Do Abandoned Cart Emails Require Consent Under GDPR?
Abandoned cart emails sit in a legal grey area under GDPR. But to answer the question: it depends on how you collected the email address and what legal basis you’re relying on.
If the customer gave their email address during the checkout process but didn’t complete the purchase, you may be able to send follow-up emails without consent. This is possible under the soft opt-in rule in Regulation 22(3) of PECR (the UK’s Privacy and Electronic Communications Regulations), or its EU equivalent under the ePrivacy Directive. But that rule comes with strict conditions, and it only covers direct marketing by electronic means, not GDPR’s broader data processing requirements.
GDPR adds a second layer. Even if PECR allows the send, you still need a lawful basis under GDPR Article 6 for processing the personal data involved. Most businesses use legitimate interests — but that requires a balancing test, and it doesn’t always pass.
This article breaks down both layers, when each applies, and what ecommerce businesses actually need to do to stay compliant.
What counts as personal data in an abandoned cart scenario?
An email address entered at checkout is personal data under GDPR
When a customer types their email address into a checkout form — even if they never complete the purchase — that email address is personal data under GDPR Article 4(1). It identifies, or is reasonably capable of identifying, a living individual, which is the threshold that triggers the GDPR’s application.
The fact that the transaction was abandoned does not change this. The moment the email address is captured by your system, you are processing personal data. It does not matter that no order was placed, no account was created, and no contract was concluded. Processing began when the data entered your server.
This means GDPR applies in full from that point. You need a lawful basis under Article 6 to hold the data, to use it, and to send any follow-up communication based on it. The incomplete purchase does not create a gap in GDPR’s coverage — it only affects which lawful basis you can plausibly rely on, which is a separate question covered below.
Does GDPR require consent specifically for abandoned cart emails?
Consent is one option, not a requirement
GDPR does not require consent specifically for abandoned cart emails. Consent is one of six lawful bases listed in Article 6(1), and businesses are free to rely on a different basis where it genuinely applies. For abandoned cart emails, most businesses rely on legitimate interests under Article 6(1)(f) rather than consent — provided they can demonstrate that their interest in sending the email is not overridden by the individual’s rights and expectations.
That said, GDPR is not the only law that applies here. Abandoned cart emails are electronic direct marketing, which means the ePrivacy Directive also applies — and in the UK, its domestic equivalent, PECR. These rules operate alongside GDPR, not inside it. You can satisfy GDPR’s lawful basis requirement and still breach ePrivacy rules, or vice versa. Both frameworks need to be considered independently.
Under the ePrivacy Directive and PECR, the default rule for electronic marketing to individuals is that consent is required. However, there is a specific exception — commonly called the soft opt-in — that allows businesses to send direct marketing emails without consent in limited circumstances. That exception is where most abandoned cart email compliance turns on, and it is covered in detail below.
What is the soft opt-in, and when does it apply?
The soft opt-in lets you email existing customers without fresh consent
The soft opt-in is an exception to the default consent requirement for electronic direct marketing. In the UK, it comes from Regulation 22(3) of PECR. At the EU level, it sits in Article 13(2) of the ePrivacy Directive. Both versions allow a business to send marketing emails to individuals without obtaining prior consent, provided specific conditions are met.
The rule exists because there is a recognised difference between cold outreach to a stranger and a follow-up communication to someone who has already engaged with your business. A customer who started a checkout on your site is not in the same position as someone who has never heard of you. The soft opt-in reflects that distinction — but it does not remove all restrictions.
Who exactly does soft opt-in apply to?
The soft opt-in is not available for general marketing to people who have simply browsed your site, added items to a cart without entering any contact details, or whose email address you obtained through a third party. It applies only where the individual qualifies as an existing customer.
In the abandoned cart context, this means the customer must have provided their email address directly to you — typically by entering it at the checkout stage. A person who abandoned a cart before reaching the email field does not qualify. Neither does someone whose email you obtained from a data broker or a partner. The relationship has to be direct, and the data has to have come from the individual themselves in the context of an actual or attempted transaction with your business.
Three conditions that must be met for soft opt-in to apply
The soft opt-in only applies when these three conditions are satisfied at the same time:
First, the customer must have provided their contact details in the context of a sale or negotiation of a sale of a product or service. Entering an email address at checkout — even in an incomplete transaction — can satisfy this, provided the details were given in a commercial context and not merely to receive information or access a resource.
Second, you can only market similar products or services to those involved in the original transaction or enquiry. This easily covers the specific items left in the cart, and it can also cover reasonably related products from your brand. However, you cannot use it to cross-sell fundamentally unrelated services or pass the data to a different company or brand; the communication must stay within the reasonable expectations of what that specific business sells.
Third, the customer must have been given a clear opportunity to opt out of marketing at the point their details were collected — and at every subsequent communication. If your checkout form did not include an opt-out option, or if your emails do not carry an unsubscribe mechanism, the soft opt-in does not apply regardless of whether the other conditions are met.
All three conditions are cumulative. Satisfying two out of three is not enough.
What happens when the conditions aren’t met
When the soft opt-in conditions are not met, and no valid consent exists, sending a marketing email is a breach of PECR in the UK or the applicable ePrivacy rules in EU member states. And there are enforcement precedents for such violations.
In 2021, the ICO fined We Buy Any Car Limited £200,000 for sending millions of marketing emails to customers who had entered their details to get a vehicle valuation but did not complete a transaction. The We Buy Any Car case involved individuals initiating an online journey, not cold outreach, and the ICO still found a breach. The ruling confirmed that initiating a process does not automatically satisfy the soft opt-in conditions. The company failed because it did not provide a clear opportunity to opt out of marketing at the exact moment the contact details were typed into the form, instead only offering an unsubscribe option in later emails. Each condition must be independently met, and the choice to object must be provided at the point of collection without exception.
What happens if the customer doesn’t complete their purchase?
The soft opt-in may not apply — and you need a different lawful basis
Whether the soft opt-in applies to an incomplete purchase depends on how far through the checkout process the customer got. The condition requires that contact details be provided in the context of a sale or a sale negotiation. If the customer entered their email address at the checkout stage before abandoning, there is a reasonable argument that a negotiation of a sale was underway. If they never reached the email field at all, that argument does not hold.
Even where the email was captured, regulators and courts have not definitively confirmed that an abandoned checkout qualifies as a negotiation of a sale in every case. In its guidance, the ICO acknowledges the soft opt-in but stops short of providing a clear ruling on incomplete transactions specifically. This means businesses relying on the soft opt-in for abandoned cart emails are operating in an area where the legal position is not fully settled. The safer approach is to treat an incomplete purchase with caution and not assume the soft opt-in applies automatically.
Explicit consent at checkout is the cleanest solution
If you want certainty, the most defensible position is to obtain explicit consent at the checkout stage before sending any abandoned cart email. This means including a clearly worded opt-in — not pre-ticked or buried in terms and conditions — that specifically covers marketing communications. Under GDPR Article 7, consent must be freely given, specific, informed, and unambiguous. A checkbox stating something like “Send me a reminder if I don’t complete my order” satisfies this, provided it is genuinely optional and separate from the purchase process.
Consent collected this way covers both GDPR and ePrivacy requirements in a single step. It removes the ambiguity around the soft opt-in and gives you a documented lawful basis that is straightforward to demonstrate to a regulator if challenged.
Legitimate interests is an option but requires a separate assessment
Where consent has not been collected, and the soft opt-in does not clearly apply, legitimate interests under GDPR Article 6(1)(f) may still be available — but it is not automatic. It requires a documented legitimate interests assessment, and it does not override ePrivacy rules.
Using legitimate interests for abandoned cart emails
Legitimate interests under GDPR Article 6(1)(f) is the lawful basis most businesses reach for when they do not have consent and the soft opt-in does not clearly apply. Recital 47 of GDPR explicitly recognises direct marketing as a legitimate interest, which gives this basis a stronger footing than many assume. But Recital 47 does not make legitimate interests automatic. It simply confirms that direct marketing can qualify — whether it actually does in a specific case depends on passing a three-part assessment.
1. The purpose test
The first question is whether you have a genuine and real legitimate interest in sending the abandoned cart email. Recovering a lost sale is a recognised commercial interest, and Recital 47 supports this directly. For most e-commerce businesses, the purpose test is the easiest part of the assessment to satisfy. The interest is real, it is specific, and it is not trivial.
2. The necessity test
The second question is whether sending the email is necessary to achieve that purpose. Necessary under GDPR does not mean indispensable — it means that the processing is a targeted and proportionate way of achieving the goal, and that you could not reasonably achieve the same result through a less intrusive means. For an abandoned cart email, the necessity test is generally satisfied. There is no less intrusive way to remind a specific customer about their specific cart than to contact them directly.
3. The balancing test
The third question is the hardest. You must weigh your legitimate interest against the individual’s reasonable privacy expectations, rights, and freedoms. This is where the assessment is most likely to fail, and also where the existing customer versus prospect distinction matters most.
i) Existing customer who entered their email at checkout
Where the customer provided their email address during the checkout process, there is a reasonable expectation that the business may follow up. The individual was actively engaged in a transaction in which they chose to enter their details, and a single follow-up email about the items they left behind is unlikely to come as a surprise. In this scenario, the balancing test has a reasonable chance of passing, particularly for a single, timely email sent shortly after the abandonment.
ii) Prospect who never reached the checkout
Where the individual never entered their email address during the session — for example, where the email was obtained through a previous interaction, a newsletter signup, or a third-party source — the balancing test becomes significantly harder to pass. The person did not signal any intention to purchase, did not provide their details in a transactional context, and has a stronger reasonable expectation that their data will not be used to follow up on browsing behaviour.
The legitimate interests basis weakens the further someone is from a completed purchase. A customer who abandoned at the payment stage is in a different position from someone who browsed a product page and left. The assessment must reflect that distinction — and a single LIA template applied to all abandoned cart scenarios is unlikely to withstand regulatory scrutiny.
What does a compliant abandoned cart email actually require?
Getting the lawful basis right is only part of compliance. Even where the soft opt-in applies, or a legitimate interests assessment passes, the email itself and the processing around it must meet additional requirements under GDPR and ePrivacy. These are conditions that apply to every abandoned cart email regardless of which lawful basis you rely on.
1. A clear unsubscribe option in every message
Every abandoned cart email must include a clear and functional mechanism for the recipient to opt out of future marketing communications. This is a requirement under Regulation 22(3)(c) of PECR in the UK and the equivalent provision of the ePrivacy Directive in EU member states. It applies whether or not the customer has previously opted out, and it applies to every individual email — not just the first one in a sequence.
The unsubscribe mechanism must work. A link that is broken, buried in small print, or that requires the recipient to log into an account to action it does not satisfy the requirement. Once an opt-out is received, you must stop sending marketing emails to that individual. Continuing to send after an opt-out has been received is one of the most common reasons regulators take enforcement action, as the We Buy Any Car case confirmed.
2. Content scoped to the abandoned cart and similar products
Where you are relying on the soft opt-in, the content of the email must stay within the scope of what the customer was already considering. You can remind them of the items in their cart. You can reference similar or related products in the same category. You cannot use the abandoned cart email as an opportunity to market an unrelated product line or promote a general sale that has nothing to do with the items they left behind.
This requirement comes directly from the similar products or services condition in the soft opt-in rule. Straying outside that scope does not merely weaken your soft opt-in reliance; it removes it entirely. If your abandoned cart emails include content that goes beyond the cart and similar items, you need a separate lawful basis for that additional marketing content.
3. Your privacy notice must cover this processing
Under GDPR Articles 13 and 14, individuals must be informed about how their personal data is being used at the point of collection or as soon as reasonably practicable. If you are capturing email addresses at checkout and using them to send abandoned cart emails, that processing must be described in your privacy notice in clear and specific terms.
A generic statement that you may use data for marketing purposes is not sufficient. The notice should explain that email addresses entered during checkout may be used to follow up on incomplete purchases, the lawful basis you are relying on, how long the data will be retained, and how the individual can object or unsubscribe. If your privacy notice does not currently cover abandoned cart processing specifically, it needs to be updated before you send any emails.
4. A defined data retention period for cart data
GDPR Article 5(1)(e) requires that personal data be kept no longer than necessary for the purpose for which it was collected. For abandoned cart data, this means you need a defined and documented retention period that is tied to the purpose of sending the follow-up email.
Holding a customer’s email address and cart data indefinitely on the basis that they might return is not compatible with the storage limitation principle. A short retention window — typically a few days to a few weeks, depending on your business context — is more defensible than an open-ended one. Once the retention period expires, the data should be deleted or anonymised. That retention period should be documented in your records of processing activities under GDPR Article 30 and disclosed in your privacy notice.
GDPR abandoned cart email compliance checklist
This checklist covers the minimum requirements for sending abandoned cart emails that are compliant with both GDPR and the ePrivacy Directive. It is not a substitute for legal advice, but it reflects the core obligations covered in this article and gives you a practical starting point for an internal compliance review.
1. Lawful basis
- You have identified a lawful basis under GDPR Article 6(1) for processing the customer’s email address — either consent, legitimate interests, or another applicable basis
- If relying on legitimate interests, you have completed and documented a legitimate interests assessment covering the purpose, necessity, and balancing tests
- If relying on the soft opt-in, you have confirmed that all three conditions are met: the email was collected in a transactional context, the email content relates to similar products or services, and an opt-out opportunity was provided at the point of collection
2. Consent — where applicable
- Consent was obtained through a clear, affirmative opt-in at checkout — not a pre-ticked box
- The consent request was specific to abandoned cart follow-up communications, not bundled with general terms
- A record of consent is stored and can be produced if challenged
3. The email itself
- Every abandoned cart email includes a clear, functional unsubscribe link
- Opt-out requests are actioned promptly and result in no further marketing emails being sent
- Email content is scoped to the abandoned cart items and similar products — not used as a vehicle for unrelated promotions
4. Transparency
- Your privacy notice specifically describes abandoned cart email processing, including the lawful basis, retention period, and the individual’s right to object or unsubscribe
- The privacy notice was accessible to the customer at the point their email address was collected
5. Retention
- You have a defined and documented retention period for abandoned cart data
- Cart data is deleted or anonymised once the retention period expires
- The retention period is documented in your Article 30 records of processing activities
6. Ongoing compliance
- You have a process for honouring opt-out requests across all marketing systems — not just the abandoned cart tool
- Your abandoned cart email programme is included in your data protection impact assessment process, where the processing is likely to result in high risk to individuals
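The checklist above can be encoded as a send-eligibility gate so that the marketing system, not an individual operator, enforces the cumulative conditions. The following is an added example written for this article, not the author's or any vendor's code: it checks the suppression list first, enforces a retention window, accepts an explicit consent record, and otherwise requires all three soft opt-in conditions plus a documented legitimate interests assessment before allowing a send. The record layout, field names, the 14-day retention window, the category-based notion of "similar products" and all sample data are assumptions constructed for the example.

```python
"""Send-eligibility gate for abandoned cart emails (illustrative, not the article's code)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional

# Assumed retention window; the real one must be documented in Article 30 records.
RETENTION = timedelta(days=14)


@dataclass(frozen=True)
class CartRecord:
    email: str
    captured_at: datetime                 # when the address was entered at checkout
    collected_at_checkout: bool           # given directly to us in a sale/negotiation context
    opt_out_offered_at_collection: bool   # opt-out shown on the checkout form itself
    cart_categories: frozenset            # categories of the items left in the cart
    explicit_consent_at: Optional[datetime] = None  # affirmative opt-in, if recorded
    lia_documented: bool = False          # a legitimate interests assessment is on file


@dataclass(frozen=True)
class Decision:
    allowed: bool
    basis: Optional[str]
    reason: str


def retention_expired(record: CartRecord, now: datetime) -> bool:
    """Storage limitation (Art. 5(1)(e)): data older than the window must go."""
    return now - record.captured_at > RETENTION


def purge_expired(records: Iterable[CartRecord], now: datetime) -> list:
    """Return only the records still inside the retention window."""
    return [r for r in records if not retention_expired(r, now)]


def eligible_to_send(record: CartRecord, email_categories: Iterable[str],
                     suppression_list: Iterable[str], now: datetime) -> Decision:
    addr = record.email.strip().lower()
    suppressed = {s.strip().lower() for s in suppression_list}
    # Opt-outs are honoured before any basis is even considered.
    if addr in suppressed:
        return Decision(False, None, "recipient has opted out")
    if retention_expired(record, now):
        return Decision(False, None, "retention period expired; delete the record")
    # Explicit consent covers both GDPR and ePrivacy in one step.
    if record.explicit_consent_at is not None:
        return Decision(True, "consent (Art. 6(1)(a))", "affirmative opt-in recorded at checkout")
    # Soft opt-in: all three conditions are cumulative.
    if not record.collected_at_checkout:
        return Decision(False, None, "address not collected in a sale or sale negotiation")
    if not record.opt_out_offered_at_collection:
        return Decision(False, None, "no opt-out offered at the point of collection")
    if not set(email_categories) <= set(record.cart_categories):
        return Decision(False, None, "email content goes beyond the cart and similar products")
    # PECR permits the send, but GDPR still needs its own basis: a documented LIA.
    if not record.lia_documented:
        return Decision(False, None, "soft opt-in met but no documented LIA for the GDPR basis")
    return Decision(True, "soft opt-in + legitimate interests (Art. 6(1)(f))",
                    "all three soft opt-in conditions met and LIA on file")


# Constructed sample data for the example.
NOW = datetime(2024, 5, 1, 12, 0, tzinfo=timezone.utc)
SUPPRESSION = {"optedout@example.com"}
SAMPLE = {
    "consented": CartRecord("a@example.com", NOW - timedelta(days=1), True, True,
                            frozenset({"shoes"}), explicit_consent_at=NOW - timedelta(days=1)),
    "soft_opt_in": CartRecord("b@example.com", NOW - timedelta(days=2), True, True,
                              frozenset({"shoes", "socks"}), lia_documented=True),
    "no_optout": CartRecord("c@example.com", NOW - timedelta(days=1), True, False,
                            frozenset({"shoes"}), lia_documented=True),
    "stale": CartRecord("d@example.com", NOW - timedelta(days=30), True, True,
                        frozenset({"shoes"}), lia_documented=True),
    "opted_out": CartRecord("OptedOut@example.com", NOW - timedelta(days=1), True, True,
                            frozenset({"shoes"}), lia_documented=True),
}

if __name__ == "__main__":
    for name, rec in SAMPLE.items():
        d = eligible_to_send(rec, {"shoes"}, SUPPRESSION, NOW)
        print(f"{name:12} allowed={d.allowed!s:5} basis={d.basis} ({d.reason})")
    print("records kept after purge:", len(purge_expired(SAMPLE.values(), NOW)))
```

The ordering is deliberate: the suppression check runs first so that an opt-out received through any channel blocks the send regardless of which basis would otherwise apply, and the retention check runs before any basis is evaluated so that expired records can never be used even if they have not yet been purged.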
Bottom line
Abandoned cart emails are a legitimate and effective marketing tool. GDPR and the ePrivacy Directive do not prohibit them — they just require you to be deliberate about how you collect data, what basis you rely on, and how you handle the people who don’t want to hear from you.
The businesses that run into trouble are rarely the ones trying to do something egregious. They are usually the ones who assume an existing customer relationship was enough, or who copied a competitor’s checkout flow without checking whether the legal groundwork was actually in place. The Amex case is a useful reminder that scale does not equal compliance, and that regulators will look at the mechanics of how marketing is sent, not just the intent behind it.
If you are unsure whether your current abandoned cart setup meets the standard, the checklist above is a reasonable starting point. But the underlying question — which lawful basis applies, and whether your LIA would withstand scrutiny — is worth getting proper advice on if your email volumes are significant or your customer base spans multiple EU member states.