
Most of us have at some point added products to a shopping cart in an online store and then not completed the purchase. The reasons vary: a high delivery price only visible in the cart, other additional costs, the lack of the expected delivery method or payment method for the order, a system error, an interruption in internet access, or simply changing our mind. In the end, we closed the website and did not remove the items from the cart. From the store’s perspective, a customer who does not return to the cart and complete the purchase represents a loss of potential profit. That is why online stores make efforts to encourage customers to return: they send a reminder about the abandoned cart, usually by e-mail, often supplemented with an additional incentive, e.g. in the form of a discount on purchases.
Taking the legal aspect into account, in such a situation we may ask two questions:
- Is such action compliant with GDPR?
- Is such action compliant with other regulations in force in Poland?
A reminder about abandoned carts is processing of personal data
Sending a reminder about an abandoned cart to a website user involves processing at least their e-mail address. There is therefore no doubt that such action will constitute processing of personal data, in this case ordinary personal data. We must therefore base it on one of the legal grounds provided for in Article 6 of the GDPR.
The legal bases for processing that we may consider in this situation are:
- Article 6(1)(b) of the GDPR – processing is necessary to take steps at the request of the data subject prior to entering into a contract,
- Article 6(1)(a) of the GDPR – processing is based on consent,
- Article 6(1)(f) of the GDPR – processing is necessary for the purposes of the legitimate interests pursued by the data controller or by a third party.
Under the first criterion, the processing must take place at the request of the data subject and must aim at the conclusion of a contract. We could justify this legal basis where the reason for an unfinished purchase was technical difficulties, such as a system error or a payment error. However, if the customer closed the website for reasons unknown to us and did not complete the purchase, we cannot say that by sending a message we are acting at the customer’s request prior to the conclusion of a contract. After all, we do not know whether the customer intended to conclude a sales contract at all or whether they deliberately abandoned the purchase.
A safer basis, which does not require investigating why the order was not successfully placed, is the consent of the person who is to receive information about an abandoned shopping cart. Consent should be voluntary, informed, explicit and specific. The greatest difficulty, however, lies in obtaining it, as it must be an active action, for example by ticking a checkbox. Many customers to whom the data controller would gladly send an abandoned cart reminder will not give such consent. Relying on user consent for cart recovery is therefore possible, but it requires additional effort, which reduces the attractiveness of this sales-enhancing method.
Processing personal data by an online store for the purpose of contacting a customer regarding incomplete purchases may also take place on the basis of the controller’s legitimate interest. This consists in contacting a customer who, for reasons unknown to us, has abandoned the purchase. Such a reminder may take the form of an offer of assistance in completing the purchase or support in making a decision. In this case too, caution is required – it is impermissible to use in this way an email address that was entered solely in the abandoned order and recorded by cookies. The controller should already have a basis for processing the email address, for example in connection with a previous order or a created account. If the user’s data are not yet in the controller’s database, the only solution will be to obtain the user’s consent.
An analysis of the possible legal bases for processing data for the purpose of sending abandoned cart reminders leads to the conclusion that none of them is ideal or universally applicable. Nor does any of them make it possible to send reminders to all users who have abandoned a cart on a store’s website. Each basis requires additional effort or the fulfilment of additional conditions by the data controller. However, the safest basis is consent, which, as we point out in the second part of the article, will in any event have to be obtained due to other provisions in force in Poland.
Abandoned cart reminder as commercial information
Determining the legal basis for the processing of data and compliance with the GDPR in the sending of abandoned cart notifications is not the only issue we must take into account in order to act lawfully. When sending abandoned cart reminders, we cannot ignore the Act on the Provision of Electronic Services and the Electronic Communications Law, which impose additional obligations on entities operating in Poland and sending marketing information.
The definition of commercial information under the Act on the Provision of Electronic Services is very broad. Pursuant to it, commercial information should be understood to include, among other things, any information intended directly or indirectly to promote goods, services or the entrepreneur’s image. Sending abandoned cart notifications is certainly intended to encourage the recipient of the message to make a purchase and, as a result, to sell the goods from the cart, and thus to achieve a commercial effect.
It should be concluded that an abandoned cart reminder constitutes commercial information within the meaning of Polish law, which entails an additional obligation for the data controller to obtain consent.
Article 398 of the Electronic Communications Law introduces a prohibition on sending commercial information, including direct marketing, by means of automatic calling systems and telecommunications terminal equipment (e.g. e-mails, SMS messages or messengers), without the prior consent of the subscriber or end user. This means that an entrepreneur may send such communications only after obtaining the recipient’s explicit consent. Importantly, consent must be voluntary, specific, informed and constitute an unequivocal indication of wishes. The requirement to obtain consent under the Electronic Communications Law operates independently of the legal basis for the processing of personal data under the GDPR.
The Act permits consent to be given by providing an electronic address for the purpose of receiving commercial information. At the same time, the sending of such communications may not involve any costs for the user or subscriber. A breach of this obligation also constitutes an act of unfair competition within the meaning of the provisions of the Act on Combating Unfair Competition.
Sending abandoned cart reminders is a very popular marketing practice. Our clients operating online stores often ask us why companies based abroad, e.g. their group companies, do not have to obtain consents, while we inform them that such consents are necessary. The reason lies precisely in the above-mentioned provisions and in the differences in Polish regulations, which require active consent, whereas many countries apply a system under which marketing information may be sent to persons abandoning their carts unless and until they object.
How to legally send abandoned cart reminders
Under the current legal framework, the primary step is to obtain the appropriate consent as early as possible, so that as many users as possible can give it before closing the page with the incomplete order. It may be helpful to obtain consents by offering customers additional benefits in exchange for giving consent, e.g. a discount or a product sample. The appropriate moment to request consent will be during the account creation stage or the initial stage of placing an order.
In the consent obtained, it should be indicated who the data controller is, which data will be processed and for what purposes. It must also be stated that consent is voluntary and may be withdrawn at any time. For consent to be fully voluntary, it must be obtained separately for each communication channel – it should be possible to consent, for example, to marketing via e-mail independently of refusing consent to marketing via SMS message, and vice versa. Importantly, and somewhat surprisingly often forgotten by website controllers, the consents must be properly recorded by them in the system – so that, if explanations need to be provided, it is possible to indicate the time of consent and its content.
It is also necessary not to forget the obligation to provide information to customers. Information that the store sends abandoned cart reminders should be included in the online store's privacy policy, but the first layer of the privacy notice should already be placed where consent is given and the customer provides their e-mail address.



