GDPR: What to consider for Abandoned Cart Emails

GDPR compliant Abandoned Cart Mails
Author: Haydar Yuece // 9min

As a shop owner, you'd like to win back shoppers by email after they've abandoned their shopping cart, and you're wondering how to design these mailings in a legally compliant manner? Do you want to find out what the existing laws, and in particular the General Data Protection Regulation (GDPR), require?

In this article, you'll learn how to implement mailings to shopping cart abandoners in a legally compliant manner in order to persuade customers to make a purchase after all. On the one hand, we deal with the GDPR, which regulates the handling of personal data (email addresses count as such). On the other, we also cover the German Unfair Competition Act (UWG), which regulates the sending of promotional emails.

A still widespread misunderstanding is that the GDPR replaces most of the previous national regulations. However, this is not the case. It merely supplements them. After all, many of the rules prescribed in the GDPR were already anchored in Germany’s national legislation before. Since email addresses fall under personal data, the GDPR affects abandoned cart emails in the same way as newsletter emails.

Legally compliant abandoned cart emails

Whether reminder emails, service emails or newsletters: naturally, emails may not simply be sent without further ado. Competition and data protection regulations govern the conditions for sending advertising emails as well as the “collection, processing and use of personal data”. Personal data is understood to be all information that can be used to establish a personal reference. This includes email addresses.

In order to avoid warnings, online shops would do well to comply with the legal provisions. Some rules for online shops regarding abandoned cart emails are derived from the GDPR and other data protection and competition law provisions. If shop operators observe these rules, purchase abandoners can be brought back into the purchase process in a legally compliant manner.


1. UWG: Sending Emails

GDPR-compliant abandoned cart emails without explicit consent

Shop owners don’t need express consent to send abandoned cart emails under one condition: This exception applies if the customer is already an existing customer within the meaning of Section 7 (3) UWG. In this case, online shops are allowed to send abandoned cart emails without a customer’s explicit consent.

In other words: if a customer relationship already exists, i.e. the customer has ordered at least once before from the online shop, they may be sent GDPR-compliant abandoned cart emails even without express consent. Further requirements are:

  • The email address may be used for direct advertising for one’s own similar goods or services. Here, of course, it depends on how similar the items are. It’s obvious that a pair of jeans is more similar to a jumper than to a washing machine.
  • The customer must not have objected to the use of their email address for this purpose (see right of revocation).
  • At collection and with each use, it must be clearly stated that the use can be objected to at any time. An objection option must be provided in every abandoned cart email to comply with the GDPR.

This law is also valid after the GDPR has come into force, as the Munich Higher Regional Court confirmed in a ruling.

Abandoned cart emails with explicit consent

As soon as one of the aforementioned conditions is not met, shop owners must obtain consent. Collecting email addresses and obtaining consent count as collecting personal data. They are therefore subject to legal provisions that must be observed. Both the UWG [Section 7 (2) No. 3 UWG] and the GDPR [Art. 6 (1) GDPR] require explicit consent. The only exception is existing customers.

2. GDPR for abandoned cart emails: Collection and processing of data

Obligation of the data controller to provide evidence

However, it’s not sufficient to merely obtain the data subject’s consent. In order to make abandoned cart emails GDPR compliant, consent must also be proven. In the GDPR, Art. 7(1) states in this regard:

“Where processing is based on consent, the Controller must be able to demonstrate that the data subject has consented to the processing of their personal data”.

Even though the GDPR does not prescribe a specific procedure, the double opt-in (DOI) offers a decisive advantage: it allows consent to be proven. In this procedure, an interested party gives their consent by actively clicking a checkbox on the website and then confirms it in an additional second step. This second step usually consists of a click within an email and makes the recipient's declaration of consent technically conclusive.

Duty of the controller to inform

Senders of GDPR-compliant abandoned cart emails must inform recipients about the collection and processing of personal data both at the time of consent (“Informed Consent”) and permanently on their website (“Privacy Policy”). Specifically, this involves the following information, which is set out in Art. 13 GDPR:

General information (one-time information at the time of collection)

  • Controller’s name & contact details
  • Reference to the rights of the data subject (e.g. revocation)
  • Data Protection Officer’s name and contact details
  • Right to lodge a complaint with the supervisory authority

Procedure-specific information (permanent information in the Privacy Policy)

  • Purpose of processing
  • Legal basis according to Art. 6 GDPR
  • Data storage period
  • Data recipient
  • Transfer to third country
  • Notification as to whether profiling takes place

Right of Revocation of the data subject

For the recipient, the GDPR makes its presence felt in particular in its revocation options. The possibility of revoking consent once it has been given is nothing new. In practice, a simple reference to the right of revocation isn’t sufficient. Rather, the so-called “simplicity requirement” must be observed. In the GDPR, Art. 7 (3) states in this regard:

“The data subject shall have the right to withdraw their consent at any time. […] The withdrawal of consent must be as straightforward as the granting of consent”.

Since consent is usually given with a simple click, a link must be included in every single abandoned cart email that allows for a simple one-click revocation.

Data processors or “Third Parties” within the meaning of the GDPR?

Whether Google Analytics, web hosts or e-commerce services, such as services for sending abandoned cart emails (ideally GDPR-compliant ones): in order to function in a technical sense and be economically successful, online shops make use of data processors. According to the GDPR, this refers to external service providers who are commissioned by an online shop to process personal data in accordance with instructions.

At this point, the GDPR distinguishes between data processors and so-called “third parties”. In contrast to “third parties”, data processors are permitted to collect and process personal data on the basis of a contract. The difference here is that the data processor is bound by instructions.

uptain provides GDPR-compliant solutions

With uptain, online merchants opt for an automated solution that uses abandoned cart emails to reach out to purchase abandoners and bring them back into the purchasing process. The entire solution is legally compliant and can be used in accordance with the GDPR: the shop operator decides which customer groups the abandoned cart emails may be sent to so that they remain GDPR compliant.

  • Abandoned cart emails are only sent to customers who have given their consent by means of a double opt-in or are existing customers and fall under Section 7 (3) UWG.
  • Users are given the opportunity to revoke their consent to the processing of their personal data in every abandoned cart email in accordance with Art. 21 GDPR and Art. 7 (3) UWG.
  • uptain acts as a data processor. As a result, uptain is not a “third party” within the meaning of the GDPR and is thus allowed to collect and process personal data on behalf of an online shop.
  • uptain makes available a data protection text as an example (see information obligation of the Controller).

In addition to the legal requirements, uptain offers a high level of data security, through …

  • Secure data management: The servers used comply with current security standards and protect all data from unauthorised access.
  • Encrypted data transmission: With the help of randomised IDs, the transmission of all data from the online shop to the servers used is encrypted.
  • Server location in Germany: The servers used are located in Frankfurt and are therefore subject to the security and data protection laws applicable in Germany.

GDPR compliant abandoned cart emails to reactivate shopping cart abandoners

Abandoned cart emails can be used to win back over 30% of shopping cart abandonments. Used correctly, the email is not perceived as advertising but as a service. To achieve this, the content and form of the email must first be tailored to the shopping cart abandoner.

In terms of content, GDPR-compliant abandoned cart emails can refer to products in the shopping cart, but also to the reason for abandonment, and provide appropriate solutions. Examples of this, besides the simple reminder email, are voucher codes for price-sensitive shopping cart abandoners or an offer of customer service for abandoners in need of assistance. In this way, aspects that might appear promotional are pushed into the background.
