Two Legal Frameworks Govern Abandoned Cart Tracking

Cart abandonment recovery sits at the intersection of two separate but overlapping privacy regimes. The ePrivacy Directive (specifically Article 5(3)) controls whether you can place tracking cookies and pixels on a visitor's device. The GDPR governs what you do with the personal data those trackers collect - including sending remarketing emails.

Getting this distinction wrong is common. Many online retailers assume that because a shopper typed in an email address at checkout, all subsequent tracking and emailing is fair game. It is not.

The cookie that records a visitor's browsing session, the pixel that fires when they add a product to the cart, and the email that lands in their inbox an hour later each carry their own legal requirements. Treating them as a single compliance question is a shortcut that regularly attracts regulatory attention.

Which Cookies Does Cart Abandonment Tracking Involve?

A typical cart recovery setup relies on several types of cookies and trackers working together. Some are strictly necessary; others are not.

Tracker | Purpose | Category | Consent Required?
------- | ------- | -------- | -----------------
cart_id / session cookie | Remembers items in the shopping cart during a session | Strictly necessary | No
_ga, _ga_* | Google Analytics - tracks user journey and cart events | Analytics | Yes
_fbp | Meta Pixel - identifies user for remarketing audiences | Marketing | Yes
Tracking pixel (email) | Detects email opens and click-throughs | Marketing | Yes (under CNIL guidance)
_tt_ / TikTok pixel | Tracks add-to-cart events for ad optimisation | Marketing | Yes
Cart recovery platform cookie | Links anonymous browsing to an email address for remarketing | Marketing | Yes

The session cookie that holds a visitor's basket is exempt from consent under Article 5(3) of the ePrivacy Directive because the user explicitly requested the service. Every other tracker in the table above requires prior consent before it fires.

Article 5(3) and the Consent Trigger

Article 5(3) of the ePrivacy Directive is not limited to cookies. The EDPB's 2023 guidelines on the technical scope of Article 5(3) confirmed that tracking pixels, tracking links, device fingerprinting techniques, and any mechanism that stores or accesses information on a user's device all fall within scope.

For cart abandonment, this means the Meta Pixel, TikTok Pixel, and any similar remarketing tag must not fire until the visitor has given consent through a valid cookie banner.

A cart recovery platform that drops its own cookie to match a browsing session to an email address is performing non-essential tracking. That cookie requires consent too.
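As an added example (not code from the original page or from Kukie.io), the gate below implements the consent trigger for the trackers in the table above: each tracker is registered with its category, and only the strictly necessary basket cookie runs before the banner returns a positive signal. The tracker names are taken from the table; the no-op loader callbacks stand in for the vendors' real tag snippets and are assumptions.

```javascript
const STRICTLY_NECESSARY = "strictly necessary";

function createConsentGate() {
  const pending = [];       // non-essential loaders waiting for consent
  const fired = [];         // trackers whose loader has run, in order
  let granted = new Set();  // categories the visitor has accepted
  const run = (entry) => { entry.loader(); fired.push(entry.name); };

  return {
    // Register a tracker; it runs now only if its category is already allowed.
    register(name, category, loader) {
      const entry = { name, category, loader };
      if (category === STRICTLY_NECESSARY || granted.has(category)) {
        run(entry);           // Art. 5(3) exemption, or prior consent
      } else {
        pending.push(entry);  // blocked until the banner says yes
      }
    },
    // Positive signal for one or more categories: release matching loaders.
    grant(categories) {
      granted = new Set([...granted, ...categories]);
      const stillBlocked = [];
      for (const entry of pending.splice(0)) {
        if (granted.has(entry.category)) run(entry);
        else stillBlocked.push(entry);
      }
      pending.push(...stillBlocked);
    },
    // "Reject all": nothing queued ever runs.
    rejectAll() { pending.length = 0; },
    fired: () => [...fired],
    pendingNames: () => pending.map((e) => e.name),
  };
}

// Dry run with the trackers from the table above (constructed names; the
// no-op loaders stand in for the vendors' real <script> snippets).
function demo(bannerDecision) {
  const gate = createConsentGate();
  gate.register("cart_id", STRICTLY_NECESSARY, () => {});
  gate.register("_ga", "analytics", () => {});
  gate.register("_fbp", "marketing", () => {});
  gate.register("_tt_", "marketing", () => {});
  gate.register("cart_recovery_platform", "marketing", () => {});
  if (bannerDecision === "marketing-only") gate.grant(["marketing"]);
  if (bannerDecision === "reject-all") gate.rejectAll();
  return { fired: gate.fired(), pending: gate.pendingNames() };
}
```

Note that `_ga` stays queued when the visitor accepts only the marketing category, so a banner with per-category choices must pass each accepted category to `grant` separately.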

The Soft Opt-In Exception for Emails

The ePrivacy Directive includes a narrow exception often called the "soft opt-in" (Article 13(2) as transposed into national law - for example, Regulation 22 of the UK's PECR). This provision allows you to send direct marketing emails to existing customers without explicit consent, provided three conditions are met:

  • The customer's email address was collected during a sale or negotiation of a sale
  • The emails promote only your own similar products or services
  • Every email offers a clear, free, and simple way to opt out

Cart abandonment emails can potentially fall under this exception. The shopper began a transaction by adding items and entering their email at checkout. The email reminds them about those specific products.

But the soft opt-in has limits. If the visitor only browsed without reaching checkout, no sale was in progress and the exception does not apply. Sending a "you left something behind" email to someone who never provided their address during a purchase flow requires explicit opt-in consent.

Legitimate Interest Is Not a Free Pass

Some retailers rely on legitimate interest as their GDPR legal basis for processing personal data in cart recovery. A legitimate interest assessment (LIA) can work here, but it does not override the ePrivacy Directive's cookie consent requirement.

Even if your LIA concludes that sending a cart reminder email serves a legitimate business interest, you still need consent before placing the tracking cookies that power the system. These are two separate legal questions answered by two separate laws.

The CNIL has been particularly active in enforcing this distinction. Between December 2022 and December 2024, the French authority issued combined fines exceeding 139 million euros for breaches of Article 5(3) as implemented in French law. In June 2025, the CNIL launched a public consultation specifically on tracking pixels in emails, signalling that even basic email open tracking may soon require explicit consent in France.

How to Build a Compliant Cart Recovery Flow

A compliant abandoned cart system separates the consent layer from the email permission layer. Here is a practical breakdown.

Step 1: Cookie Consent Before Tracking

Before any marketing or analytics cookies fire, present a compliant cookie banner. Block scripts for your cart recovery platform, analytics, and advertising pixels until the visitor grants consent. Use a consent management platform to handle conditional script loading so that tags only execute after a positive signal.

Step 2: Email Permission at Checkout

At the checkout stage, collect email consent separately. If you plan to rely on the soft opt-in, ensure the email field is part of an active purchase flow. Add an unticked checkbox or clear notice informing the shopper that their email may be used for cart reminders. Always include an opt-out mechanism at the point of collection, not just in subsequent emails.

Step 3: Respect Consent Signals in Your Email Platform

Sync your eCommerce platform's consent records with your email service provider. If a visitor rejected marketing cookies, do not send them pixel-tracked emails. If they opted out of emails at checkout, suppress them from cart recovery workflows immediately.

Step 4: Limit Email Frequency and Content

Regulatory guidance across the EU flags aggressive email sequences as a compliance risk. Restrict cart recovery sequences to one or two emails. Keep content focused on the abandoned items - do not cross-sell unrelated products, as this exceeds the "similar products" boundary of the soft opt-in.
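An added example (not code from the original page or from Kukie.io) that encodes the three soft opt-in conditions together with Steps 2 to 4 as a single send-time check for a cart recovery workflow: where the address came from, the opt-out state, the content boundary, the sequence cap, and whether an open-tracking pixel may be included. The field names on the visitor and draft records are assumptions.

```javascript
const MAX_RECOVERY_EMAILS = 2;  // Step 4: one or two emails per abandoned cart

// Decide whether one cart recovery email may go out and whether it may carry
// an open-tracking pixel. Returns the blocking reasons so the workflow can log
// why a contact was suppressed.
function evaluateRecoveryEmail(visitor, draft) {
  const reasons = [];

  // Soft opt-in condition 1: the address came from an active purchase flow.
  // A browse-only visitor needs explicit opt-in consent instead.
  const softOptIn = visitor.emailSource === "checkout" && visitor.reachedCheckout;
  if (!softOptIn && !visitor.explicitMarketingConsent) {
    reasons.push("no soft opt-in and no explicit consent");
  }
  // Opt-out at collection or in a later email suppresses the whole workflow.
  if (visitor.optedOut) reasons.push("visitor opted out");

  // Step 4 and soft opt-in condition 2: only the abandoned items, no cross-sell.
  const extras = draft.productIds.filter((id) => !visitor.cartProductIds.includes(id));
  if (extras.length > 0) reasons.push(`cross-sell outside the cart: ${extras.join(",")}`);

  // Soft opt-in condition 3: every message offers a simple opt-out.
  if (!draft.hasUnsubscribeLink) reasons.push("missing opt-out link");

  // Step 4: cap the sequence length.
  if (visitor.recoveryEmailsSent >= MAX_RECOVERY_EMAILS) reasons.push("sequence cap reached");

  // Step 3: the open-tracking pixel needs its own consent (Art. 5(3));
  // without it the email is still sent, but with the pixel stripped.
  const includePixel = visitor.emailPixelConsent === true;

  return { send: reasons.length === 0, includePixel, reasons };
}

// Constructed sample records (not real customer data) for a dry run.
const CHECKOUT_SHOPPER = {
  emailSource: "checkout", reachedCheckout: true, explicitMarketingConsent: false,
  optedOut: false, cartProductIds: ["sku-1", "sku-2"], recoveryEmailsSent: 1,
  emailPixelConsent: false,
};
const BROWSE_ONLY = {
  emailSource: "account", reachedCheckout: false, explicitMarketingConsent: false,
  optedOut: false, cartProductIds: ["sku-3"], recoveryEmailsSent: 0,
  emailPixelConsent: true,
};
const REMINDER = { productIds: ["sku-1"], hasUnsubscribeLink: true };
```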

Jurisdiction-Specific Differences

The rules vary depending on where your customers are located.

Jurisdiction | Cookie Consent Model | Email Soft Opt-In? | Key Regulation
------------ | -------------------- | ------------------ | --------------
EU (GDPR + ePrivacy) | Prior opt-in required | Yes, with conditions | ePrivacy Directive Art. 5(3), 13(2)
UK | Prior opt-in required | Yes (PECR Reg. 22) | UK GDPR + PECR
California (CCPA/CPRA) | Opt-out model | No soft opt-in concept | CCPA + CAN-SPAM
Brazil (LGPD) | Prior consent for marketing | Limited (legitimate interest) | LGPD Art. 7
Canada (PIPEDA/CASL) | Implied consent possible | Yes, within 2 years of inquiry | CASL s.10(9)

Under US law, the picture is different. The CAN-SPAM Act does not require prior consent for commercial emails but does mandate an opt-out mechanism and accurate sender information. California's CCPA opt-out requirements apply to the sale or sharing of personal information collected through cookies, but the email itself follows CAN-SPAM rules.

Common Mistakes That Trigger Enforcement

Regulators have identified recurring patterns in cart abandonment compliance failures.

  • Pre-loading tracking scripts - Firing the cart recovery pixel before cookie consent is granted violates Article 5(3). The ICO issued cookie compliance warnings to 134 UK websites in 2025 for similar infractions.
  • Treating cart emails as transactional - No purchase was completed, so these emails are direct marketing under both GDPR and PECR. Classifying them as "service messages" to avoid consent rules does not hold up.
  • No opt-out at collection - The soft opt-in requires an opt-out opportunity when the email address is first collected, not only in the follow-up email.
  • Emailing visitors who only browsed - If no sale or negotiation of sale occurred, the soft opt-in does not apply. Matching a logged-in user's browse history to their account email and sending a remarketing message without consent is a GDPR violation.
  • Excessive email frequency - Sending five or more recovery emails for a single abandoned cart has drawn regulatory criticism across multiple EU member states.

Tracking Pixels Inside Emails Need Consent Too

Email tracking pixels - tiny transparent images that report when a recipient opens a message - fall under Article 5(3) of the ePrivacy Directive. They access information stored on the recipient's device (IP address, email client data, timestamp) without the recipient's knowledge.

The CNIL's 2025 public consultation on email tracking pixels suggests stricter enforcement is coming. If your cart recovery emails contain open-tracking pixels and you have not obtained consent for that specific tracking, you may face compliance exposure even if the email itself was lawfully sent under the soft opt-in.

Consider using click-based conversion tracking as an alternative, or strip tracking pixels from cart recovery emails entirely and measure success by redemption rates instead.

Frequently Asked Questions

Are abandoned cart emails legal under GDPR?

Abandoned cart emails can be GDPR-compliant if you have a valid legal basis. The ePrivacy Directive's soft opt-in exception allows them when the email was collected during a sale or negotiation of a sale, you only promote similar products, and you offer an opt-out in every message. The tracking cookies that power the system still require separate consent.

Do I need cookie consent before tracking cart abandonment?

Yes. Session cookies that hold basket contents are strictly necessary and exempt, but analytics cookies, marketing pixels, and cart recovery platform trackers all require prior consent under Article 5(3) of the ePrivacy Directive before they can fire.

Can I send abandoned cart emails without opt-in consent?

Under the soft opt-in provision in EU and UK law, yes - if the email was collected during an active purchase attempt, the email only promotes similar products, and every message includes an opt-out link. If the visitor only browsed without reaching checkout, explicit consent is required.

Is an abandoned cart email transactional or marketing?

It is classified as direct marketing because no transaction was completed. This means full marketing communication rules apply, including consent or soft opt-in requirements and mandatory opt-out mechanisms.

How many abandoned cart emails can I legally send?

No specific number is set in law, but EU regulatory guidance flags more than two or three emails per abandoned cart as potentially aggressive. Keep sequences short and focused on the abandoned items to stay within the soft opt-in's "similar products" boundary.

Do email tracking pixels require cookie consent?

Tracking pixels in emails fall under Article 5(3) of the ePrivacy Directive because they access information on the recipient's device. The CNIL launched a public consultation in 2025 specifically on this topic, indicating stricter enforcement may follow. Consent for email pixel tracking should be obtained separately from cookie consent on your website.

Take Control of Your Cookie Compliance

If you are not sure which cookies your site sets, start with a free scan. Kukie.io detects, categorises, and helps you manage every cookie - so your visitors get a clear choice, and you stay on the right side of the law.
