What does GDPR mean to emailing and e-commerce? How to do it right

🕒 8 min.

What is GDPR?

It means General Data Protection Regulation. It is a regulatory process that establishes the rules for how all European residents’ data must be managed. It impacts the handling of data pertaining to everything, which can go from medical history to financial records to internet activity.

GDPR's 6 main principles

There is still plenty for shop owners to be aware of. So let’s get familiar with GDPR.

What does GDPR mean to emailing and ecommerce?

Let’s find out how this regulations affects our ecommerce and email campaigns:

GDPR & Emailing

When the GDPR started, some people said it would be the end of email marketing, or the end of email spam. But it was not. Let’s make some things clear. Spam is always against the law, because it is an email you send without the prior permission of your customers, so it goes against the terms of use of most providers. The GDPR took effect in May 2018, but you still received spam emails since then, right?

And concerning to email marketing, the GDPR’s job is not to ban this type of communication, because it is not anti-business, but pro-consumer. A marketing email should be something people would like to receive in their inbox, something they are interested about. The only thing that the GDPR says is that the consent must be clear, and that organizations should ask for an affirmative opt-in to be able to send them. 

If a marketing email contains one or more of the following, it will be considered spam and will be violating the GDPR:

  • does not contain the  unsubscribe button
  • it is sent to random people who have not signed up for it
  • it doesn’t advertise a product or service related to one that the receiver uses

GDPR & eCommerce

It is the same with ecommerce. You’ll need to apply the necessary changes to make it GDPR-friendly. All consent must be explicit on your website (always being able to prove what the customer has consented to) because you’re also playing with people’s data. Failure to do so could incur fines of up to €20 million or 4 percent of annual turnover from the previous year.

The purpose of GDPR is not to make it more difficult for you to sell; it’s to give consumers greater control over who collects their personal data, what it is used for and how they’re keeping it safe. A Consumer Privacy study by TRUSTe/NCSA found that 92% of online customers cite data security and privacy as a concern. Furthermore, according to a report published by the Chartered Institute of Marketing57% of consumers don’t trust brands to use their data responsibly. So make sure you use it wisely.

Why is it relevant to abandoned cart emails?

Abandoned cart emails count as promotional (unnecessary, or non-transactional) emails.

So you must have clear consent from the data subjects (subscribers, existing customers, etc.) agreeing to receive promotional emails from you. If they don’t agree and you still send them abandoned cart emails, you will be breaking the regulation.

How can you have their permission?

I’m sure you have seen a message like the one below underneath the signup form of almost every website you have visited and create an account:

“Yes, please subscribe me to the [brand] newsletter to receive regular updates on new products, offers, and other promotions.”

In most cases, if you don’t click on it, you cannot have access to the site. It’s a little trick that most ecommerce businesses use to make sure they can collect data from their visitors.

Are standard abandoned cart emails GDPR compliant?

As we said, according to the GDPR, abandoned cart emails are an example of Direct Marketing which is a legitimate interest. So, in order to send an email to someone, there has to be a previous confirmation from the customer; the mail cannot be unsolicited. 

You will be able to mail if this is your lawful basis but you will need to comply with the principle of demonstrated accountability right from the first mail you send.

Usually, abandoned cart emails comply with the GDPR and the PECR (Privacy and Electronic Communications Regulations), following these steps:

1. Obtain consent: You must reflect clearly that you will send future communications or that the user’s data will be processed under the legitimate interest basis.

2. The unsubscribe option: Always include a bottom with the option to unsubscribe from your emails. If the customer asks you to not send more emails, you must comply. 

3. Registered address: There should be a registered address accompanying the email.

4. Objections: It may be the case that the client wants to file an objection, so this section must be available, and should be positioned apart from the rest of the information. 

How to make them compliant 

When customers enter and sign up on your website to purchase a product, you have to ensure you are following GDPR compliance on your future communications, within which we find abandoned cart emails. So we recommend you follow these steps:

Keep consent requests separate from other terms & conditions.​

Under GDPR, email consent needs to be separate. Don’t mix the usual terms and conditions with consent, make sure it is visible in another block of the message in which you specify they will receive these types of emails.

Consent requires a positive opt-in

A customer must actively confirm their explicit consent in order for this to be valid under the GDPR; for example, clicking an unchecked opt-in box. There are some cases where these boxes are already checked, assuming the customer’s consent, but these are not valid under GDPR, so it’s better for you not to use them. 

How-to and how-not-to do an opt-in box

Who? When? How?

You have to be able to provide proof of: 

  • Who consented
  • When they consented
  • How they consented (e.g., during checkout, via Facebook form, etc.)
  • What they were told at the time of consent
  • Whether they have withdrawn consent

Make it clear and easy for people to withdraw consent

Tell them how to do it. If they don’t want to receive more emails from your company, they should have this option. They may get tired of receiving the same abandoned cart email every two days, so each email you send must include the option to unsubscribe.

Opt-out option example

Every opt-out option should have these practices:

  • Don’t charge a fee
  • Don’t require more information than an email address
  • Don’t make subscribers get lost visiting many pages visit to submit their request
  • Don’t require a log-in

Keep record of the consents

You don’t have to re-collect consent every time they visit your website. If they already give you their consent, this means that they are likely to receive emails from you, including abandoned cart emails, any time you want. So check your consent practices and your existing consents.

Is this only for European Union?

The GDPR applies to:

  1. A company or entity which processes personal data established in the EU, regardless of where the data is processed; or
  2. A company established outside the EU and is offering services or is monitoring the behaviour of individuals in the EU.

It is basically intended to protect privacy and data of citizens from the European Union. This means that any business around the world that collects information from an EU citizen is technically covered by GDPR. 

So for example, if you run a company in Europe and provide services to European customers; yes, the regulation applies to this. 

Also, if you run a company outside the EU but with European customers, the regulation would apply to this.

But, if you run a company outside the European Union and your customers are not European citizens, then the regulation does not apply.

Things to avoid

If your organization needs to be compliant with the GDPR, there are some common misconceptions to avoid and take into account to get rid of penalties.  

Using data for different purposes 

You have asked your customers for their data because of certain reasons, and they have given you their permission for this. If you use this data for something you don’t have permission for, it will have a negative impact on your company’s reputation.

Not having a good database 

Customers’ data can disperse across the organization, having some of them in the cloud and some others on a local file. So it’s wise to implement a data lake where the entire organization can capture and reconcile personal data across systems and sources. 

Thinking it only applies to companies based in the EU

As we said before, even if your company is in a country outside the EU but treats with European clients, this regulation still applies to you.

Thinking it’s just data protection

It is not. It is about allowing the Data Subject (customer, prospect or employee) to take control of their data and specify their consent preference by opting in or out to personalized services, ask to be forgotten, etc.

Not taking GDPR into account because data was collected before

Whether or not your customer’s data was collected before or after GDPR was enforced (May 2018), it applies to you. This means that consent agreements must be well checked wherever possible. If there is any doubt, then it is better not to use it.

Leave a Comment