows:

First, identify the legitimate interest(s). Consider:

  • Why do you want to process the data – what are you trying to achieve?
  • Who benefits from the processing? In what way?
  • Are there any wider public benefits to the processing?
  • How important are those benefits?
  • What would the impact be if you couldn’t go ahead?
  • Would your use of the data be unethical or unlawful in any way?

Second, apply the necessity test. Consider:

  • Does this processing actually help to further that interest?
  • Is it a reasonable way to go about it?
  • Is there another less intrusive way to achieve the same result?

Third, do a balancing test. Consider the impact of your processing and whether this overrides the interest you have identified. You might find it helpful to think about the following:

  • What is the nature of your relationship with the individual?
  • Is any of the data particularly sensitive or private?
  • Would people expect you to use their data in this way?
  • Are you happy to explain it to them?
  • Are some people likely to object or find it intrusive?
  • What is the possible impact on the individual?
  • How big an impact might it have on them?
  • Are you processing children’s data?
  • Are any of the individuals vulnerable in any other way?
  • Can you adopt any safeguards to minimise the impact?
  • Can you offer an opt-out?

So there it is: you are able to process and use people’s emails to contact them regarding abandoned carts, as long as you are sure (and can show) that it is in the interest of the users, as well as your business interests. If you haven't checked it out already, here's our blog on A - Z of GDPR for Marketing.
