Are abandoned cart emails GDPR compliant?
Abandoned carts have been a crucial remarketing tactic for a long time. In fact, abandoned cart emails drive almost 30% of all eCommerce revenue, boasting a 41% open rate and 10% click-through rate.
Given around 7 in 10 potential customers abandon their carts before checking out, re-engaging even a small percentage of them through these emails can boost revenues significantly for eCommerce businesses, recovering as much as 15% of lost revenue.
GDPR has changed the rules of the game, however, meaning eCommerce sites can no longer treat abandoned carts as open-season for remarketing e-shots. Despite these new regulations around marketing being in full force for years, many businesses and brands still have unanswered questions, and not knowing the answers to them can have serious financial consequences, not to mention the bad press – with well over half (57%) of consumers not trusting brands to use their data responsibly as it is.
Article 4.11 of the GDPR states that consent must be “free, specific, informed and unambiguous”, and that any infringement of this rule may result in fines of up to €20 million or 4% of annual revenue whichever is larger. Understanding how GDPR affects abandoned cart emails will help you stay compliant and prevent paying hefty fines.
Let’s take a closer look at GDPR and how it has affected abandoned cart email marketing. It’s time for some eCommerce myth-busting.
What is an ‘abandoned cart’ and are they GDPR Compliant?
Abandoned carts at the last hurdle can be just as disappointing for eCommerce businesses as a Saturday night date that cancels on you at the last minute just when you got your hair the way you like it.
Online shoppers leave their shopping carts empty before completing their purchases for a variety of reasons, some of which are completely out of your control. But it's clear from the data that contacting people who merely forgot or got preoccupied has developed into a tried-and-true method of satisfying customers and enhancing your bottom line.
So, what has changed and how? Basically, you can keep sending emails to users who have abandoned carts as long as they want you to and have explicitly consented to it. This isn't such a bad thing, especially if you're embracing the spirit of GDPR (you know, not invading people’s privacy and being an irritant) and not just the letter of the law, or legislation.
While it is tempting and necessary to encourage your prospects to come back to your store to complete their purchase by sending them emails, you should still consider GDPR compliance for abandoned cart emails.
Take it from American Express, who were recently fined £90,000 under the GDPR for sending 4 million unsolicited emails, emphasizing why it’s vital to exercise caution to avoid penalties that can have a big negative impact on your business.
To make sure you don’t fall on the wrong side of GDPR when it comes to abandoned cart emails and avoid costly mistakes when sending them, we'll answer two key questions:
· Are abandoned cart emails GDPR compliant?
· How can you send GDPR-compliant abandoned cart emails from your eCommerce store?
What Does GDPR Say About Abandoned Cart Emails?
In theory, everyone should be able to agree that data privacy is important. But how does retargeting customers who leave their shopping carts relate to user data, privacy, and GDPR? Actually, the method of remarketing is more of a compliance concern than the remarketing concept itself.
To remind users that they have "abandoned" items in their shopping cart, the majority of websites that engage in this practice will simply send them an email. Sure, it seems harmless enough, but you broke the law by not being upfront and honest about how you got the user's email address in the first place. Furthermore, you didn't make it clear how that email address would be used.
In other words, GDPR states that just because a user enters their email address on an order form, it does not automatically provide you permission to use that address to get in touch with them for marketing purposes.
Keeping track of consent
Requiring consent
The flurry of opt-in emails, forms, cookie pop-ups, and advertisements seen all over the internet is one of the repercussions of the GDPR. Whether welcome or not, GDPR consent laid the groundwork for such changes. It meant that businesses had to get customers' permission before gathering and using their personal information.
Businesses are required under GDPR to establish a legitimate reason for handling customer personal data. Any action taken on personal data, including collection, recording, storage, adaptation or alteration, restriction erasure, etc., is considered processing under the GDPR. It encompasses all uses of personal data, not simply those involving your customers.
What does this mean for your business? The user must give their opt-in consent before receiving any marketing or sales communications, including newsletters, push notifications, SMS, marketing calls, and yes, abandoned cart emails.
Getting express consent?
Consent is one of the lawful bases for data processing. A definite affirmative action should accompany GDPR permission, demonstrating that it was freely given, specific, informed, and unambiguous. Also, consent requests must be written in plain, understandable language and be "clearly distinguishable from the other matters."
Express consent is given when a person actively agrees to do or receive something. In the case of email marketing, this most often occurs when someone signs up through one of your online signup forms. You must have someone's explicit consent to receive your email marketing campaigns to have their authorization to send them emails.
There are various ways you can make this easier, such as through a sign-up form for your newsletter on your website. Whatever method you choose, the key to acquiring express consent is, to be honest about the fact that they are signing up for your email list and will receive emails from you, regardless of the technique you employ to get their email address.
A subscribe pop-up or lightbox on your website is a perfect example of this. The pop-up box must make it clear that, by entering your email address into the form, you are subscribing to their email list and will be receiving email campaigns from them.
What if they want to withdraw consent?
GDPR consent also needs to be revocable, meaning it should be as easy to withdraw consent as to give it via the consent form, emails, privacy policy, etc. A company should therefore have easy-to-use and reliable processes for consent withdrawal. You should inform people of their right to withdraw consent at the same you collect it, and you should provide them with simple methods to do so.
For example, you could call upon a “You are receiving this email because…” permission reminder, in essence, a brief paragraph in an email footer that helps recipients recall how you got their email address. It can lessen spam complaints and requests to unsubscribe.
An appropriate permission message is something like: “You are receiving this email because you’re a customer or signed up via our [source]”.
Requiring Legitimate Interest (If There Is No Consent)
Legitimate Interest is one of the 6 lawful bases for processing personal data and is especially relevant for marketing communication. Even while consents are a foolproof basis for data processing, some situations, including direct marketing, don't necessarily call for them.
Recital 47 of the UK GDPR states:
“…The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.”
Let’s look at an area where legitimate interest applies often to eCommerce companies – namely, direct marketing. Cart abandonment emails sent without consent are often accepted in the marketing industry to be GDPR compliant due to legitimate interest.
You have a genuine interest in contacting the customer to assist them in completing their transaction when you gather their email during the course of a sale. Emails sent after a customer abandons their shopping cart are seen as a type of interaction that helps them complete their transaction.
A person expresses interest in purchasing from you by adding items to their cart. You can use their legitimate interest to send a cart abandonment email if you already have their email address without the customer's permission.
However, a link to unsubscribe or opt-out must be included in your email. This guarantees that the customer can choose not to receive your cart abandonment emails in the future.
Record explicit permission
After ‘Legitimate Interest’, the second—and probably most reasonable— way to keep sending abandoned cart emails is to keep a record of the user's consent. This may first seem like a significant obstacle to overcome, but there are various ways you can overcome it to support your marketing efforts.
“Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.”
This means consent must be documented, meaning it’s vital that eCommerce businesses keep records to demonstrate that the individual gave consent and how – including what they said, when, and how they were informed.
The GDPR takes great care to ensure that the user must be aware of what they are consenting to, so don't be tempted to hide a checkbox and include some sneaky fine print. This means you can’t trick someone into opting-in to receive emails to avoid compliance problems.
However, there are a few marketing techniques that can help eCommerce businesses:
· You can create personalized pop-ups that ask customers to opt-in when they move their cursor over the shopping window's taskbar or are about to close the window.
· Design a checkbox or opt-in feature that is prominent and catches the user's attention as they start their shopping experience.
· Create a form that users can fill out at the beginning of the purchasing process to indicate whether they want to receive emails for remarketing or emails about things they have in their cart.
· Promote this specific remarketing strategy as a feature. Give users the option to get emails when the price of an item changes, for instance, when they add it to their shopping cart.
· Use your other forms to collect data and offer opt-in options for remarketing and empty-cart emails. For instance, present a form that explicitly requests consent to contact about abandoned carts when someone signs up for your email newsletter.
Every time a potential customer visits your website, you do not need to get their consent again. If they've already permitted you, you can likely send them emails at any time, including ones about abandoned carts. Check your consent processes and already granted consents.
Is sending cart abandonment emails still allowed under GDPR?
GDPR is without a doubt changing the way businesses around the world—not just in the EU— are handling user data, including email addresses. This means that your remarketing efforts around abandoned shopping carts also need to change.
But ultimately, if you have consent, cart abandonment emails are GDPR compliant. Without consent, you may rely on legitimate interest as they are categorized as direct marketing which basically states that provided you have good reason to believe the recipient will be interested in what you have to say and benefit from it, you have the green light to send it.
With a bit of creativity on your part, and certain website tweaks and techniques, you should be able to continue sending emails to customers who have abandoned carts – as long as they want you to.
Emails sent in response to cart abandonment can be excellent for persuading customers to stick around. They can be huge drivers in increasing conversions and boosting revenue.
However, we highly advise you to avoid taking any chances and to be very upfront and precise when asking users for their permission before launching any kind of automated cart abandonment campaign.
How does Snowplow help you remain GDPR compliant while optimizing your prospect email lists?
Snowplow is a behavioral data analytics tool which collects the most granular and accurate data and sends it to your cloud storage location - i.e. data warehouse or lake - as part of the Modern Data Stack. A behavioral ‘event’ might be anything from clicking on a link to moving place in a call center line.
The power of Snowplow comes from the meticulous organization and accuracy of the behavioral event data collected, which can be used to create a customer 360 by recording every touchpoint on their journey from top-of-funnel prospect to product interactions, and clearly distinguishing each user from the next. Most importantly, this can be done in a fully-compliant way, as compliance is at the heart of the design of our tool. (Snowplow is actually fully private SaaS, meaning the tool itself is deployed in your private cloud.)
User stitching
Snowplow allows for user stitching with unprecedented accuracy. Our tool collects a user ID, with consent as the basis, unless the user is logged in and so has self-identified. We are able to stitch user journeys across devices and sessions. Packaged analytics tools simply cannot do this, as they have inaccurate sessionization and user identification. With Snowplow, you get user level tables straight out of the box, which literally walk you through a user’s actions on site.
Recording basis for tracking with each behavioral event
With Snowplow’s ‘basis for tracking’ contexts, you can record a full GDPR context (or other regulatory framework) with each event. When it comes to modeling the data, your tech team can easily find out which data is compliant and show this in the event of an audit. What would have taken months to do retrospectively becomes a quick job. If consent is ever removed – no problem. The basis for consent is also tracked and all the user’s information is organized in one place