Your Abandoned Cart Plugin Captures Emails Before Consent

April 8, 2026
by Cherry Rose

You installed a GDPR consent banner. You added an abandoned cart plugin. You assumed they work together. American Express was fined £90,000 for sending 4 million unsolicited emails — and the compliance gap in most WooCommerce stores works the same way. The banner handles cookies. The cart plugin handles something the banner never touches.

The GDPR Data Collection Problem Nobody Talks About

Here’s what actually happens when a visitor types their email address into your WooCommerce checkout field. Most abandoned cart plugins — Abandoned Cart Lite, WooCommerce’s own follow-up emails, Retainful, CartFlows — use JavaScript to capture the email address the moment it’s typed. Not when the form is submitted. Not after consent is confirmed. The moment the keystrokes land, or at the latest when focus leaves the field.

That captured email address is then stored server-side, associated with the cart session. Your consent banner hasn’t fired yet. The visitor hasn’t accepted anything. The email exists in your database.

Capturing an email address from a form field is itself a personal data processing event under GDPR Article 4(2). Article 6 requires a lawful basis for every processing event. The consent banner governs cookies. It says nothing about what happens to the text entered into checkout fields before any purchase is completed.


When your abandoned cart plugin captures an email mid-checkout, there are three legal bases a store owner might reach for. Two of them don’t hold up.

Contract Performance (Article 6(1)(b))

Contract performance allows processing data necessary to fulfil a contract the user is entering into. The problem: the user hasn’t entered into a contract. They’ve typed into a form field and left. There is no contract. This basis fails at the threshold.

Legitimate Interests (Article 6(1)(f))

This is where most legal analyses get complicated. LI requires a three-part balancing test: the interest must be legitimate, the processing must be necessary, and the interest must not be overridden by the data subject’s fundamental rights. GDPR enforcement decisions have consistently found that capturing pre-consent email data for commercial follow-up fails the balancing test — particularly where the individual hasn’t even completed the transaction that initiated the interaction.

The EDPB’s October 2024 Guidelines 1/2024 on Legitimate Interests explicitly noted that processing for direct marketing purposes requires careful balancing, with particular scrutiny on whether the individual reasonably expects their data to be captured at all. Typing into a checkout field and abandoning is not a clear signal of consent to email marketing.

Consent (Article 6(1)(a))

Consent is the cleanest legal basis here — but most abandoned cart plugins don’t gate the capture on it. They capture first, regardless of what the visitor does with the consent banner.

60–70% of EU visitors reject cookie banners when the banner is genuinely compliant. If your plugin is capturing emails pre-consent and those visitors subsequently reject the banner, you now hold data you have no valid basis to retain.


What About the ePrivacy Soft Opt-In?

The ePrivacy Directive includes a “soft opt-in” provision that allows businesses to email existing customers about similar products without fresh consent. This applies to the sending of the email — not to the underlying data capture. You still need a valid legal basis to have captured and retained the email address in the first place.

The soft opt-in is also limited to existing customers: people who have previously purchased from you. An abandoned cart visitor who never completed a transaction is not an existing customer. The soft opt-in doesn’t apply to them at all.

GDPR fines for improper email consent reached €479.6 million in September 2025 alone — nearly 10% of all fines issued since 2018. Abandoned cart email practices are now a documented enforcement area across EU supervisory authorities, not a theoretical risk.

Where the Actual Problem Lives in Your Stack

The compliance failure isn’t in your email template or your send frequency. It’s in where your plugin sits in the event pipeline. Client-side JavaScript capture — the standard implementation for almost every WooCommerce abandoned cart plugin — fires before any server-side consent check is possible. The data exists before your systems know whether the visitor consented.

The architectural solution is moving the capture event to the server side and enforcing the consent gate there. WooCommerce fires server-side hooks at specific checkout stages: woocommerce_checkout_update_order_meta, woocommerce_new_order, and woocommerce_checkout_order_processed. These hooks fire only when the visitor has actively progressed the checkout — a clear signal of intent, and a logical point to evaluate consent state before storing contact data.

This is where Transmute Engine™ and the inPIPE WordPress plugin create a different data architecture. inPIPE hooks into WooCommerce’s server-side event layer rather than JavaScript field listeners. Consent state is evaluated at the hook level — before data is batched and forwarded to any destination. The email address doesn’t enter the tracking pipeline until there’s a valid basis to process it.
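The server-side consent gate described above, as an added example that is not inPIPE’s, Transmute Engine’s or WooCommerce’s own code: an explicit, unticked consent checkbox on the checkout form, and a woocommerce_checkout_order_processed handler that records the visitor’s decision on the order and only hands the address to the follow-up pipeline when consent was given. The field name, the meta keys and the my_store_queue_cart_followup() helper are assumptions for illustration.

```php
<?php
// Added example: consent-gated, server-side capture for cart follow-up.
// Field name, meta keys and my_store_queue_cart_followup() are assumed.

// 1. Add an explicit consent checkbox to the checkout form.
//    It is unticked by default, so silence is never read as consent.
add_filter( 'woocommerce_checkout_fields', function ( $fields ) {
    $fields['billing']['cart_followup_consent'] = array(
        'type'     => 'checkbox',
        'label'    => 'Email me about this cart if I do not complete checkout',
        'required' => false,
        'default'  => 0,
        'priority' => 200,
    );
    return $fields;
} );

// 2. Evaluate consent at the hook, after the visitor has placed the order.
//    WooCommerce copies fields registered via woocommerce_checkout_fields into
//    $posted_data already sanitised; a checkbox arrives as 1 or 0.
add_action( 'woocommerce_checkout_order_processed', function ( $order_id, $posted_data, $order ) {
    $consented = ! empty( $posted_data['cart_followup_consent'] );

    // Record the decision itself, so the basis for any later processing is auditable.
    $order->update_meta_data( '_cart_followup_consent', $consented ? 'yes' : 'no' );
    $order->update_meta_data( '_cart_followup_consent_at', $consented ? time() : '' );
    $order->save();

    if ( ! $consented ) {
        // No lawful basis recorded: the address never enters the follow-up pipeline.
        return;
    }

    $email = $order->get_billing_email();
    if ( is_email( $email ) ) {
        // Assumed helper: queues the follow-up in whatever store the site uses.
        my_store_queue_cart_followup( $email, $order_id );
    }
}, 10, 3 );
```

A visitor who abandons before placing the order never reaches this hook, so no address is stored for them at all; a visitor who places the order with the box unticked gets an order record with the refusal logged and no follow-up entry.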


Three Things to Check in Your Store Right Now

  1. When does your plugin actually capture the email? Look at the plugin’s source or documentation. Does it mention “real-time capture”, “keypress tracking”, or “partial form submission”? Those phrases mean client-side, pre-consent capture.
  2. What happens when a visitor rejects your consent banner? If a captured email address persists in your database after a visitor rejects the banner, you’re holding data without a legal basis. Test it — reject your own banner and check your abandoned cart records.
  3. Is your consent banner actually blocking the plugin? Cookie consent banners don’t disable JavaScript plugins unless you’ve explicitly configured them to. Most implementations allow the cart plugin to run regardless of what the visitor chose.

The consent banner and the abandoned cart plugin are solving different problems. They don’t automatically interact. Assuming they do is the compliance gap — and it’s the gap regulators find first.

Frequently Asked Questions

Do WooCommerce abandoned cart plugins require GDPR consent?

Yes — capturing an email address from a checkout field is a personal data processing event under GDPR Article 4(2), and Article 6 requires a lawful basis for every processing event. Most abandoned cart plugins capture emails via JavaScript keypress detection before any consent is confirmed. The consent banner governs cookies, not form field data capture. These are separate compliance questions requiring separate legal bases.

Is capturing email addresses mid-checkout legal under GDPR?

It depends on the legal basis applied. Contract performance doesn’t apply because no contract exists until purchase is completed. Legitimate Interests requires a balancing test that abandoned cart email practices often fail. Consent is valid, but only if the plugin actually gates capture on a positive consent signal — which most don’t. The default implementation for most WooCommerce abandoned cart plugins captures first and asks no questions.

What is the legal basis for storing an email address from an incomplete WooCommerce checkout?

The strongest legal basis is explicit consent, where the visitor actively agrees to receive follow-up about their incomplete cart before the email address is captured. This requires either a consent checkbox at the point of email entry or integration with your CMP that prevents capture until consent fires. The soft opt-in under ePrivacy covers sending emails to existing customers — it doesn’t create a legal basis for capturing the email in the first place.

Can I use the ePrivacy soft opt-in for WooCommerce abandoned cart emails?

Only for existing customers who have previously completed a purchase from your store — and only for the act of sending the email. The soft opt-in doesn’t provide a legal basis for the initial data capture from an incomplete checkout. Visitors who abandoned without purchasing are not existing customers, and the soft opt-in doesn’t apply to them. You still need a valid Article 6 basis for capturing and retaining their email address.

The question your abandoned cart plugin’s documentation answers is how to recover revenue. The question GDPR asks is whether you had the right to capture the contact data that made the recovery possible. These are different questions with different answers — and most WooCommerce stores have only checked one of them.
