The Privacy Act, the Spam Act, and industry codes all
affect how you use the details of online shoppers who have
abandoned their shopping carts before completing the
Online customers can sometimes enter their names, phone numbers,
and perhaps other contact details to start an order via a website,
but, on the check-out page (usually where credit card information
is requested), then decide to exit the website without completing
Instead of seeing this as a missed sale, savvy online retailers
see these abandoned shopping carts as a valuable target for sales
A simple but powerful marketing tool for a business is to
contact those individuals, using the details provided, in the hope
of closing the sales.
However, there are potential legal traps for the unwary if they
don't understand the legal limits of what they can (and
can't) do with those details.
Has the potential online customer consented?
Any business sending a commercial email, SMS or MMS message to
an individual who has abandoned a shopping cart will breach the
Spam Act 2003 (Cth) unless the individual has consented to being
contacted in this way.
Similarly, under the Do Not Call Register Act 2006 (Cth), a
business cannot make a telemarketing call to an individual whose
telephone number appears on the Do Not Call Register without that
Issues can also arise under Australia's privacy regime where
a business uses personal information collected from an individual
for direct marketing purposes without that person's
Consent can be express, for instance, where individuals tick a
box confirming that they are content to be contacted for marketing
purposes. Consent can also be inferred where individuals would
reasonably expect the business to use the information they provided
to contact them about the contents of their abandoned shopping
Businesses may believe that they have inferred consent to
contact potential customers for marketing purposes using the
details provided at the website. The difficulty is that it has not
been clearly established in Australia that the provision of
personal details for an abandoned shopping cart means that a
business can infer consent to contact those individuals for
marketing purposes. In at least one UK case, a court found that
there was no inferred consent in those circumstances.
This level of uncertainty creates a compliance risk because,
under the legislation, it is up to the business to prove that
consent was provided in any case where a complaint arises.
What you need to do so you can use information from an
abandoned shopping cart
Ensure that your webpages ask potential customers for permission
to contact them for marketing purposes when your business collects
their email addresses, telephone numbers and other personal
details. Be specific about how they will be contacted, and for what
explicitly disclose that personal information collected from both
customers and potential customers will be used for direct marketing
To ensure that your business has obtained express consent, make
sure that there is a positive opt-in through a tick box that all
potential customers are required to complete
before the order is completed. Don't rely on
opt-out mechanisms or pre-checked tick boxes as these are not
regarded by regulators as acceptable ways of gaining consent.
Recognise that issues can emerge with abandoned shopping carts
if a tick box is left to the check-out page.
Bear in mind that express consent will be taken to last for a
period of three months from the date it was given, for the purposes
of the Do Not Call Register, unless the consent was expressed to
have been for a specified period or an indefinite period.
To ensure compliance with the Spam legislation, make sure that
any email, SMS or MMS your business sends contains clear and
accurate identifying information about you, as the business that
authorised the sending of the message. You must also ensure that
you provide a simple means by which the individuals may easily
request not to receive direct marketing communications from your
Finally, remember that all telemarketers are required to comply
with the new Telemarketing and Research Industry Standard 2017
which (like its 2007 predecessor) sets minimum levels of conduct
for the telemarketing and market research industries, but has also
introduced new restrictions on when calls can be made, and how the
caller identifies itself.
Clayton Utz communications are intended to provide
commentary and general information. They should not be relied upon
as legal advice. Formal legal advice should be sought in particular
transactions or on matters of interest arising from this bulletin.
Persons listed may not be admitted in all states and