How to Convert in Ecommerce in the GDPR Era

Mac Hasley
February 1, 2018

You Might Want to Rethink Your Cart Abandonment Campaign

If you’re working in Ecommerce, take a second to inventory how you use data. From the moment someone lands on your site, to the second they click “purchase”—how much do you know about them?

Do they submit their name and address and payment information? Did you collect their email address in exchange for a coupon? Have you stored their shopping cart across sessions? Automated personalized recommendations for them? Tracked their location to point them to their nearest brick-and-mortar location, or to list prices in their preferred currency?

These micro-moments of data collection and storage are all par for the course in Ecommerce right now. And for good reason: many of them improve the user experience and lead to higher conversion rates.

But with GDPR taking effect (it applies from 25 May 2018), we're entering a new landscape of data privacy and security law, one that tightly restricts how we collect, use, and store personal data throughout the customer lifecycle.

GDPR: Why it matters

GDPR, the General Data Protection Regulation, is the EU's most sweeping piece of data privacy legislation since the 1995 Data Protection Directive. It defines and strengthens the rights individuals have over the data trail they leave online.

Of course, this doesn’t seem like anything new. Europe has always had rules about how one can process the data of its citizens.

But GDPR makes things clearer and stricter, and it expands the territorial scope (Article 3). If you're established in the EU, or you're outside it but offer goods or services to people in the EU or monitor their behavior, you have to follow the new rules. The test is where the person is, not their citizenship, and it doesn't matter where your servers are.

The Lowdown on Personal Data

Arguably, the biggest change GDPR will bring for marketers has to do with how we collect, store, and use personal data.

And GDPR's definition of personal data is broad: any information relating to an identified or identifiable person (Article 4(1)). So name, ID number, location data, email, phone, address, IP address, and so on all count. Every use of it needs a lawful basis (Article 6). Shipping an order with the name and address the customer gave you is covered by the contract; using that same data to market to them, or to profile them, generally isn't, and for that you need consent. Cookie identifiers can be personal data too (Recital 30), and the ePrivacy rules require consent before you set any cookie that isn't strictly necessary for a service the user asked for.

Now, all of us (I hope) have privacy policies. Most of us mention cookies in them if our site uses cookies.

What's changed is how you ask for permission.

Consent cannot be implied.

No more; “by entering this site you accept the use of cookies.”

No more: “by downloading this piece of content you agree to be contacted about other offers and promotions.”

No more pre-checked “Contact me with the latest” boxes.

Users now have to explicitly, affirmatively, and unambiguously give you permission to use their personal data: in GDPR's words (Article 4(11)), by a "clear affirmative action."

So let’s discuss how these new standards will influence how you market in Ecommerce.

Cart Abandonment Campaigns

You have to make a tough choice here.

Back in the good old days—it was best practice to separate your checkout process into steps. To collect an email first thing, so, if your customer abandons their cart, and doesn’t end up buying—you can follow up, send them a quick set of reminder emails—perhaps offer them a discount.

No more.

GDPR is very clear: just because you have someone’s email, doesn’t mean you can use it to contact them.

Unless they consent to be contacted—ABOUT the things you want to contact them about.

Now I know what you’re thinking…you sneaky marketer.

“What if, when I collect the email addresses, underneath the form, I write something like this?”

[By submitting my email, I confirm the right to be contacted about offers and promotions by COMPANY NAME].

A big “no” to that.

Remember what GDPR says about obtaining consent? Not only do users need to consent to being contacted; they need to explicitly and *actively* consent.

They have to see your statement soliciting consent, it has to be written in clear, plain language (Article 7(2)), and they have to tick the box themselves before you have the "OK."

A few things you can do…

1. You can make checking the consent box a mandatory step before moving on to the next stage of checkout.

So, as you probably have before: separate your checkout process. Collect the email first. Get proper consent from the user to be contacted. Then move on to payment information, shipping information, and so on.

But ask yourself first: what will this do to your overall conversion rate?

How many additional potential customers are going to drop out right here, and abandon their carts—because they don’t want to sign away their inbox—just to buy a $6 shirt?

And the number of customers you’re losing here: will it be fewer than the number of folks you win back over on your cart abandonment campaign?

2. Incentives, incentives, incentives. It’s already an ecommerce best practice to usher folks away from guest checkouts, and into registration.

Or to try and get visitors onto your email list with a popup, like the folks at Modcloth:


These campaigns may become increasingly important.

If you already have someone’s email, and their explicit, active consent to use it for promotions and alerts…

And IF you (or likely, your automation software), can match this email address, to an email that’s abandoned a cart…

Then, and only then, can you contact them to complete their purchase.

The important note here is to make sure you’re getting GDPR-qualifying consent, the first time you collect their emails. If your registrants aren’t actively consenting to hear from you about alerts—you don’t get to contact them with alerts.

(Psst…we wrote a much more substantive article on how to solicit explicit consent on forms. Read it over here.)

(Excessive) Data Collection

When did you last call a customer?

If 99% of your customers are purchasing for themselves—do you need to include the company name in your form?

These are the questions GDPR demands we start acting on.

A huge part of GDPR is "data protection by design and by default" (Article 25). And a huge part of that is something called "data minimization."

For a brief explanation of this concept, we can turn to GDPR's Article 5(1)(c). It requires that personal data be adequate, relevant, and limited to what is necessary for the purposes it's processed for.

So basically: if it isn't needed for the purpose you told the user about, it shouldn't be sitting in your database. (Data you never collected can't leak in a breach, either.)

This is actually good news. Shorter forms reliably complete at higher rates. If you've been lazy about auditing the form fields in your checkout process, GDPR gives you an excuse to act.

So there are no workarounds with this one. Stop collecting data you don't need: it complies with GDPR, shrinks what you have to protect, and keeps your users happy.

Cookies

So we've already dropped this piece of bad news: cookie identifiers can be personal data under GDPR.

But here's the silver lining: not every cookie identifies a person, and some cookies are explicitly exempt from the consent requirement.

Which cookies need consent and which don't will be settled by the new ePrivacy Regulation once it's adopted; at the time of writing it's still a draft. The current ePrivacy Directive (2002/58/EC, Article 5(3)) already exempts cookies that are "strictly necessary" for a service the user has asked for, and the draft numbered 15333 spells out exceptions for common Ecommerce cookies.

In full:

Exceptions to the obligation to obtain consent to make use of the processing and storage capabilities of terminal equipment…For instance, consent should not be requested for authorizing the technical storage or access which is necessary and proportionate for the legitimate purpose of enabling the use of a specific service requested by the end-user. This may include the storing of cookies for the duration of a single established session on a website to keep track of the end-user’s input when filling in online forms over several pages, authentication session cookies used to verify the identity of end-users engaged in online transactions or cookies used to remember items selected by the end-user and placed in shopping basket. Cookies can also be a legitimate and useful tool, for example, in assessing the effectiveness of a delivered information society service, for example by helping to measure the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application. This is not the case, however, regarding cookies and similar identifiers used to determine the nature of who is using the site.

In plain English:

Your session cookies are probably okay. Not because they can't identify anyone (an authentication session cookie identifies exactly one logged-in user) but because they're necessary for a service the user asked for, and they last only until the browser session ends. The exemption is about necessity, not anonymity.

Most of them fit the criteria of "authorizing the technical storage or access which is…enabling the use of a specific service requested by the end-user."

For example, keeping track of what a user has added to their cart throughout a browser session (but no longer). Or holding onto their wish list (for as long as the session they’re browsing lasts).

Your persistent cookies—the ones that store data over several browser sessions—those are tricky.

They may fall into the exception of: “assessing the effectiveness of a delivered information society service…for example by helping to measure to the numbers of end-users visiting a website, certain pages of a website or the number of end-users of an application.”

But the second this data becomes personally identifying, we’re entering dangerous territory.

For example: counting how many users visit a certain item page, without any tie to the individual users themselves? Fine.

Identifying the behavior of one user who visits that page, across separate browser sessions—not fine.

That potentially “determines the nature of who is using the site.”

Some persistent cookies you may be running that may require consent:

  1. "Remember me" log-in tokens (the address and payment details themselves belong server-side, never in a cookie; the cookie should hold only an opaque token that refers to them)
  2. Persistent shopping carts (across sessions)
  3. Product recommendations (resulting from specific user data)
  4. Custom user interfaces / personalizations (e.g. "Welcome back, Joanne! Continue shopping?")

Even these come with gray areas. For example, you might be okay on product recommendations if they're generated only from data stored during the current session, or if they're based on aggregate, anonymized consumer data such as product popularity.

But in general: if your cookies are tied to a User ID, or ANY unique identifier, across sessions—they can potentially be attributed to a specific site visitor without their permission. And that could get you in trouble with GDPR.

So at this point, you're at a crossroads. Kill your persistent cookies altogether, or only start setting them once you've asked for consent and someone has given you the okay.
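As an added example (not part of the original post, and not Convert's code), here is how the two rules above can be enforced in one place: a consent ledger that records what each person agreed to and against which wording, a form reader that treats anything but an explicitly ticked box as no consent, the check a cart-abandonment job must pass before it may mail an address (the case from the Cart Abandonment Campaigns section), and a cookie setter that emits strictly necessary session cookies unconditionally and everything else only with recorded consent. The cookie names, purposes, and form field names are illustrative assumptions.

```python
"""Consent ledger gating cart-abandonment mail and non-essential cookies.

Added example for this post, not Convert's code. Purposes, cookie names and
the consent_<purpose> form field names are assumptions for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum


class Purpose(Enum):
    MARKETING_EMAIL = "marketing_email"    # reminders, offers, promotions
    ANALYTICS = "analytics"                # per-user measurement across sessions
    PERSONALIZATION = "personalization"    # persistent cart, "Welcome back", recommendations


@dataclass(frozen=True)
class ConsentRecord:
    """What was agreed, when, and against which wording, so the controller can
    demonstrate consent later (GDPR Article 7(1))."""
    subject: str                    # e-mail address, account id or visitor id
    purposes: frozenset[Purpose]
    statement_version: str          # version of the consent text the user saw
    granted_at: datetime


def consent_from_form(form: dict[str, str], subject: str, statement_version: str) -> ConsentRecord:
    """Only an explicitly ticked box counts. A missing field, an empty value or
    anything other than the checkbox value 'on' is no consent for that purpose."""
    granted = {p for p in Purpose if form.get(f"consent_{p.value}") == "on"}
    return ConsentRecord(subject, frozenset(granted), statement_version,
                         datetime.now(timezone.utc))


class ConsentLedger:
    """In-memory store keyed by subject; a real one would be durable and audited."""

    def __init__(self) -> None:
        self._records: dict[str, ConsentRecord] = {}

    def store(self, rec: ConsentRecord) -> None:
        self._records[rec.subject.lower()] = rec

    def allows(self, subject: str, purpose: Purpose) -> bool:
        rec = self._records.get(subject.lower())
        return rec is not None and purpose in rec.purposes


def may_send_cart_reminder(ledger: ConsentLedger, abandoned_cart_email: str) -> bool:
    """Holding the address is not enough; the ledger must show marketing consent."""
    return ledger.allows(abandoned_cart_email, Purpose.MARKETING_EMAIL)


@dataclass(frozen=True)
class CookieSpec:
    name: str
    purpose: Purpose | None        # None = strictly necessary, exempt from consent
    max_age: int | None = None     # None = session cookie, gone when the browser closes


COOKIE_CATALOG = [  # constructed catalogue for the example
    CookieSpec("sid", None),                               # authentication session
    CookieSpec("cart", None),                              # basket for this session only
    CookieSpec("uid", Purpose.ANALYTICS, 365 * 86400),     # per-user id across sessions
    CookieSpec("recs", Purpose.PERSONALIZATION, 30 * 86400),
]


def check_catalog(catalog: list[CookieSpec]) -> None:
    """A 'necessary' cookie that outlives the session is exactly the persistent,
    cross-session identifier the exemption does not cover, so refuse it."""
    for c in catalog:
        if c.purpose is None and c.max_age is not None:
            raise ValueError(f"{c.name}: strictly-necessary cookie must be session-scoped")


def set_cookie_headers(catalog: list[CookieSpec], values: dict[str, str],
                       ledger: ConsentLedger, subject: str | None) -> list[str]:
    """Build Set-Cookie values for necessary cookies and for consented ones only.
    Secure, HttpOnly and SameSite are applied to every cookie regardless."""
    check_catalog(catalog)
    headers: list[str] = []
    for c in catalog:
        if c.name not in values:
            continue
        if c.purpose is not None and not (subject and ledger.allows(subject, c.purpose)):
            continue  # no recorded consent: the cookie is simply never set
        attrs = [f"{c.name}={values[c.name]}", "Path=/", "Secure", "HttpOnly", "SameSite=Lax"]
        if c.max_age is not None:
            attrs.append(f"Max-Age={c.max_age}")
        headers.append("; ".join(attrs))
    return headers


if __name__ == "__main__":
    ledger = ConsentLedger()
    ledger.store(consent_from_form({"consent_marketing_email": "on"}, "joanne@example.com", "v3"))
    print(may_send_cart_reminder(ledger, "Joanne@example.com"))
    for h in set_cookie_headers(COOKIE_CATALOG, {"sid": "s1", "cart": "c1", "uid": "u1", "recs": "r1"},
                                ledger, "joanne@example.com"):
        print(h)
```

The server cannot tell a pre-ticked box from one the user ticked, so "no pre-checked boxes" has to be enforced in the template; what the server can do is refuse anything that isn't an explicit "on" and keep the statement version alongside the record, so you can later show exactly which wording the person agreed to.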

To sum it up…

Data touches every step of the buying process for Ecommerce customers. So for marketers, collecting, and using, data appropriately needs to be a concern—every step of the way.

Many ecommerce best practices—using cookies to personalize an experience, or following up with an email after a cart has been abandoned—are now going to require straight-forward, unambiguous, and active consent.

And with that extra step, the digital marketing landscape is changing for the better. As we implement GDPR, we're turning towards a greater concern for our users' privacy. Towards a stronger email list, of customers who actually want to hear from us. And towards a higher set of expectations as to what it means to market decently, and transparently.

Originally published February 01, 2018 - Updated January 21, 2022
Mac Hasley is a content strategist at Convert, a copywriter across the webz, and an advocate for marketing that is humble and kind.
