The Privacy Act, the Spam Act, and industry codes all affect how you use the details of online shoppers who have abandoned their shopping carts before completing the sale.

Online customers can sometimes enter their names, phone numbers, and perhaps other contact details to start an order via a website, but, on the check-out page (usually where credit card information is requested), then decide to exit the website without completing their orders.

Instead of seeing this as a missed sale, savvy online retailers see these abandoned shopping carts as a valuable target for sales revenue.

A simple but powerful marketing tool for a business is to contact those individuals, using the details provided, in the hope of closing the sales.

However, there are potential legal traps for the unwary if they don't understand the legal limits of what they can (and can't) do with those details.

Has the potential online customer consented?

Any business sending a commercial email, SMS or MMS message to an individual who has abandoned a shopping cart will breach the Spam Act 2003 (Cth) unless the individual has consented to being contacted in this way.

Similarly, under the Do Not Call Register Act 2006 (Cth), a business cannot make a telemarketing call to an individual whose telephone number appears on the Do Not Call Register without that individual's consent.

Issues can also arise under Australia's privacy regime where a business uses personal information collected from an individual for direct marketing purposes without that person's consent.

Consent can be express, for instance, where individuals tick a box confirming the they are content to be contacted for marketing purposes. Consent can also be inferred where individuals would reasonably expect the business to use the information they provided to contact them about the contents of their abandoned shopping carts.

Businesses may believe that they have inferred consent to contact potential customers for marketing purposes using the details provided at the website. The difficulty is that it has not been clearly established in Australia that the provision of personal details for an abandoned shopping cart means that a business can infer consent to contact those individuals for marketing purposes. In at least one UK case, a court found that there was no inferred consent in those circumstances.

This level of uncertainty creates a compliance risk because, under the legislation, it is up to the business to prove that consent was provided in any case where a complaint arises.

What you need to do so you can use information from an abandoned shopping cart

Ensure that your webpages ask potential customers for permission to contact them for marketing purposes when your business collects their email addresses, telephone numbers and other personal details. Be specific about how they will be contacted, and for what purposes.

Ensure that your privacy policy and privacy collection statement explicitly disclose that personal information collected from both customers and potential customers will be used for direct marketing purposes.

To ensure that your business has obtained express consent, make sure that there is a positive opt-in through a tick box that all potential customers are required to complete before the order is completed. Don't rely on opt-out mechanisms or pre-checked tick boxes as these are not regarded by regulators as acceptable ways of gaining consent.

Recognise that issues can emerge with abandoned shopping carts if a tick-box is left to the check-out page.

Bear in mind that express consent will be taken to last for a period of three months from the date it was given, for the purposes of the Do Not Call Register, unless the consent was expressed to have been for a specified period or an indefinite period.

To ensure compliance with the Spam legislation, make sure that any email, SMS or MMS your business sends contains clear and accurate identifying information about you, as the business that authorised the sending of the message. You must also ensure that you provide a simple means by which the individuals may easily request not to receive direct marketing communications from your business.

Finally, remember that all telemarketers are required to comply with the new Telemarketing and Research Industry Standard 2017 which (like its 2007 predecessor) sets minimum levels of conduct for the telemarketing and market research industries, but has also introduced new restrictions on when calls can be made, and how the caller identifies itself.