We’re strong advocates for data privacy and ownership, and many new regulations strongly enforce user rights for data processing. The largest and most all-encompassing regulation is the GDPR. The GDPR also works hand-in-hand with PECR (also referred to as the EU e-privacy directive); the GDPR governs data protection and processing, while PECR outlines practices for data collection online. Our own efforts focus on compliance with both of these pieces of regulation.
While this is a great step forward for user privacy as a whole, it’s also difficult to know how your business should make adjustments to respect these rights. For Jilt, GDPR compliance involves a couple different areas:
- Our ability to be GDPR-compliant ourselves as a data controller. This relates to the data you provide to us to use Jilt, such as your payment details and your own email address. As a merchant, you are also a data controller for your customers.
- Our ability to work as a data processor for merchants to provide a service. This involves the information we handle for your store and your customers, such as storing customer email addresses and email sending.
We’ve been hard at work at addressing each of these points for a few months. For our own compliance as a data controller, as well as a data processor, we’ve been working on:
|Completing our EU-U.S. Privacy Shield self-certification||completed||—|
|Updating our Terms of Service||completed||See our updated Terms of Service|
|Adding a Cookie Statement (part of Terms of Service)||completed||See our Cookie Statement|
|Adding a Data Processing Agreement (DPA) for EU Customers||completed||Contact us for a copy of our DPA|
|Adding more details about our security program||completed||Read about our security program|
|Documenting our data sub-processors||completed||See our data sub-processors|
|Support the Right to Erasure (Deletion)||completed||A user can request that we delete all of personal data. Contact us to request deletion.|
|Support the Right to Access/Portability||completed||A user can request a copy of the personal data we’ve collected. Contact us to request access.|
|Support the Right to Modification||completed||In Jilt, a user can change most of their personal data. For all other modifications, get in touch with us.Contact us to request a modification.|
|Appoint a Data Protection Officer||completed||Contact firstname.lastname@example.org with any requests or questions you have about your data.|
As a merchant, you are a data controller as well, and therefore are also required to comply with the GDPR (and PECR). Ultimately, compliance for your business is your responsibility, which involves following best practices for data collection and usage. However, as a small business ourselves, we know legal compliance is really difficult. One of the most popular questions our support team has gotten over the past month as been, “Are abandoned carts GDPR-compliant?” because it’s costly and difficult to attempt this analysis independently.
We care about helping your business, and we’re in a position to do so — in fact, it’s in our best interest to help you meet compliance, too. smile As such, we’re doing what we can to help merchants using Jilt meet GDPR compliance themselves.
Here are some tools for customers using Jilt that we’ve been working on:
|Developing a Privacy Notice for Visitors to our users’ stores||completed||This clarifies the data that Jilt collects from your visitors and customers as part of providing our service to you. Read this notice.|
|Completing a sample Legitimate Interests Assessment for abandoned cart recovery emails||completed||This assessment may help you complete your own. Read more below about this and get in touch with our support team from our app dashboard and let us know you’d like to take a look.|
|Updating our integrations to provide notice and opt-out||completed||Providing notice & opt-out to visitors and customers that your store collects emails and other data for the purposes of abandoned cart recovery and other direct marketing is important for compliance. Learn how to enable this feature|
|Updating our integrations to collect customer consent in a GDPR-compliant way||completed||By collecting consent at checkout, you can email customers non-transactional marketing emails like post-purchase follow-ups (product review, discount for a future purchase, etc. Learn how to enable this feature|
We’ll also take a deeper look at these tools below, and how the emails Jilt sends for your store fit into GDPR compliance (we’ll look exclusively at GDPR-email marketing relationships, not GDPR as a whole in this document).
First, you know we have to do this…we’re software developers, not lawyers. We pay lawyers to help us just like everyone else, so:
Truly, though: the content of your emails, when you send them, and how your site is structured all affect your own compliance with the GDPR. As such, while we’re happy to share what we’ve learned, we ultimately cannot tell you what your particular business needs, or solve compliance issues for all of our merchants within Jilt.
We’ve invested a lot of time and money consulting with our legal counsel to make compliance easier when you use Jilt, and many team members have been working on privacy regulation compliance. These are their stories.
How does email marketing fit into the GDPR?
The GDPR outlines how businesses can process or store personal information from their customers and users. Many merchants are under the impression that consent is the only acceptable basis for processing data, but this is incorrect. Consent is one of six lawful reasons to process data; while consent can be used to allow email marketing under the GDPR and PECR, there are also other equally valid bases for using email marketing, for which consent is not required (or encouraged, for that matter).
Do I need consent?
Consent is not “better” or “worse”, nor does it have more weight, than any other data processing basis. It’s easy to think consent is “foolproof”, because it seems explicit on the surface: I have permission to email people, that’s easier to justify than contractual obligations or legitimate interest, right?
However, consent is just as subject to argument as any data processing basis. A customer can argue consent is not valid if it didn’t have positive opt-in, wasn’t specific or granular enough, wasn’t unbundled from other consent (like consenting to terms of service), didn’t have enough detail while also being concise (yeah, that part is hard!), or it wasn’t clear that consent wasn’t required as a precondition for a service.
Because of the requirements around consent, the UK ICO’s (Independent Commissioner’s Office, an independent regulatory office for data protection) recommends avoiding over-reliance on consent:
(The ICO governs PECR, which dictates how data should be collected, so they are the best source of information on consent vs other means of data collection and processing.)
As a result, consent should be used when it is the most appropriate reason for data processing — as a fallback if no other lawful reason exists (e.g., for purely promotional emails).
When should I avoid consent?
As an eCommerce store, while consent can apply to your data processing, there are other lawful reasons for processing that may likely apply to you:
- processing is necessary for the performance of a contract (such as fulfilling an order or providing membership benefits).
- processing is necessary for compliance with a legal obligation (such as storing data for tax compliance, reporting, or remittance).
- processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party (except for public authorities, who cannot use this basis).
When using a valid basis for processing other than consent, you need to provide notice, with the ability to opt out of processing. The ICO is very clear on this point with respect to email (emphasis added):
In addition, you should not attempt to use consent in addition to another valid basis for processing, as one does not “outweigh” the other. In fact, if consent conflicts with another valid basis for processing, such as fulfillment of a contract, you’ve created a legal catch-22 for yourself, as you cannot fulfill one obligation without violating the other. See this video snippet from Shopify Unite as to why they are not adding general consent opt-ins to checkout to illustrate this point.
Legitimate interest as a basis for processing
Legitimate interest is the most difficult basis for processing to understand, and is also the most broad. What constitutes “legitimate interest” and how it is considered equal to consent? Does it apply to email marketing?
Legitimate interest and consent are both listed equally as valid reasons for processing data; because of this, one does not supercede the other. Legally, having a legitimate interest for processing data is the same as having consent for processing data. Therefore, consent should be used only when legitimate interest cannot be established.
So does the GDPR tell us what legitimate interest is? Unfortunately not — the ICO analysis of legitimate interest clearly shows the ambiguity of this processing basis:
Because the term ‘legitimate interest’ is broad, the interests do not have to be very compelling (although in some instances they may be) and it does not rule out interests that are more trivial.
To keep this simple, the ICO states that legitimate interest must pass three tests:
- Purpose – is there a legitimate interest behind the processing?
- Necessity – is the processing necessary for that purpose?
- Balancing – is the legitimate interest overridden by the individual’s interests, rights, or freedoms?
Let’s take a look at this from the perspective of recovering abandoned carts:
- Purpose — contacting customers who have abandoned a cart serves a legitimate interest to my business to grow sales and solicit valuable feedback from customers, uncovering issues with my online store.
- Necessity — processing an email address and sending an email is necessary to fulfill this purpose, as I cannot save sales or get feedback without communicating with the customer.
- Balancing — customers have indicated interest in my store by adding items to the cart and entering an email address. So long as I give customers the ability to opt out, I am balancing their freedoms and rights with this interest.
Essentially, legitimate interest analysis means you should follow best practices and use common sense. If you prepared a legitimate interest analysis similar to this, you couldn’t therefore justify sending a series of 12 emails, or sending emails over a month after a cart is abandoned, as these stray from your purpose in processing data.
Even further, the ICO has further details on the how other regulations relating to electronic communications interact with the GDPR with respect to online marketing and advertising, and it outlines rules on email marketing very clearly with 2 separate bases for sending emails:
- they have specifically consented to electronic mail from you; or
- they are an existing customer who bought (or negotiated to buy) a similar product or service from you in the past, and you gave them a simple way to opt out both when you first collected their details and in every message you have sent.
When customers are negotiating to buy a product, so long as you’ve provided a way to opt out of data collection, you are able to send email marketing to them, further supporting this legitimate interest analysis.
We have prepared sample legitimate interest analyses, reviewed by our legal counsel, and are happy to share them with our active users as a starting point for your own analysis. Get in touch with Tabitha or Max from your app dashboard to request this.
How is Jilt helping with notice or consent?
To our most widely used feature and the key point of this document: abandoned carts GDPR-compliance. Are abandoned cart emails okay under the GDPR and PECR? Yes.
They also meet a non-consent basis for data processing. Abandoned cart reminders fall under legitimate interest for data processing, as outlined above, and therefore do not require consent to be sent to your customers; they require notice, with the ability to opt out.
For WooCommerce and Easy Digital Downloads stores, our Jilt plugins can show your visitors a notice of data processing (under this legitimate interest basis) as data is gathered, with the ability to opt out:
For more details on this feature, please read our How can I provide notice to my visitors that their email & cart is saved? help article.
For Shopify stores, we can’t implement a similar solution, as Shopify’s checkout page is not available to apps or merchants for modification. As such, we rely on Shopify’s “I accept marketing” checkbox for consent, and use this to determine if abandoned cart emails can be sent instead. We are keeping a very close eye on Shopify changes as well for any opportunities to improve this workflow, as it’s currently unclear if this checkbox meets all standards outlined by the GDPR and PECR.
For other emails, such as post-purchase follow ups, these emails may use legitimate interest or consent as the basis for processing; this depends entirely on how you use them. If your emails are transactional in nature, such as emails that ask for feedback (“How is your order?”, “Did you receive your package?”), then this will likely pass a legitimate interest analysis.
However, if you send post-purchase emails with a sales or marketing purpose (“Ready to purchase again?”, “Please leave a product review!”), then these are more difficult to justify in a legitimate interest assessment, and therefore may require consent to be sent to customers. The Jilt plugins can collect consent at checkout for marketing emails. For more details on this, please read our How can I collect consent at checkout for marketing emails? help article.
To start, we recommend that merchants use the legitimate interest basis for sending emails, and therefore keep their own processing to practices that pass the three-part legitimate interest analysis. Very shortly, we will add the ability in Jilt for WooCommerce and Jilt for EDD to collect consent in a GDPR-compliant way as email addresses are collected for your other marketing emails if required.
Frequently Asked Questions
Q: Is recovering abandoned carts GDPR-compliant?
A: Yes, abandoned cart emails are sent on the basis of legitimate interest, which is the most flexible lawful basis for processing data but also the most open to interpretation. It’s important to follow our recovery email best practices and limit your sending to only recent abandonments with a series of 3-5 emails, sent within a week or so of abandonment. Sending dozens of emails over a long period of time after a cart abandonment would be significantly more challenging to justify.
Q: Do I need consent to send emails through Jilt?
A: This depends entirely on the kind of email you’re sending, as well as the content of your emails, so we can’t say definitively. However, for abandoned cart emails, they very strongly fall under legitimate interest for data processing, while other emails, such as post-purchase emails, may fall under legitimate interest, or require consent.
Q: Is Jilt GDPR-certified?
A: There is no certification process for GDPR compliance. Rather, this is a process and outline of practices in processing data. To that end, as a data controller, we do comply with GDPR regulations for handling your data, and as a processor, we respect your customers’ data and give you as many tools as we can to comply with the GDPR. However, your own compliance depends on how you handle data, so you must review your own privacy policies, terms of service, marketing practices, and more.
Looking to lose yourself in some legalese? Here are some really useful resources for understanding the GDPR, how it relates to online stores, and how it relates to email marketing.