Checkout abandonment is one of the most disappointing yet unavoidable realities of the ecommerce industry, and it significantly hurts the conversion rates and bottom lines of ecommerce brands everywhere.

While sending abandoned checkout emails to customers can be an effective strategy for recovering lost sales, it's important to be mindful of the legal obligations imposed by data protection laws.

This article will explore what abandoned checkout emails are, what major privacy laws say about them, the legal requirements involved, and best practices for sending out these emails in a legally-compliant way.


Checkout Abandonment in Ecommerce: An Overview

An "abandoned checkout" describes a scenario in ecommerce where a potential customer adds items to their online shopping cart and initiates the checkout process (i.e., starts providing payment or shipping information) but doesn't complete the purchase.

It's closely related to an "abandoned shopping cart," where customers leave their selected items behind without ever reaching the checkout point.

Abandoned checkouts are especially prevalent in the ecommerce industry today. Case in point, a recent study conducted by Baymard Institute found that an average of 69.99% of customers abandon their shopping carts without completing a purchase.

In other words, about 7 in 10 customers will not complete their transactions on an ecommerce platform.

While the actual abandonment rate can vary widely depending on the product type, industry, and region, the losses remain substantial.

To push that point home, a research study by Forrester found that ecommerce businesses lose $18 billion annually in sales revenue due to abandoned checkouts.

The most common causes for these alarming statistics include:

  • High additional costs
  • Complicated checkout process
  • Mandatory account creation
  • Payment security concerns
  • Slow delivery

The simple truth is that despite your best efforts to address these common causes, abandoned checkouts are inevitable, thanks to the unending distractions of everyday life and the digital world. But when they do occur, all hope is not lost.

Since customers showed enough interest to get to the checkout point before reneging, a little extra push can go a long way in convincing them to return and complete their purchases.

This is where abandoned checkout emails come in handy.

What is an Abandoned Checkout Email?

An abandoned checkout email is an email reminder sent to customers who initiated the checkout process on an ecommerce platform but didn't complete the purchase. These emails typically encourage customers to return to the platform and complete their transactions.

Here's an example of an abandoned checkout email from Grove Collaborative:

[Image: Grove Collaborative abandoned checkout email]

Practically speaking, sending email reminders is one of the most effective means of recovering lost sales due to abandoned checkouts.

In fact, a Klaviyo report found that with an open rate of 41.18%, abandoned checkout emails can help ecommerce businesses recoup as much as 15% of lost revenue.

Needless to say, this is an email marketing campaign every ecommerce business needs to implement.

However, before attempting to capitalize on the opportunity presented by abandoned checkout emails, it's essential to observe the legal requirements imposed by data protection laws in your jurisdiction.

Failing to do so may result in significant fines, thereby defeating the purpose of your email campaigns. After all, your goal is to generate more revenue, not incur additional costs.

Privacy Laws and Abandoned Checkout Emails

Email addresses are considered personal information under many privacy laws. As a result, obtaining customers' email addresses and sending them abandoned checkout emails will likely place your ecommerce business under the scope of privacy laws.

It's important to note that most privacy laws have an extraterritorial application. This means as long as you offer products or services to customers in a different country, you may be subject to that country's laws even without a physical presence there.

Below are some of the major privacy laws regulating personal information and email marketing campaigns, including abandoned checkout emails.

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a comprehensive data protection law that governs how businesses collect, use, and store the personal data of individuals in the European Union (EU).

Under the GDPR, abandoned checkout emails are allowed if you've identified at least one of the regulation's six lawful bases to justify sending them. They include:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interests

Among these, consent and legitimate interests are the most applicable grounds for sending abandoned checkout emails. (More on this later in this article).

Keep in mind that sending abandoned checkout emails in violation of the GDPR can result in fines of up to €20 million or 4% of your business's annual global turnover (whichever is higher).

ePrivacy Directive

The ePrivacy Directive regulates all forms of electronic communications in the EU. Among other things, it addresses cookies and similar technologies, telephone marketing, and email campaigns, including abandoned checkout emails.

It's important to note that the ePrivacy Directive complements the GDPR, which means that applicable businesses must also comply with the GDPR's requirements for processing personal data.

Interestingly, the ePrivacy Directive allows businesses to send abandoned checkout emails to existing customers (not prospects) without getting explicit opt-in consent. It does so through a provision called the "soft opt-in."

The idea is that since customers showed interest in a transactional relationship with your business and provided their email addresses at the checkout point, you can send them email reminders of their abandoned cart items without consent.

However, you must take note of the following requirements:

  • Limit the email content to customers' abandoned cart items and similar products only
  • Provide a simple unsubscribe link or button in every email to allow customers to opt out of future communications

California Consumer Privacy Act (CCPA/CPRA)

The California Consumer Privacy Act (CCPA) is a U.S. state privacy law that regulates the collection, use, storage, and disclosure of California residents' personal information. It was amended and expanded by the California Privacy Rights Act (CPRA).

The CCPA (CPRA) requirements are notably less stringent than the GDPR's when it comes to email marketing campaigns, including abandoned checkout emails.

While the CCPA (CPRA) doesn't require customers' opt-in consent (except for minors), it does provide California residents with several rights over their personal information - in this case, their email addresses.

In short, California customers have the right to know how you plan to use their email addresses and to whom you may sell or with whom you may share them. They also have the right to opt out of abandoned checkout emails and to request that you delete their email addresses from your records.

CAN-SPAM Act of 2003

The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, or CAN-SPAM Act, is a law that regulates commercial email marketing in the United States and is enforced by the Federal Trade Commission (FTC).

Although abandoned checkout emails are permitted under the CAN-SPAM Act, businesses must observe several specific guidelines to avoid spamming their customers.

The highlights are as follows:

  • Don't deceive or mislead customers, e.g., through deceptive subject lines
  • Clearly state the purpose of the email as a solicitation or advertisement
  • Provide customers with a prominent way to opt out of future communications and promptly honor opt-out requests
  • Disclose your business address or location in your emails
  • Ensure that any hired external agency also complies with these requirements

Now that we've examined what major privacy laws say about abandoned checkout emails, let's go over the requirements and practical steps for compliance.

Requirements and Best Practices for Sending Abandoned Checkout Emails

In light of the major privacy laws regulating personal information and email marketing campaigns, your ecommerce business must observe several key requirements to legally send abandoned checkout emails.

It's important to note that not all these requirements may apply depending on the specific law(s) to which your business is subject.

That said, you must take the following steps to legally send abandoned checkout emails under most privacy laws.

Identify a Legal Basis for Sending Abandoned Checkout Emails

Under the GDPR, businesses must establish at least one of six legal bases to carry out any data processing activity.

When it comes to sending abandoned checkout emails, consent and legitimate interests are the most applicable. Let's briefly go over both.

Consent

Operating under the legal basis of consent means you must obtain explicit opt-in consent from your customers before collecting their email addresses to send them abandoned checkout emails.

According to the GDPR, consent must be "freely given, specific, informed, and unambiguous." In other words, obtaining consent for general email marketing campaigns won't suffice. Instead, you must do the following:

  • Get separate consent for abandoned checkout emails
  • Explicitly mention that you'll send customers email reminders
  • Request affirmative action through a simple process (e.g., asking customers to check an empty "I Agree" checkbox or click a prominently labeled "I Agree" button)
  • Keep proper records of customers' consent and opt-out requests

Here's an example of GDPR-compliant consent through separate empty checkboxes from Coca-Cola:

[Image: Coca-Cola sign-up form with "I Agree" checkboxes highlighted]

You can adopt the same consent request style as Coca-Cola's above. However, you'll need to create an additional empty checkbox to obtain separate consent for abandoned checkout emails.

Similarly, ByValentinaCastro obtains opt-in consent from its customers and clarifies how it will use their personal data at its checkout point:

[Image: ByValentinaCastro checkout screen with consent checkboxes highlighted]

When we examine ByValentinaCastro's Privacy Policy, we can see that it clearly mentions that it will send its users abandoned cart emails:

[Image: ByValentinaCastro Privacy Policy, "Recover Abandoned Cart" clause]

Legitimate Interest

Under the legal basis of legitimate interests, you can carry out data processing activities as long as you don't interfere with your customers' fundamental rights and freedoms.

There's a bit more to it than that, but if you collect and process personal data in a way your customers will reasonably expect, you're in the clear.

Interestingly, the GDPR states outright in Recital 47:

"The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest."

This means you can rely on legitimate interests for direct marketing, including abandoned checkout emails. In fact, legitimate interest is arguably more appropriate for abandoned checkout emails than consent since it gives you better coverage and allows you to reach more customers.

In terms of the practicalities, you'll need to conduct a Legitimate Interests Assessment through a 3-part test:

  1. The purpose test: why do you want the customer's data?
  2. The necessity test: is the data processing necessary to achieve your goals?
  3. The balancing test: does your legitimate interest override the customer's rights and freedoms?

For more information, check out our 3-part test for determining if you have a lawful basis of legitimate interests in our feature article here: 3 Part Test for Legitimate Interests Under the GDPR.

Provide a Simple Way for Customers to Opt Out

For your abandoned checkout emails to be considered legal, your customers must be able to easily opt out of receiving them. After all, data privacy is all about the freedom to make choices: opting in vs. opting out.

Accordingly, every abandoned checkout email should contain a prominent unsubscribe link or button for easy opt-out access.

Here's how Baddest Bod includes an unsubscribe link in its abandoned checkout email footer:

[Image: Baddest Bod abandoned checkout email with unsubscribe link highlighted]

And here's how JOY does the same at the bottom of its abandoned checkout email:

[Image: JOY email footer with unsubscribe link highlighted]

Clicking on the unsubscribe link automatically removes customers from JOY's mailing lists with no ambiguity or extra steps involved, and this is a best practice:

[Image: JOY unsubscribe confirmation page]

Inform Customers of Abandoned Checkout Emails

Under many privacy laws (including the GDPR and CCPA/CPRA), customers have the right to know how you will use their personal information, and you must explain this information in plain language (i.e., free of any legalese or technical jargon).

In the context of email marketing, you must disclose that you'll use customers' email addresses to send them abandoned checkout emails whenever they have incomplete purchases.

The best place to present this information is within your Privacy Policy. If you don't have a Privacy Policy, get one written posthaste, as it's legally required under many privacy laws.

Here's how Julian Lennon explains abandoned cart emails in a concise clause within its Privacy Policy:

[Image: Julian Lennon Privacy Policy, "Abandoned Cart Emails" clause]

It's worth noting that your Privacy Policy must be easily accessible to your customers and the general public. You can accomplish this by placing a prominent link to your Privacy Policy in your website's footer section among other places.

Get more information about the best way to display a Privacy Policy in our feature article: Where Should I Place My Privacy Policy?

Avoid Dark Patterns and Similar Practices

You've probably received an email from a company with a deceptive or misleading subject line at some point. Worse still is when you can't seem to unsubscribe from the email list, no matter how hard you try. These types of situations fall under the concept of dark patterns.

When it comes to abandoned checkout emails, employing dark patterns to trick customers into returning to your platform and completing their purchases will, more often than not, backfire.

This practice will not only hurt your business's reputation in the long run but may result in legal liability under many privacy and anti-spam laws (such as the CCPA/CPRA and the CAN-SPAM Act).

In essence, you should only send abandoned checkout emails to customers who have abandoned the checkout process without completing their purchases. And only do so after satisfying the legal requirements of applicable privacy laws.

Furthermore, you shouldn't use these emails as an opportunity to manipulate your customers or send them irrelevant or unrelated marketing messages.

Summary
Abandoned checkouts are one of the most serious challenges facing the ecommerce industry today. They represent a loss of potential sales opportunities and can cost your business dearly. Fortunately, you can reduce their effects through abandoned checkout emails.

However, before gathering email addresses and sending out shopping cart reminders to your customers, it's crucial to consider the privacy law(s) regulating personal information and email marketing in your jurisdiction.

The more common ones include the GDPR, ePrivacy Directive, CCPA/CPRA, and CAN-SPAM Act.

To comply with the abandoned checkout requirements of most privacy laws, you need to take the following steps:

  • Identify a legal basis for sending abandoned checkout emails
  • Obtain customer consent if needed
  • Provide a prominent unsubscribe link or button in every email you send
  • Inform customers that you'll send them abandoned checkout emails in your Privacy Policy
  • Avoid using dark patterns and similar practices

Remember, noncompliance with privacy laws can be incredibly costly, including reputational damage and substantial fines.
