GDPR Reality Check – Consent and Abandoned Ecommerce Carts
GDPR is a complex set of rules and regulations centered on protecting the data privacy of EU citizens.
As an ecommerce or multichannel business, the complexities of GDPR compound if you’re not adequately prepared.
One of the most illuminating parts of our latest webinar, GDPR Reality Check: How Will Regulations Impact My E-commerce Business, was our section on GDPR and risk management. Several questions posed to GDPR expert Guy Pearce focused on managing your business’ risk exposure while protecting your business and the data it processes via GDPR compliance.
For much of the webinar conversation focused on the definition of consent. Under GDPR it is quite clear that a data subject’s consent must be informed and freely given when accepting how their data will be used and processed. To many, this is the familiar mechanism of clicking a checkbox to accept marketing or other messages from the business and, possibly, their third-parties.
But in discussing GDPR, consent, and abandoned cart messages, our panelists ended up on an extremely important subject:
An abandonded ecommerce cart does not equate with consent under GDPR.
Abandoned cart marketing and lead nurturing is a staple of ecommerce and multichannel commerce. So much so, in fact, that consumers have been virtually trained to leave their carts un-purchased to instead wait for the discount or incentive to return to show up in their inboxes first.
And that’s been best practices. But GDPR changes things — and significantly.
Pre-GDPR, the normal course of action for ecommerce and multichannel retailers would be to collect the information of consumers who failed to complete the full check-out process. From there, the consumer’s email address would be added into a marketing automation platform tailored to ecommerce merchants’ needs, and the emails with incentives in tow to connect consumers with their abandoned goods are off.
But in a post-GDPR world, this violates consent. Consent in the abandoned cart scenario, you see, is not conspicuously nor freely given by the consumer.
So if your ecommerce store, for example, stores the personal data of EU citizens alongside non-EU citizens and is not GDPR compliant, participating in abandoned ecommerce cart nurturing is risky to say the least. Even collecting consent from pre-checkout consumers may not cover you in the event of a data breach; GDPR requires deep documentation, planning, and adequate recording of these moments of consent.
With news of GDPR fines igniting in the past weeks, now is the perfect time to reflect on your business’ GDPR preparations. Being outside of the EU or in North America is not enough to guarantee your exemption from GDPR — you must do your due dilligence. At the very least, the exercise will help your business reflect on and bolster your overall risk tolerance!
We already know most ecommerce businesses are ignorant or misinformed in their responsibilities under GDPR. This type of detailed explanation of the regulations found below can empower ecommerce business the power to protect themselves and their customer’s data.
Keep scrolling to watch the discussion of abandoned ecommerce carts and consent under GDPR from the webinar: