Hessian data authority declares abandoned shopping cart emails illegal

Data protection regulator finds that promotional emails to non-customers violate GDPR consent requirements, affecting practices across e-commerce industry.

GDPR compliance illustration showing abandoned cart email restrictions and consent requirements for e-commerce.

The Data Protection Authority of Hesse has determined that promotional emails sent to shoppers who abandon their online shopping carts constitute illegal advertising under the General Data Protection Regulation (GDPR). The findings, detailed in the authority's latest annual report for 2024, address one of the most common digital marketing practices in e-commerce.

According to the DPA, promotional emails targeting cart abandoners are considered advertising since no contractual relationship exists between the company and the customer when purchases remain incomplete. Studies referenced in the report show that abandonment rates for online purchases range from 65 percent to over 80 percent depending on the sector. The authority reports receiving a high number of complaints associated with emails that companies send to re-engage shoppers who have left items in their carts without completing checkout.

In all complaints received by the DPA, there was no prior existing customer relationship and none of the data subjects had given their consent to data processing. Therefore, sending promotional emails to these individuals was not legally permissible under the GDPR. The authority's analysis reveals fundamental problems with how e-commerce companies interpret data processing laws for abandoned cart scenarios.

Since transactions are not finalized, there is no actual contract despite customers providing their email addresses during the initiated ordering process. Therefore, such reminders constitute advertising and are only permissible with explicit consent in accordance with Article 6(1)(a) GDPR in conjunction with Section 7 UWG (Unfair Competition Act; transposition of Article 13 ePrivacy Directive). The wording must clearly indicate that the person is agreeing to the collection and processing of their data. Simply entering an email address during an online ordering process does not suffice.

The assertion that these emails are pre-contractual measures and that the processing can be based on Article 6(1)(b) GDPR is legally unfounded. After the order process has been cancelled, promotional emails can no longer be justified as pre-contractual measures.


Summary

Who: The Data Protection Authority of Hesse issued regulatory guidance affecting e-commerce companies sending abandoned cart emails to non-customers without explicit consent.

What: The authority determined that promotional emails to cart abandoners constitute illegal advertising under GDPR when no prior customer relationship exists and explicit consent has not been obtained.

When: The findings were published in the authority's annual report for 2024, addressing complaints received throughout that year.

Where: The findings concern controllers under the supervision of the Hessian authority in Germany, but they may influence how other German state authorities and data protection regulators elsewhere in the European Union interpret the same rules.

Why: The authority found that abandoned cart emails violate GDPR consent requirements because incomplete transactions create no contractual relationship, making subsequent promotional communications unauthorized advertising that requires explicit consent rather than implied permission through email collection.

Different rules for existing customers

A different situation arises if the data subject was logged in to an existing customer account when the cart was abandoned, so that an established customer relationship exists. Even then, the additional UWG requirements (based on Article 13(2) ePrivacy Directive) apply: only advertising for products and services similar to those already purchased is allowed, the customer must not have objected, and every email must inform the recipient of the right to object.

The distinction between new and existing customers creates concrete compliance requirements for e-commerce operators. Companies must implement systems that differentiate between logged-in customers with an established relationship and anonymous visitors who enter an email address at checkout but never complete a purchase.

This regulatory interpretation has significant implications for email marketing compliance across digital retail platforms. Cart abandonment emails represent a cornerstone of e-commerce marketing automation, with many retailers depending on these communications to recover potentially lost sales.

Enforcement actions taken

In all cases reported to the DPA, the controllers were reprimanded under Article 58(2)(b) GDPR. The reprimands indicate that while violations occurred, the authority chose administrative warnings rather than monetary penalties for these specific infractions.

The Hessian authority's annual report for 2024 provides detailed statistics on data protection violations across multiple sectors. The document reveals that advertising and marketing violations represent a substantial portion of complaints filed with the regulator. The authority processed 5,751 total documented inputs in 2024, including 3,839 formal complaints, 1,171 advisory consultations, and 741 notifications.

Data violations in the credit economy, collections, trade and commerce sectors represented 537 cases in 2024, down from 718 cases in 2023. Technical and IT-related violations increased from 466 to 477 cases year-over-year. Healthcare sector violations rose from 299 to 323 cases.

Technical compliance requirements

The regulatory findings translate into concrete requirements for e-commerce platforms. An email address collected during checkout cannot serve as implicit consent for promotional communications. Companies must implement explicit consent mechanisms that clearly explain the data processing purpose before the address is used for marketing.

For marketing automation systems, the findings require changes to cart abandonment workflows. Platforms must distinguish between customers with an established relationship and first-time visitors. Anonymous visitors who provide an email address but abandon the purchase cannot receive promotional follow-up without separate, explicit consent.
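The gate below is an added example, not code from the Hessian authority's report or from any marketing platform. It models the two routes the report distinguishes as a single send-time decision: an explicit, purpose-specific consent record (Article 6(1)(a) GDPR), or the existing-customer exception (Section 7(3) UWG), which requires a logged-in customer with a completed purchase, similar goods, no objection, and a right-to-object notice in the email. All field names, the purpose key and the sample shoppers are assumptions constructed for illustration.

```python
"""Consent-gated decision for sending an abandoned-cart email.

Added example; not the DPA's or any vendor's code. The data model and the
purpose key are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Optional, Tuple

CART_MARKETING = "abandoned_cart_marketing"   # hypothetical purpose key


@dataclass
class ConsentRecord:
    purpose: str                      # purpose the person actually agreed to
    wording: str                      # opt-in text shown, kept as evidence
    given_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class Shopper:
    email: str
    logged_in: bool = False                        # authenticated to an account
    purchased_categories: frozenset = frozenset()  # categories of completed orders
    objected_to_marketing: bool = False            # exercised the right to object
    consents: List[ConsentRecord] = field(default_factory=list)


@dataclass
class AbandonedCart:
    shopper: Shopper
    item_categories: frozenset


@dataclass
class EmailTemplate:
    name: str
    has_optout_notice: bool   # tells the recipient how to object / withdraw


def has_explicit_consent(shopper: Shopper) -> bool:
    """Consent counts only if it names this purpose and was not withdrawn.
    An address typed into the checkout form never creates such a record."""
    return any(c.purpose == CART_MARKETING and c.withdrawn_at is None
               for c in shopper.consents)


def may_send_cart_email(cart: AbandonedCart,
                        template: EmailTemplate) -> Tuple[bool, str]:
    """Send-step gate. Returns (allowed, legal basis or refusal reason)."""
    s = cart.shopper
    if not template.has_optout_notice:
        # Required in every mail on the UWG route; on the consent route the
        # recipient must be able to withdraw as easily as they consented
        # (Art. 7(3) GDPR), so the gate refuses either way.
        return False, "template lacks right-to-object / withdrawal notice"
    if has_explicit_consent(s):
        return True, "Art. 6(1)(a) GDPR consent on file"
    # No consent: only the existing-customer exception (Sec. 7(3) UWG) remains.
    if not s.logged_in or not s.purchased_categories:
        return False, "no contract and no consent: cart abandoner is not a customer"
    if s.objected_to_marketing:
        return False, "existing customer has objected"
    if not (cart.item_categories & s.purchased_categories):
        return False, "not similar to goods previously purchased"
    return True, "Sec. 7(3) UWG existing-customer exception"


def demo() -> dict:
    """Constructed sample shoppers; returns the gate's verdict for each."""
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    ok_tpl = EmailTemplate("cart-reminder", has_optout_notice=True)
    bad_tpl = EmailTemplace = EmailTemplate("cart-reminder-no-notice", has_optout_notice=False)
    shoes = frozenset({"shoes"})
    books = frozenset({"books"})
    anon = Shopper("a@example.invalid")                       # typed address only
    consented = Shopper("b@example.invalid", consents=[ConsentRecord(
        CART_MARKETING, "Yes, email me about items left in my cart", now)])
    customer = Shopper("c@example.invalid", logged_in=True,
                       purchased_categories=shoes)
    objector = Shopper("d@example.invalid", logged_in=True,
                       purchased_categories=shoes, objected_to_marketing=True)
    return {
        "anonymous": may_send_cart_email(AbandonedCart(anon, shoes), ok_tpl),
        "consented": may_send_cart_email(AbandonedCart(consented, shoes), ok_tpl),
        "customer_similar": may_send_cart_email(AbandonedCart(customer, shoes), ok_tpl),
        "customer_dissimilar": may_send_cart_email(AbandonedCart(customer, books), ok_tpl),
        "customer_objected": may_send_cart_email(AbandonedCart(objector, shoes), ok_tpl),
        "consented_no_notice": may_send_cart_email(AbandonedCart(consented, shoes), bad_tpl),
    }


if __name__ == "__main__":
    for case, (allowed, why) in demo().items():
        print(f"{case:22s} {'SEND' if allowed else 'BLOCK':5s} {why}")
```

The gate deliberately refuses before looking at any legal basis when the template carries no opt-out notice, and it never consults the checkout email field as a source of consent: the only thing that can unlock the consent route is a stored record naming this purpose. Logging the returned reason alongside each send or suppression gives the audit trail a regulator would ask for after a complaint.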

The growing regulatory scrutiny of digital marketing practices reflects broader enforcement trends across European data protection authorities. Recent high-profile cases involving major technology platforms demonstrate increased willingness to impose substantial penalties for GDPR violations.

E-commerce companies operating across multiple European markets must now evaluate their cart abandonment strategies against varying national interpretations of GDPR requirements. The Hessian authority's position may influence similar rulings in other German states and potentially across the European Union.

Marketing industry implications

The ruling creates immediate compliance challenges for digital marketing teams across retail sectors. Cart abandonment emails typically recover substantial revenue for e-commerce operators, with industry studies reporting conversion rates between 10 and 30 percent for well-designed campaigns.

Marketing professionals must now implement consent collection mechanisms specifically for abandoned cart scenarios. This requirement may reduce email list growth rates and conversion performance metrics traditionally associated with these campaigns.

Privacy compliance in digital advertising continues evolving as regulators interpret GDPR applications to emerging marketing technologies. The intersection of automation, personalization, and consent requirements creates complex technical and legal challenges for marketing operations.

Companies utilizing marketing automation platforms must audit their current cart abandonment configurations against the new compliance requirements. This includes reviewing email templates, consent collection mechanisms, and data processing documentation.

The regulatory interpretation affects not only direct-to-consumer retailers but also marketplaces, subscription services, and any platform that collects email addresses during incomplete transactions. B2B companies with online ordering systems may face similar questions when following up on incomplete business orders, although the report's findings concern consumer complaints.

Industry response required

E-commerce platforms must implement immediate changes to comply with the Hessian authority's interpretation. This includes developing explicit consent mechanisms for cart abandonment scenarios and modifying existing email workflows to exclude non-consenting users.

Legal teams across retail organizations are likely reviewing current practices against the regulatory guidance. The authority's detailed explanation of what constitutes acceptable versus prohibited practices provides clear implementation guidelines for compliance teams.

Although the reprimands bind only the controllers concerned, the authority's position may influence enforcement by other German data protection authorities. Companies operating across multiple German states should prepare for these standards to be applied consistently.

Marketing technology vendors specializing in e-commerce automation face pressure to update their platforms with enhanced consent management capabilities. The ruling affects not only individual retailers but also the broader ecosystem of tools and services supporting cart abandonment campaigns.

Technical implementation challenges include developing consent collection interfaces that don't significantly impact conversion rates while meeting explicit consent requirements. User experience designers must balance regulatory compliance with commercial objectives.

Timeline