Abandoned cart email compliance: CAN-SPAM, GDPR, CCPA
Practical checklist for abandoned cart email compliance across CAN-SPAM, GDPR/PECR, and CCPA—footer, consent capture, opt-outs, Shopify+Klaviyo steps, and audit tasks.
If you send abandoned cart reminders, you’re operating across overlapping rules: CAN-SPAM in the U.S., GDPR/UK GDPR plus PECR in Europe and the U.K., and CCPA/CPRA in California. This plain‑English checklist shows exactly what to configure—footer, consent, and opt‑out—so you can recover revenue without risking fines. It’s written for Shopify + Klaviyo teams, but the principles apply broadly. This is practical guidance, not legal advice—when in doubt, consult counsel.
Key takeaways
Here’s the deal: you don’t need prior consent under U.S. CAN‑SPAM, but you must include a working unsubscribe mechanism (no more than a reply email or a single web page visit, no fee, no data beyond the email address) and a valid physical postal address, avoid deceptive headers and subject lines, and honor opt‑outs within 10 business days, per the Federal Trade Commission’s CAN‑SPAM guide. For EU/UK individuals, default to consent or satisfy all of PECR’s soft opt‑in conditions, and include an opt‑out in every message, as set out in the U.K. ICO’s electronic mail marketing guidance. Under California’s CCPA/CPRA, emphasize transparency and choice: provide a Notice at Collection, disclose retention, offer a “Do Not Sell or Share” control, and honor Global Privacy Control (GPC) without dark patterns, following the CPPA’s final regulations and enforcement advisories.
Abandoned cart email compliance: the quick audit
Use this 10‑minute pass to catch the top risks before you turn anything on.
Footer shows your business name and a valid physical mailing address, plus an unsubscribe link that works for at least 30 days after send and needs no more than a single page visit (no login, no fee, no data beyond the email address); opt‑outs are honored within 10 business days (see the Federal Trade Commission’s CAN‑SPAM compliance guide: https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business).
Subject lines and sender names are truthful; you’re not disguising a marketing reminder as a receipt.
EU/UK flows only email people who have explicit consent—or meet all PECR “soft opt‑in” conditions—and every message includes a clear opt‑out (per the U.K. ICO’s PECR electronic mail marketing guidance: https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/).
Your California notices at collection cover email marketing purposes and retention; your “Do Not Sell or Share” control is easy to find and honors GPC automatically (per CPPA final regulations: https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf).
Consent capture is recorded (timestamp, form location, checkbox copy); opt‑out logs are retained.
Shopify’s native abandoned checkout emails are disabled to avoid duplicates (Shopify Help: https://help.shopify.com/en/manual/orders/abandoned-checkouts/abandoned-checkout-emails).
Klaviyo segments and flow filters exclude “Unsubscribed” and “Never Subscribed” (for regions where consent is required) and rely on suppression lists (Klaviyo Help on consent states: https://help.klaviyo.com/hc/en-us/articles/360037101072).
The full regionalized checklist for abandoned cart email compliance
Follow these steps in order: before setup, during setup, and after launch. Regional rules are called out so you can apply the right standard.
Before you build any flow
Choose your lawful basis by region.
U.S. (CAN‑SPAM): consent is not required to send commercial emails, but format and opt‑out rules apply; see the Federal Trade Commission’s CAN‑SPAM guide: https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business.
EU/UK (GDPR/UK GDPR + PECR): prefer explicit consent for individuals; PECR’s soft opt‑in may allow marketing about similar products/services if you offered an opt‑out at collection and include one in every email (ICO PECR guidance: https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/).
California (CCPA/CPRA): focus on transparency and consumer choice (sale/sharing opt‑out, GPC), not email consent (CPPA regulations text: https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf).
Update privacy notices.
Add the purposes for email reminders and any profiling used for triggering; disclose categories of data and retention (or criteria) for each, as required under CPRA (CPPA regulations above).
Link to your privacy policy from capture points and emails.
Prepare consent and capture points (EU/UK priority).
Use an unbundled checkbox (no pre‑ticks) for marketing emails at checkout or signup; record the exact wording (ICO consent standards are included within the PECR guidance hub above).
If using PECR soft opt‑in, show a clear “opt out of email marketing” choice at collection and ensure your abandoned cart content is strictly about similar products/services (ICO guidance as above).
During setup
Footer format (applies globally; U.S. mandates specifics)
Include your business name and a valid physical postal address.
Add an unsubscribe link that works with a single web page visit or a reply email: no login, no fee, no data beyond the email address, and no additional steps (FTC CAN‑SPAM guide above).
Keep the link working for at least 30 days after sending (FTC CAN‑SPAM guide).
Unsubscribe mechanics
Honor opt‑outs within 10 business days (U.S.) per FTC.
Provide an easy opt‑out in every message (EU/UK PECR), and make withdrawal of consent as easy as giving it (ICO PECR guidance).
Segmentation and suppression
Exclude “Unsubscribed” everywhere.
For EU/UK, include only email “Subscribed” profiles (or those qualifying for soft opt‑in—document that status) and exclude “Never Subscribed” (Klaviyo Help on consent states: https://help.klaviyo.com/hc/en-us/articles/360037101072).
Maintain a durable do‑not‑email suppression list (Klaviyo suppression behavior: https://help.klaviyo.com/hc/en-us/articles/115005246108).
Content constraints
Don’t use deceptive subjects or headers (FTC CAN‑SPAM guide).
If relying on soft opt‑in, keep to similar products/services and avoid cross‑sell into unrelated categories (ICO guidance).
California sale/sharing choices (if applicable)
Expose a “Do Not Sell or Share My Personal Information” control that is easy to find and understand.
Honor GPC automatically; avoid dark patterns (no asymmetrical choices or unnecessary friction) per CPPA regulations and enforcement advisory (https://cppa.ca.gov/pdf/enfadvisory202402.pdf).
After launch (ongoing duties)
Logging and evidence
Store consent records: timestamp, source page, checkbox copy, and IP/geo when available.
Keep opt‑out logs and the exact email footer/version used.
Timelines and processes
U.S.: process unsubscribes within 10 business days; the opt‑out link must function for ≥30 days post‑send (FTC guide).
California: honor sale/sharing opt‑outs no later than 15 business days after receipt, and respond to access/delete requests within 45 days (extendable once by a further 45 days if you notify the consumer), per the CPPA regulations linked above.
Testing and audits (quarterly)
Test an unsubscribe click end‑to‑end.
Validate a California GPC signal results in opt‑out treatment.
Confirm no duplicate sends (Shopify native vs Klaviyo) and that suppressed profiles never receive marketing.
Example snippets you can adapt
Footer line (U.S. format clarity)
You’re receiving this because you interacted with our store. Unsubscribe instantly here.
Company Name · 123 Commerce Ave, City, ST 00000
EU/UK marketing checkbox copy (consent model)
Email me about products, offers, and cart reminders. You can unsubscribe anytime.
Shopify + Klaviyo playbook for abandoned cart email compliance
Disable Shopify native abandoned checkout emails
Shopify Admin → Settings → Checkout → Customer emails → Abandoned checkout → turn off the native automation (or in Marketing → Automations, disable “Abandoned checkout”) (Shopify Help: https://help.shopify.com/en/manual/orders/abandoned-checkouts/abandoned-checkout-emails).
Map consent into Klaviyo
Ensure your checkout/signup checkbox maps to “email marketing = subscribed” and records source and timestamp (Klaviyo consent states: https://help.klaviyo.com/hc/en-us/articles/360037101072).
Use double opt‑in for EU/UK lists when you want stronger proof.
Segment and filter your abandoned cart flow
Include: email “Subscribed” profiles only (EU/UK) or your standard marketing‑eligible segment.
Exclude: “Unsubscribed,” “Never Subscribed,” hard bounces, and any suppression lists (Klaviyo suppression behavior: https://help.klaviyo.com/hc/en-us/articles/115005246108).
Add a frequency cap and fail‑safe: if a user unsubscribes mid‑flow, all remaining messages are skipped.
Build compliant footers by default
Add business name, valid postal address, and an unsubscribe link to every template; keep the footer in one shared partial that every template includes, so the wording and address cannot drift between flows.
Test before launch
QA with a seed list across regions: confirm consent state routing, footer rendering, and unsubscribe behavior; click your own GPC‑enabled browser journey to verify opt‑out handling (CPPA regs: https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf).
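The segmentation, suppression and mid‑flow fail‑safe rules above are normally configured in Klaviyo’s segment builder and flow filters. The script below is an added example, not Klaviyo’s or Shopify’s code: it models the same rules as one pure eligibility function plus a flow runner that re‑checks consent before every send, so you can unit test the policy (or run it in a seed‑list QA job) before trusting the platform configuration. The field names, consent‑state strings, the region list and the sample profiles are all constructed for this example and do not mirror Klaviyo’s API schema.

```python
"""Eligibility gate and fail-safe for an abandoned cart flow.

Added example (not Shopify's or Klaviyo's code). Field names, consent-state
strings, the region list and the sample profiles are constructed here.
"""
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Callable, Optional

# EU member states plus the UK: marketing to individuals needs consent or a
# documented soft opt-in. Constructed list; extend it (e.g. EEA) as counsel advises.
CONSENT_REQUIRED_REGIONS = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR",
    "HU", "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK",
    "SI", "ES", "SE", "GB",
}


@dataclass
class Consent:
    state: str                        # "subscribed" | "unsubscribed" | "never_subscribed"
    timestamp: Optional[datetime] = None
    source: Optional[str] = None      # where the checkbox lived, e.g. "checkout"
    checkbox_copy: Optional[str] = None
    soft_opt_in: bool = False         # opt-out was offered at collection during a sale


@dataclass
class Profile:
    email: str
    region: str                       # ISO 3166-1 alpha-2
    consent: Consent
    hard_bounced: bool = False


def is_eligible(profile: Profile, suppression: set[str]) -> tuple[bool, str]:
    """Return (eligible, reason). Suppression, bounces and unsubscribes win
    everywhere; EU/UK profiles additionally need evidenced consent or a
    documented soft opt-in; elsewhere (CAN-SPAM model) no prior consent is required."""
    email = profile.email.strip().lower()
    if email in suppression:
        return False, "suppressed"
    if profile.hard_bounced:
        return False, "hard_bounce"
    c = profile.consent
    if c.state == "unsubscribed":
        return False, "unsubscribed"
    if profile.region.upper() in CONSENT_REQUIRED_REGIONS:
        if c.state == "subscribed":
            # Consent you cannot evidence (when, where, what wording) is consent
            # you cannot rely on: treat it as missing rather than sending anyway.
            if not (c.timestamp and c.source and c.checkbox_copy):
                return False, "consent_unevidenced"
            return True, "consent"
        if c.soft_opt_in:
            return True, "soft_opt_in"
        return False, "no_consent"
    return True, "no_prior_consent_required"


def run_flow(profile: Profile, steps: list[str], suppression: set[str],
             after_send: Optional[Callable[[str, Profile, set[str]], None]] = None) -> list[str]:
    """Send steps in order, re-checking eligibility before each one so an
    unsubscribe or suppression that lands mid-flow stops the remaining messages.
    Never cache the result from enrollment time."""
    sent = []
    for step in steps:
        ok, _reason = is_eligible(profile, suppression)
        if not ok:
            break
        sent.append(step)             # stand-in for the real send call
        if after_send:
            after_send(step, profile, suppression)
    return sent


def opt_out_deadline(received_iso: str, business_days: int = 10) -> str:
    """CAN-SPAM: honor an opt-out within 10 business days of receipt.
    Weekends are skipped; public holidays are not modeled."""
    d = date.fromisoformat(received_iso)
    remaining = business_days
    while remaining > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            remaining -= 1
    return d.isoformat()


# Constructed sample data for a seed-list style check.
NOW = datetime(2024, 6, 3, 12, 0, tzinfo=timezone.utc)
SUPPRESSION = {"blocked@example.com"}
CHECKBOX = "Email me about products, offers, and cart reminders. You can unsubscribe anytime."
EU_CONSENTED = Profile("anna@example.de", "DE", Consent("subscribed", NOW, "checkout", CHECKBOX))
EU_UNEVIDENCED = Profile("ben@example.fr", "FR", Consent("subscribed"))
EU_NEVER = Profile("cara@example.ie", "IE", Consent("never_subscribed"))
US_NEVER = Profile("dan@example.com", "US", Consent("never_subscribed"))
FLOW = ["reminder_1", "reminder_2", "reminder_3"]


def unsubscribe_after_first(step: str, profile: Profile, suppression: set[str]) -> None:
    """Simulates a customer clicking unsubscribe right after the first reminder."""
    if step == "reminder_1":
        profile.consent.state = "unsubscribed"


if __name__ == "__main__":
    for p in (EU_CONSENTED, EU_UNEVIDENCED, EU_NEVER, US_NEVER):
        print(p.email, is_eligible(p, SUPPRESSION))
    print(run_flow(Profile("eve@example.com", "US", Consent("never_subscribed")),
                   FLOW, SUPPRESSION, unsubscribe_after_first))
    print(opt_out_deadline("2024-06-03"))
```

The point of `run_flow` re‑calling `is_eligible` before every step is the fail‑safe in the playbook: a profile enrolled while eligible must drop out the moment it unsubscribes or is suppressed, not after the flow finishes. The `consent_unevidenced` branch is deliberately strict, because a “Subscribed” flag with no timestamp, source or wording is what you cannot produce when a regulator asks.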
When a “transactional‑only” reminder makes sense (EU/UK)
Some teams prefer a single, purely transactional nudge for EU/UK visitors—no offers, no cross‑sell, no styling that implies marketing. If you take this path, keep it one time only, use neutral copy, and avoid any marketing content. Because this approach turns on narrow interpretations of “negotiations of a sale” and content boundaries, confirm with counsel based on your specific data flows.
Further resources
Federal Trade Commission — CAN‑SPAM Act: A Compliance Guide for Business: https://www.ftc.gov/business-guidance/resources/can-spam-act-compliance-guide-business
UK Information Commissioner’s Office — Electronic mail marketing (PECR): https://ico.org.uk/for-organisations/direct-marketing-and-privacy-and-electronic-communications/guide-to-pecr/electronic-and-telephone-marketing/electronic-mail-marketing/
California Privacy Protection Agency — Final CCPA/CPRA Regulations (03/29/2023): https://cppa.ca.gov/regulations/pdf/20230329_final_regs_text.pdf
CPPA Enforcement Advisory on dark patterns (2024‑02): https://cppa.ca.gov/pdf/enfadvisory202402.pdf
Shopify Help Center — Abandoned checkout emails: https://help.shopify.com/en/manual/orders/abandoned-checkouts/abandoned-checkout-emails
Klaviyo Help Center — Understanding consent in profiles: https://help.klaviyo.com/hc/en-us/articles/360037101072
Example of transparent disclosures you can emulate in your own policy: Attribuly — Privacy Policy: https://attribuly.com/policies/privacy-policy/
Re‑audit quarterly. Laws and platform behaviors evolve; keep logs, test your opt‑outs, and ask yourself: for your abandoned cart email compliance today, would a customer say their choices are obvious and respected?