next post: What Do Customers Expect From An Online Retail Returns Policy?

Read parcelLab's TEI study to learn how this retailer experienced a 358% incremental ROI by switching to our software.


Post-purchase communication in age of GDPR – what is and isn’t allowed since 25th May


Published on: August 16, 2018

Updated: October 18, 2023

The GDPR replaced the previously valid Data Protection Act 1998 in the UK. Its implementation caused of confusion and unease within the British society. According to a recent survey by the Federation of Small Businesses, fewer than one in ten small businesses in Britain were fully prepared for the new EU-wide rules on personal data.

The general disarray also touches the field of post-purchase communication, a speciality of Munich-based company parcelLab. Retailers have been asking themselves, am I even allowed to tell my customers that their order is on its way? Do I need a special opt-in-agreement to inform them about the estimated delivery date? In order to answer these questions and clear up any data protection insecurities surrounding post purchase communication, here comes our GDPR post purchase fact check:

What is personal data?

The European Unions’ General Data Protection Regulation regulates the processing of personal data – both by private companies and public authorities – and places them under unprecedented protection. The goal, to harmonize data protection law within the EU and to make it more user-friendly, so that any person can get authority over their data back. Therefore, once users are tracked, customer data collected, newsletters or promotional emails sent, the new regulation takes effect.

Personal data is for example:

  • Name and surname
  • Address
  • Email address
  • Location data
  • Phone or mobile number
  • Date of Birth

From 25th May, whenever an online retailer wants to collect such personal data, he needs the user’s consent. Even with said consent he is not allowed to collect any data he wants. On the contrary, the retailer is allowed to collect only the data he needs to process and ship the customer’s order, such as name, address and e-mail address – nothing else.

Are online-retailers allowed to communicate with their customers post-purchase?

Article 6 in GDPR (1) (B), which deals with the lawfulness of (data) processing, states:

The processing is lawful if [it] is for the performance of a contract, party to the data subject, or necessary to carry out pre-contractual action.

This means that if messages are required for contract fulfilment, they may be sent. But even if the data processing is (necessarily) connected with the fulfilment of the contract without directly serving the fulfilment of the main service, it is permitted. This means that transaction-based customer communication is permitted without the need for explicit consent.

Strictly speaking, this is part of customer service – not advertising. However, as soon as the content of the notification is no longer related to the order processing, the customer must explicitly give consent in order for retailers to send any further communication.

So, any e-mails that inform the customer about

  • Order confirmation
  • Status updates before shipping
  • Shipping status
  • Parcel tracking information
  • Directions to the delivery station the parcel has been delivered to
  • Information about status of returns

are legal by GDPR standards and don’t need a special consent by the user. By ordering at an online store the customer has already agreed to receive this kind of information.

What about advertising in post-purchase communication? Is that still allowed?

Emails that – apart from relaying necessary information on the customer’s order – also provide the customer with additional information on the product he bought are still considered customer service and therefore allowed. These can be (video) tutorials that explain to the customer, for example, how to use their new food processor best. Or a recipe for cooking. If the customer has bought a bike, retailers can also stir up anticipation by incorporating a link to cycling routes in their surroundings or sending assembly instructions. This information helps the customer, adds value and enhances the actual product experience without being promotional.

Additional information on the product are still allowed.

Advertising may also be included in order confirmations, status updates and dispatch messages – such as offers and sales promotions, coupons or simple product recommendations. Although this is only permitted for (similar) goods from the same segment that match the product the customer has just purchased. So, an advertisement for a bicycle helmet after purchasing a bicycle is okay – while advertising an iPhone in the bike’s dispatch message isn’t.


Even in the times of GDPR, post-purchase communication is possible – if anything, it will be even more relevant to the customer than before, because retailers must concentrate on content that is valuable and interesting to their customer. And that will, in the long run, help the retailers too – by increasing customer loyalty, customer happiness and therefore the number of returning customers in their shop.

Written by