The General Data Protection Regulation (GDPR) has disrupted the digital landscape by introducing new rules on the management and security of personal data. This legislation affects data at every stage: collection, processing, storage and updating.
Firstly, consent is the basis of this regulation, and collecting email addresses through a simple acceptance step is no longer enough. In addition to obtaining consent, you must also have a process for maintaining (and being able to prove) it. This applies not only to new subscribers to your newsletter but to any other transactional communication, including cart abandonment emails.
According to Article 4(11) of the GDPR, consent must be "freely given, specific, informed and unambiguous". This means that passive subscription (a pre-ticked box indicating that the user agrees to receive communications) is prohibited. Most importantly, you must be able to prove that consent was given, hence the value of a double opt-in (confirmation email) process on your site.
How do I know that I have consent to send transactional emails?
Before setting up any new automation or sending transactional emails, audit your current database. The GDPR applies not only to data collected after it came into force in May 2018 but also to data collected before that date. So, while auditing your subscribers, you should:
- Delete inactive contacts
- Make an inventory of the data you hold (geographic, sociodemographic information, etc.)
- Check the origin of the addresses collected
- Confirm that you hold evidence of consent for each address
In the context of the GDPR, you must verify whether you have kept a record of the origin of your contacts. Did they come from voluntary participation, for example a form on your website? You should be able to know, and demonstrate, how each contact arrived in your database.
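The two requirements above, double opt-in with proof of consent and an audit trail showing where each address came from, can be implemented together. The following Python sketch is an added example and is not code from the original page or any product it describes: it signs the confirmation link with an HMAC so it cannot be forged, ties each link to one pending request so it cannot be replayed, and stores a consent record (source, timestamps, IPs, privacy-notice version) that can later be produced as evidence or used to audit a mailing list. The signing key, the 24-hour link lifetime, the record fields and the sample addresses are all assumptions.

```python
import base64
import binascii
import hashlib
import hmac
import json
import secrets
from dataclasses import asdict, dataclass
from typing import Dict, List, Optional

# Assumption: in production the key comes from a secret store and is rotated;
# this constant exists only so the example runs offline.
SECRET_KEY = b"example-signing-key-rotate-me"
TOKEN_TTL_SECONDS = 24 * 3600  # assumption: confirmation links expire after one day


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).decode().rstrip("=")


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def make_confirmation_token(email: str, issued_at: int, nonce: str) -> str:
    """Build the token embedded in the confirmation link (second step of double opt-in)."""
    payload = json.dumps({"email": email, "iat": issued_at, "nonce": nonce}, sort_keys=True).encode()
    return _b64(payload) + "." + _sign(payload)


def parse_confirmation_token(token: str, now: int) -> Optional[dict]:
    """Return the token payload if its signature is valid and it has not expired, else None."""
    try:
        body, mac = token.rsplit(".", 1)
        payload = _unb64(body)
    except (ValueError, binascii.Error):
        return None
    if not hmac.compare_digest(_sign(payload), mac):  # constant-time comparison
        return None
    data = json.loads(payload)
    if now - data["iat"] > TOKEN_TTL_SECONDS:
        return None
    return data


@dataclass
class ConsentRecord:
    """The evidence of consent kept for one address (fields are an assumption)."""
    email: str
    source: str                 # where the address was collected, e.g. "web_form:/newsletter"
    requested_at: int
    request_ip: str
    policy_version: str         # which privacy notice the subscriber was shown
    nonce: str                  # binds the confirmation link to this request
    confirmed_at: Optional[int] = None
    confirm_ip: Optional[str] = None
    withdrawn_at: Optional[int] = None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def request(self, email: str, source: str, ip: str, policy_version: str, now: int) -> str:
        """Step 1: the form was submitted; store a pending record and return the link token."""
        nonce = secrets.token_hex(16)
        self._records[email] = ConsentRecord(email, source, now, ip, policy_version, nonce)
        return make_confirmation_token(email, now, nonce)

    def confirm(self, token: str, ip: str, now: int) -> bool:
        """Step 2: the link was clicked; accept only a fresh, unforged, unused token."""
        data = parse_confirmation_token(token, now)
        if data is None:
            return False
        rec = self._records.get(data["email"])
        # A stale or already-used link must not re-confirm (or confirm a different request).
        if rec is None or rec.nonce != data["nonce"] or rec.confirmed_at is not None:
            return False
        rec.confirmed_at, rec.confirm_ip = now, ip
        return True

    def withdraw(self, email: str, now: int) -> None:
        """Unsubscribe / objection: keep the record, but mark consent as withdrawn."""
        rec = self._records.get(email)
        if rec is not None:
            rec.withdrawn_at = now

    def may_send(self, email: str) -> bool:
        rec = self._records.get(email)
        return rec is not None and rec.confirmed_at is not None and rec.withdrawn_at is None

    def evidence(self, email: str) -> Optional[dict]:
        rec = self._records.get(email)
        return asdict(rec) if rec is not None else None

    def audit(self, addresses: List[str]) -> List[str]:
        """Addresses on a mailing list for which no live, provable consent exists."""
        return [a for a in addresses if not self.may_send(a)]
```

The `audit` method is the programmatic form of the checklist above: any address it returns either never confirmed, has withdrawn, or was never recorded at all (an imported or purchased list), and should not be mailed until consent is established.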
Collect and use data
Cookie warning banners have already set the tone. Do the same with your emails and communicate transparently to the user about how you obtained their data and how you are using it. Don't forget to include an easy way to unsubscribe from any communication. The process must be clear and simple, and the unsubscribe link must be visible.
The legal implications
The GDPR also exists to penalise companies that misuse personal data, for example by selling email addresses to third parties. If you receive a complaint after sending a transactional email, rectify the situation and follow your user's request. Most importantly, if the person wants to be removed from your database and receive no further communication from you, do exactly that.
You may not need consent to send cart abandonment emails; it may be possible to rely on the legal ground of "legitimate interest". However, don't take chances: it is better if you have, or can obtain, explicit consent from your users to receive communications from you. Make subscribers feel confident about your policy and about how you use their personal data.
Abandoned cart emails are an example of direct marketing, which the GDPR recognises as a possible legitimate interest (Recital 47). You may mail on this lawful basis, but you must be able to demonstrate accountability from the very first email you send. To avoid any misunderstanding:
- The abandoned cart email should either offer a way to give consent for future communications or inform the user that their data is being processed on the legitimate interest basis
- The abandoned cart email must have an unsubscribe mechanism, because the right to object to direct marketing is absolute (Article 21): if a user asks you to stop sending it, you must
- The email should carry your registered business address
- The right to object should be stated clearly and separately from the other information