Name of Brand:

Dbrand

 

Description of your issue:

Dbrand sends unsolicited e-mails when a cart is abandoned, in a violation of EU spam laws and GDPR.

 

How to replicate:

  1. Visit http://iamveryshort.com
  2. Add a product to your cart and go to the checkout-flow
  3. Fill out your contact e-mail and uncheck "Send me emails - ones which are well-designed and contain exclusive offers."
  4. Abandon cart

You will now receive 12(!) abandon cart e-mails as part of their abandon flow. Sure, you could go and unsubscribe on the first one, but they've never gotten permission to use the e-mail for promotion in the first place. Abandon cart again, and the flow starts over.

 

You could argue that providing an e-mail in the checkout is a "soft opt in", but that is not permitted in many EU countries.

 

Regardless of whether such consumer and privacy protections exist in other countries, including Canada, it's just not a good business practice to use customer data without prior consent.

 

Have you tried solving your issue through the brand's customer support channel? If so, what was the result?

Yes, but they don't reply.

 

I e-mailed them on June 7, they promised to get back within 2-7 business days. I e-mailed them again on July 4th, where they likewise promised a reply within 2-7 business days. As of July 19th, I haven't heard back from them.

 

What would an ideal resolution of your issue look like?

Abandon cart e-mails work and are a staple for many webshops. But Dbrand should not send out any e-mails without consent, especially when the consent form has indeed had its pre-check removed ("Send me emails - ones which are well-designed and contain exclusive offers."). By the way, according to some European data protection laws, these check boxes are not even allowed to be pre-filled (should be opt-in rather than opt-out).

 

Bonus:

 

Dbrand has customers from all over the world, but using the IP address or browser language settings, they could easily identify which country customers are from. That would also allow them to not violate marketing laws in Europe as well:
1) I am from Denmark, Europe, where it is actually illegal to show a price without VAT to consumers. VAT was added on check-out. Sure, it is only on checkout that I specify my country, but they could have just used my IP to set it automatically or state on the product page that it is excluding VAT (which would be illegal in my country as well though, but at least shows some transparency).
2) The site said the order was eligible for free shipping, but that also wasn't the case. In total, the price increased by +30% because of these two factors.

https://linustechtips.com/topic/1618159-dbrand-unsolicited-e-mails-spam/

Link to post
Share on other sites

19 minutes ago, Loib said:

Name of Brand:

Dbrand

 

Description of your issue:

Dbrand sends unsolicited e-mails when a cart is abandoned, in a violation of EU spam laws and GDPR.

 

How to replicate:

  1. Visit http://iamveryshort.com
  2. Add a product to your cart and go to the checkout-flow
  3. Fill out your contact e-mail and uncheck "Send me emails - ones which are well-designed and contain exclusive offers."
  4. Abandon cart

You will now receive 12(!) abandon cart e-mails as part of their abandon flow. Sure, you could go and unsubscribe on the first one, but they've never gotten permission to use the e-mail for promotion in the first place. Abandon cart again, and the flow starts over.

 

You could argue that providing an e-mail in the checkout is a "soft opt in", but that is not permitted in many EU countries.

 

Regardless of whether such consumer and privacy protections exist in other countries, including Canada, it's just not a good business practice to use customer data without prior consent.

 

Have you tried solving your issue through the brand's customer support channel? If so, what was the result?

Yes, but they don't reply.

 

I e-mailed them on June 7, they promised to get back within 2-7 business days. I e-mailed them again on July 4th, where they likewise promised a reply within 2-7 business days. As of July 19th, I haven't heard back from them.

 

What would an ideal resolution of your issue look like?

Abandon cart e-mails work and are a staple for many webshops. But Dbrand should not send out any e-mails without consent, especially when the consent form has indeed had its pre-check removed ("Send me emails - ones which are well-designed and contain exclusive offers."). By the way, according to some European data protection laws, these check boxes are not even allowed to be pre-filled (should be opt-in rather than opt-out).

 

Bonus:

 

Dbrand has customers from all over the world, but using the IP address or browser language settings, they could easily identify which country customers are from. That would also allow them to not violate marketing laws in Europe as well:
1) I am from Denmark, Europe, where it is actually illegal to show a price without VAT to consumers. VAT was added on check-out. Sure, it is only on checkout that I specify my country, but they could have just used my IP to set it automatically or state on the product page that it is excluding VAT (which would be illegal in my country as well though, but at least shows some transparency).
2) The site said the order was eligible for free shipping, but that also wasn't the case. In total, the price increased by +30% because of these two factors.

WTF website is that?   I am very short?

Link to post
Share on other sites

11 minutes ago, Dedayog said:

WTF website is that?   I am very short?

It's a LTT-related vanity URL for Dbrand that Dbrand had paid LTT to use to both dig at Linus and measure the effectiveness of sponsoring LTT. You could also just go to Dbrand.com, but I wanted to show that I'm actually going to Dbrand because of their sponsorship of LTT.

Link to post
Share on other sites

53 minutes ago, Dedayog said:

WTF website is that?   I am very short?

it's the LTT vanity URL for dbrand.

 

on topic: i'm personally very pro-abandoned-cart-mail, but 12 E-mails sounds ridiculous.

 

1 hour ago, Loib said:

I am from Denmark, Europe, where it is actually illegal to show a price without VAT to consumers.

dbrand is from canada, where that rule does not apply. if they would make a dbrand.eu flavour it could be argued they should be applying EU law, they technically aren't tied to any of it, because they aren't operating within the EU.

prices are in dollarydoos, that should be your cue as a european consumer to realise your law does not apply there.

 

1 hour ago, Loib said:

The site said the order was eligible for free shipping, but that also wasn't the case. In total, the price increased by +30% because of these two factors.

free shipping* (to the north american mainland, i'm guessing.) this is EXTREMELY common, even within the EU. pretty much every webstore i know that has different levels of free shipping depending on region breaks in this exact way. (aka how far they have to ship determines the minimum spending amount)

Link to post
Share on other sites

33 minutes ago, manikyath said:

 

dbrand is from canada, where that rule does not apply. if they would make a dbrand.eu flavour it could be argued they should be applying EU law, they technically aren't tied to any of it, because they aren't operating within the EU.

prices are in dollarydoos, that should be your cue as a european consumer to realise your law does not apply there.

 

free shipping* (to the north american mainland, i'm guessing.) this is EXTREMELY common, even within the EU. pretty much every webstore i know that has different levels of free shipping depending on region breaks in this exact way. (aka how far they have to ship determines the minimum spending amount)

 

This was not my main complaint, and while I personally don't expect them to adhere to EU law when they show pricing in $ (versus €, for instance), the fact is that the EU may still require that they adhere to EU law since they ship to EU and collect EU VAT. I think the very least they could do is add some fine print, a warning, an asterisk (*) or similar, or just have a popup for visitors outside NA warning about shipping, VAT and other charges being applied before checkout.

 

For the free shipping, you're absolutely right that there are usually thresholds for different markets, only applies to certain regions, etc. But there was no asterisk (*), it clearly stated that the order was eligible for free shipping (don't have a screenshot though). Besides, their own FAQ states that most orders over $65 include free shipping to Denmark with certain carriers (though they mention skins in their example), so it's not out of the question that a statement made to a user from a European IP address on free shipping with no T&C applied should be honoured.

 

I don't think the intention from Dbrand is to be dodgy about these things, but at the end of the day it's still highly misleading.

Link to post
Share on other sites

3 hours ago, manikyath said:

dbrand is from canada, where that rule does not apply

Technically it does: https://gdpr.eu/companies-outside-of-europe/. They are selling to EU citizens and storing data of EU citizens. Of course the EU can specify whatever they want, it's not worth much if it's not enforceable or enforced (~edit: of course the easiest enforcement here would be: you don't play by our rules, you can no longer sell goods to our citizens. Good day).

 

Though I'm not sure whether signing in to their site, putting something into your cart and then receiving a reminder for it would count as spam. If they kept nagging me about it, I'd possibly consider deleting my account, but otherwise I think it's at least a somewhat useful feature.

 

4 hours ago, Loib said:

What would an ideal resolution of your issue look like?

Abandon cart e-mails work and are a staple for many webshops. But Dbrand should not send out any e-mails without consent, especially when the consent form has indeed had its pre-check removed ("Send me emails - ones which are well-designed and contain exclusive offers.").

"Exclusive offers" (aka ads) and abandoned cart reminders are not the same thing. You've told them you don't want emails with ads, but that's not what you received. You received a reminder for something you explicitly put in a cart and handed them your email for.

 

Should this count as consent to remind you about it? Probably not. The GDPR explicitly requires opt-in, rather than opt-out. Even if the GDPR technically applies here, I'm not sure dbrand will be going out of their way to comply with it.

Link to post
Share on other sites

5 minutes ago, Eigenvektor said:

Though I'm not sure whether signing in to their site, putting something into your cart and then receiving a reminder for it would count as spam. If they kept nagging me about it, I'd possibly consider deleting my account, but otherwise I think it's at least a somewhat useful feature.

Unsolicited e-mails are the definition of spam.

 

Your point about considering to delete my account makes no sense - I have no account to delete. That's a part of the point. Also in terms of consent:

4 hours ago, Loib said:

You could argue that providing an e-mail in the checkout is a "soft opt in", but that is not permitted in many EU countries.

 

Regardless of whether such consumer and privacy protections exist in other countries, including Canada, it's just not a good business practice to use customer data without prior consent.

 

7 minutes ago, Eigenvektor said:

"Exclusive offers" (aka ads) and abandoned cart reminders are not the same thing. You've told them you don't want emails with ads, but that's not what you received. You received a reminder for something you explicitly put in a cart and handed them your email for.

Your distinction doesn't really make sense here; I never said I received ads, I said I received unsolicited e-mails in an abandon cart flow. But many of them were indeed ads with no buttons to the abandoned cart or mention of that. Here's the flow of e-mails, that might bring some clarity to what we're talking about:

  1. "Does clickbait work"? Simply contained a link to the cart.
  2. "We're coming for you" also contained a link to the cart.
  3. "this could have been us..." contained 25(!) customer photos of unrelated items (making it an ad)
  4. "This is your last chance." contained a link to the cart.
  5. "This email contains zero products." contained links to their social media channels including products (making it an ad)
  6. "01001110 01010011 00110010" contained information on Switch 2 skins which was related to the cart, but I think that was more of an accident (so likely also an ad)
  7. "Everything in this email is stolen." contained 32(!) customer photos of unrelated items (making it an ad)
  8. "This is a bribe." contained a 10 % discount code (making it an "exclusive offer")
  9. "we're pulling the strings 👁" contained influencer information, including LTT (no product references, ad)
  10. "Our second-worst discount of all time..." was a promo for their "gfy prime day" with a $0.02 discount code (clearly an ad for their current limited "sale")
  11. "Want some rare artifacts? 💎" was an ad for their merch
  12. "You earned this 💰" was a discount code for 20 %

That is simply spam, no way around that.

 

25 minutes ago, Eigenvektor said:

Should this count as consent to remind you about it? Probably not. The GDPR explicitly requires opt-in, rather than opt-out. Even if the GDPR technically applies here, I'm not sure dbrand will be going out of their way to comply with it.

 

I agree that GDPR likely technically applies, but is to a large extent unenforceable. That does not change the fact that businesses have the option to act ethically around your data - just because something is technically unenforceable or even permitted in the jurisdiction of the company, doesn't mean that they should do whatever they want, or that customers - and brand partners like LTT - should accept that behaviour.

Link to post
Share on other sites

2 minutes ago, Loib said:

Your distinction doesn't really make sense here; I never said I received ads, I said I received unsolicited e-mails in an abandon cart flow. But many of them were indeed ads with no buttons to the abandoned cart or mention of that. Here's the flow of e-mails, that might bring some clarity to what we're talking about:

Your initial post says you received 12 reminders for an abandoned cart, which is something else from what you're saying now.

 

I'm making a distinction, because that is most likely the distinction dbrand (or their lawyers) are going to make. You unchecked a checkbox that says "send me ads". They sent you reminders. Not the same thing.

 

Of course the email subjects you posted just now tell a different story, but that's not what you said in your initial post. If you received ads, why not say so right away?

 

8 minutes ago, Loib said:

I agree that GDPR likely technically applies, but is to a large extent unenforceable. That does not change the fact that businesses have the option to act ethically around your data - just because something is technically unenforceable or even permitted in the jurisdiction of the company, doesn't mean that they should do whatever they want, or that customers - and brand partners like LTT - should accept that behaviour.

You put stuff in a cart, gave them an email and they reminded you about it. Saying this is unethical behavior with your data sounds a bit far fetched and doesn't help make your point. Receiving 12 reminders is certainly excessive and possibly a bug. But if those emails did indeed contain ads rather than reminders, that's a different story. If that's the case, again, why not start with that right away?

Link to post
Share on other sites

My initial post stated that I received 12 abandon cart e-mails as part of their abandon flow. I agree with you that there is a legal distinction to whether they sent me abandon cart e-mails or ads, but I never made that distinction; as the person receiving the e-mails, I don't care if they are ads or not (they're by definition commercial, as it's a business trying to sell me something), as they are clearly a part of the abandon cart flow which is not only excessive but unsolicited, i.e. spam. But you started to make the distinction between "exclusive offers" and ads vs abandon cart, and I simply pointed out that by that definition (which again I don't agree is super relevant, it's excessive and unsolicited either way), the abandon cart flow did indeed contain ads. That is not me saying something different than what I initially wrote. Now, we're both clearly pedants, but I think it's starting to split hairs and irrelevant to the overall point of this being unsolicited and excessive. If you only take offence to the unsolicited ad parts of the flow, that's fine, but the point still stands.

 

31 minutes ago, Eigenvektor said:

You put stuff in a cart, gave them an email and they reminded you about it. Saying this is unethical behavior with your data sounds a bit far fetched and doesn't help make your point. Receiving 12 reminders is certainly excessive and possibly a bug. But if those emails did indeed contain ads rather than reminders, that's a different story. If that's the case, again, why not start with that right away?

 

The only thing that conceivably is a bug is the #10 (gfy prime day) that seemed to sneak in, they likely wanted that campaign to run to everyone in their e-mail list regardless of consent.

 

We're likely not going to see eye to eye on this, so I'm fine to agree to disagree on this, but here's my stance:

Unsolicited e-mails are spam. Spam is inherently unethical, no matter the jurisdiction or justification of the business. In jurisdictions with less protection than in the EU (which doesn't necessarily apply to a Canadian business, but I'd argue still technically applies, yet unenforceable), you could argue that abandon cart e-mails are allowed via "soft opt-in" (i.e. me entering my e-mail to purchase the product, but backing out once I found out that they were misrepresenting the delivery fee and not including the VAT), but I think it's reasonable to state that: 12 reminders is excessive. With ≈7 of those being ads I didn't opt-in to that is clearly spam. With ≈5 of those being more or less dedicated to the actual cart, it is still excessive. And I will maintain that all of it was unsolicited.

Link to post
Share on other sites

11 hours ago, Eigenvektor said:

You put stuff in a cart, gave them an email and they reminded you about it. Saying this is unethical behavior with your data sounds a bit far fetched and doesn't help make your point. Receiving 12 reminders is certainly excessive and possibly a bug. But if those emails did indeed contain ads rather than reminders, that's a different story. If that's the case, again, why not start with that right away?

You know if during the cart process they ask for an email but you haven't actually registered with them before and haven't purchased anything then I do feel that is 100% unethical.

 

It's one thing if someone had signed up for an account etc with them...but during a checkout process that was never completed you shouldn't be collecting information until either the purchase is done, or again if you are signing them up for something.

 

I am not sure though on what the OP means by the process in which he says though, because at least on the Canadian website I have to put my email in during the actual purchase.

Link to post
Share on other sites

Sadly this is very common with the US based sites and even sadder to see it extends to Canadian sites. With any box you enter email there should be either box for "send me emails which aren't directly connected to my order" or disclaimer about how entered email will be used. For those outside US, here's how it looks (tested with Manscaped site variants):

 

TLDR;

  • US site, no tickbox or disclaimers, sends cart and promotion emails 
  • UK (has GDPR style legislation but isn't EU), tickbox, but still sends emails about cart
  • EU, has opt-in tickbox, no emails about anything

Link to post
Share on other sites

3 hours ago, wanderingfool2 said:

You know if during the cart process they ask for an email but you haven't actually registered with them before and haven't purchased anything then I do feel that is 100% unethical.

 

It's one thing if someone had signed up for an account etc with them...but during a checkout process that was never completed you shouldn't be collecting information until either the purchase is done, or again if you are signing them up for something.

 

I am not sure though on what the OP means by the process in which he says though, because at least on the Canadian website I have to put my email in during the actual purchase.

I am unsure what you meant with the last sentence, but what you're describing is exactly what happened.

Link to post
Share on other sites

2 hours ago, LogicalDrm said:

Sadly this is very common with the US based sites and even sadder to see it extends to Canadian sites. With any box you enter email there should be either box for "send me emails which aren't directly connected to my order" or disclaimer about how entered email will be used. For those outside US, here's how it looks (tested with Manscaped site variants):

 

TLDR;

  • US site, no tickbox or disclaimers, sends cart and promotion emails 
  • UK (has GDPR style legislation but isn't EU), tickbox, but still sends emails about cart
  • EU, has opt-in tickbox, no emails about anything

Very interesting case, as Manscaped obviously choose to handle regions differently and go as far as possible, instead of aligning on best practice for consent.

 

Unfortunately, their approach will have a measurable positive outcome on their order values. I'd argue that it also comes with a negative impact on brand perception and therefore long-term sales, though likely not enough to make it worth doing it "right".

 

I've seen this abandon cart being triggered without consent from many Shopify sites, even from European online stores.

Link to post
Share on other sites

1 hour ago, Loib said:

I've seen this abandon cart being triggered without consent from many Shopify sites, even from European online stores.

Which hints it is on by default when setting up the store.

Link to post
Share on other sites

6 hours ago, Loib said:

I am unsure what you meant with the last sentence, but what you're describing is exactly what happened.

I mean on the Canadian website I will

Go to dbrand

Add product

Go to cart

At this stage it asks for email, but it also asks for the address and payment info...so the only way I can proceed from that point is clicking submit payment.

 

Of course I am not doing that as it completes the order, but that's what I mean by my last sentence.  As I've seen it doesn't send me any emails at all (I don't think it sends the information until I click submit payment).

 

My question though, have you created a dbrand account, and are you logged in when you are adding the item to your cart?

Link to post
Share on other sites

1 hour ago, wanderingfool2 said:

I mean on the Canadian website I will

Go to dbrand

Add product

Go to cart

At this stage it asks for email, but it also asks for the address and payment info...so the only way I can proceed from that point is clicking submit payment.

 

Of course I am not doing that as it completes the order, but that's what I mean by my last sentence.  As I've seen it doesn't send me any emails at all (I don't think it sends the information until I click submit payment).

 

My question though, have you created a dbrand account, and are you logged in when you are adding the item to your cart?

No, I did not progress. I did just as described initially, give them my e-mail and uncheck the permission box (I did provide my shipping address to see what the shipping would be, I see I left that part out in the first post, but I don't think it should matter, as I didn't add payment info or continue).

 

So to be clear: I didn't provide any payment information, choose a payment vendor or anything else, I just closed the window. I did not continue to payment, never progressed from that page, didn't save anything, didn't create an account (nor do I have one with Dbrand), or log in with any other service they may or may not support for creation of accounts or SSO. The e-mail provided was unique to Dbrand (catch-all) and not a SSO login e-mail (like Gmail).

 

I can't remember how much time progressed until I received the first e-mail, but it was likely a couple of hours after leaving the cart.

Link to post
Share on other sites

On 7/19/2025 at 1:57 PM, Loib said:

Name of Brand:

Dbrand

 

Description of your issue:

Dbrand sends unsolicited e-mails when a cart is abandoned, in a violation of EU spam laws and GDPR.

 

How to replicate:

  1. Visit http://iamveryshort.com
  2. Add a product to your cart and go to the checkout-flow
  3. Fill out your contact e-mail and uncheck "Send me emails - ones which are well-designed and contain exclusive offers."
  4. Abandon cart

You will now receive 12(!) abandon cart e-mails as part of their abandon flow. Sure, you could go and unsubscribe on the first one, but they've never gotten permission to use the e-mail for promotion in the first place. Abandon cart again, and the flow starts over.

 

You could argue that providing an e-mail in the checkout is a "soft opt in", but that is not permitted in many EU countries.

 

Regardless of whether such consumer and privacy protections exist in other countries, including Canada, it's just not a good business practice to use customer data without prior consent.

 

Have you tried solving your issue through the brand's customer support channel? If so, what was the result?

Yes, but they don't reply.

 

I e-mailed them on June 7, they promised to get back within 2-7 business days. I e-mailed them again on July 4th, where they likewise promised a reply within 2-7 business days. As of July 19th, I haven't heard back from them.

 

What would an ideal resolution of your issue look like?

Abandon cart e-mails work and are a staple for many webshops. But Dbrand should not send out any e-mails without consent, especially when the consent form has indeed had its pre-check removed ("Send me emails - ones which are well-designed and contain exclusive offers."). By the way, according to some European data protection laws, these check boxes are not even allowed to be pre-filled (should be opt-in rather than opt-out).

 

Bonus:

 

Dbrand has customers from all over the world, but using the IP address or browser language settings, they could easily identify which country customers are from. That would also allow them to not violate marketing laws in Europe as well:
1) I am from Denmark, Europe, where it is actually illegal to show a price without VAT to consumers. VAT was added on check-out. Sure, it is only on checkout that I specify my country, but they could have just used my IP to set it automatically or state on the product page that it is excluding VAT (which would be illegal in my country as well though, but at least shows some transparency).
2) The site said the order was eligible for free shipping, but that also wasn't the case. In total, the price increased by +30% because of these two factors.

Abandoned cart emails are somewhat a grey-area still. Usually it's something of objective interest to the customer, and sometimes even with a discount, so it's not entirely SPAM, but it is not a GDPR violation either. GDPR has become kind of a trashcan rule to throw around. If it is anything it's probably a violation of the CAN-SPAM act, but since it's not entirely spam, it is this grey area where it usually can benefit the customer to get this email. I don't believe this has anything to do with GDPR.

 

12 emails is definitely a CAN-SPAM violation though, and it should never be more than 1.

 

> I am from Denmark, Europe, where it is actually illegal to show a price without VAT to consumers.

 

Can confirm the law exists, I am also from Denmark. You did see the price in the end incl. VAT, when they were sure where the shipping was going, since the VAT changes based upon shipping country, not the country your IP belongs to. I am not a lawyer, I don't know if it is good enough to show the VAT at the cart overview, but the spirit of the law you mention is simply to disallow wording like ($xxx + VAT), they must always show the price incl. VAT, so you know how much you're paying, and the VAT isn't unspecified. And thus the question becomes if it is enough to show it once the rate is objectively correct because they know the shipping destination.

 

 

 

Link to post
Share on other sites

16 minutes ago, JapSeyz said:

Abandoned cart emails are somewhat a grey-area still. Usually it's something of objective interest to the customer, and sometimes even with a discount, so it's not entirely SPAM, but it is not a GDPR violation either. GDPR has become kind of a trashcan rule to throw around. If it is anything it's probably a violation of the CAN-SPAM act, but since it's not entirely spam, it is this grey area where it usually can benefit the customer to get this email. I don't believe this has anything to do with GDPR.

 

12 emails is definitely a CAN-SPAM violation though, and it should never be more than 1.

I fully agree that GDPR has become a catch-all scapegoat for anything that might seem like misuse of data, and I am also not a lawyer, but to the best of my understanding, a key part of GDPR is that I have to explicitly consent to any processing of my personal data (including email addresses) for specific purposes (e.g. to complete a purchase). Since I did enter my email, but did not follow through with the purchase, create an account or consent for marketing purposes, then sending these emails would be a violation. It is also not a legitimate purpose for collecting my email address, which is also a violation of GDPR.

 

Some quick Google-fu for the rest of this reply:

CAN-SPAM is US legislation, Dbrand is Canadian and I'm from Denmark, so CAN-SPAM doesn't apply. CASL (which is Canadian and would apply to Dbrand) likewise has explicit consent requirements and does not allow unsolicited marketing emails.

 

22 minutes ago, JapSeyz said:

Can confirm the law exists, I am also from Denmark. You did see the price in the end incl. VAT, when they were sure where the shipping was going, since the VAT changes based upon shipping country, not the country your IP belongs to. I am not a lawyer, I don't know if it is good enough to show the VAT at the cart overview, but the spirit of the law you mention is simply to disallow wording like ($xxx + VAT), they must always show the price incl. VAT, so you know how much you're paying, and the VAT isn't unspecified. And thus the question becomes if it is enough to show it once the rate is objectively correct because they know the shipping destination.

The reason why I described the pricing was to describe why I backed out of the deal, and that was not my main complaint.

 

It is trivial for a website to estimate the location of a customer (IP address, browser language settings). And it turns out, this is not just relevant for Denmark, but all of the EU:

 

I just looked it up, and the EU Price Indication Directive specifically states that:

Quote

"The selling price must be unambiguous, easily identifiable and clearly legible"

and the directive contains this definition: 

Quote

"selling price shall mean the final price for a unit of the product, or a given quantity of the product, including VAT and all other taxes;"

 

So, if a webshop wants to sell to European customers, they have to show the price including VAT, not just at checkout. But I'm just arguing that they could just add an asterisk (*), "excluding VAT", "VAT to be verified on checkout" or something else. Turns out, Dbrand is likely actually violating EU directives and Canadian legislation 🤷🏼‍♂️

PS: Nice to have another Dane here 😁🇩🇰


42 minutes ago, Loib said:

but to the best of my understanding, a key part of GDPR is that I have to explicitly consent to any processing of my personal data

This is in part why it has become a catch-all, because would you call the email personally identifiable? If I had the email test@gmail.com, it couldn't be used to identify me. Same goes for the first name "John". Which is why GDPR is split up into 3 segments of data, ranging from "normal" (irrelevant) like names and emails, all the way to "Strict" which is what it is usually describing and working with. This is things like Social Security Numbers, Addresses along with full names etc.

An email in itself doesn't really constitute a GDPR issue. There are a million different interpretations and no real case-law yet, so this is based on personal experience when negotiating contracts with the local communes in Denmark and how they interpret it.

 

> but I'm just arguing that they could just add an asterisk (*), "excluding VAT", "VAT to be verified on checkout"

 

No, this is exactly what the Danish law says they can't. That would still break the Danish law.


 

"The selling price must be unambiguous, easily identifiable and clearly legible"

 

This in itself is a bit ambiguous. Since they cannot guarantee that you are shipping to where you are shopping from. They are giving you the exact selling price, and once they can guarantee you the correct price, they show it to you. They could ask or assume based on IP, but it's a crap-shoot at best, in the world where VPNs reign.

You get to see the correct VAT rate, as soon as they know your shipping location because they themselves don't know the VAT rate until then.

I live in Denmark, my ISP is from Germany. Sometimes I have an IP that originates from Germany. Imagine you were shopping for books; they have 7% VAT in Germany, and 25% VAT in Denmark. If your ISP was giving you an IP that said you were in Germany, wouldn't you be pretty mad if all prices went up when going to the cart, because you suddenly had to pay a different VAT rate? Who should pay the difference? Who is to "blame" for the incorrect prices when an angry customer calls customer support?

 

> "selling price shall mean the final price for a unit of the product, or a given quantity of the product, including VAT and all other taxes;"

 

What is selling price here? It could easily be the price displayed in the cart before checkout. In the legislation linked, it is not clear if selling price is the price on the product-page or the price in cart/during checkout. IE. this simply means they cannot change the price after your purchase, they have to sell it at the agreed-upon price after you've placed the order.

 

I definitely get where you're coming from, but it's not as clear-cut as you want it to be.

In my opinion they are doing it the only way they can guarantee correct VAT charges/rates.

 

I am happy to talk with you in DMs to not spam the thread. I work as a developer for one of the biggest e-com sites in Denmark, and can give you some insights from that, if you want.

 

Edit:

> It is trivial for a website to estimate the location of a customer (IP address, browser language settings)

 

That is not really true. An IP address is not connected to a physical address, so what you can do is you can pay for someone to make an educated guess for you, usually using something like MaxMind (https://www.maxmind.com/en/geoip-demo), but it's costly, and not 100% accurate and there are updates daily. I.e. it is not trivial at all. Browser language settings is also a no-go. I work in Denmark. I live in Portugal. My browser is English. Which VAT rate should I be shown? It isn't a trivial task, as far as I am aware.

 


41 minutes ago, JapSeyz said:

This is in part why it has become a catch-all, because would you call the email personally identifiable? If I had the email test@gmail.com, it couldn't be used to identify me. Same goes for the first name "John". Which is why GDPR is split up into 3 segments of data, ranging from "normal" (irrelevant) like names and emails, all the way to "Strict" which is what it is usually describing and working with. This is things like Social Security Numbers, Addresses along with full names etc.

An email in itself doesn't really constitute a GDPR issue. There are a million different interpretations and no real case-law yet, so this is based on personal experience when negotiating contracts with the local communes in Denmark and how they interpret it.

I didn't write personally identifiable, I wrote personal data. My point stands.

 

This is turning into a bit of a tangent (and I never argued about personally identifiable), but while I agree that an email address in and of itself does not necessarily mean that it is personally identifiable, many people use their full names for email addresses, or even use personal domains (like I do) which are very much personally identifiable even without combining it with other information. By the way, remember that Dbrand's form also asks for your name and address to give you a delivery estimate, so they very much have this information, and the combination of this makes even the email personally identifiable. Still, this discussion is not really relevant to the complaint and more of a hypothetical one 🙂

 

49 minutes ago, JapSeyz said:

> but I'm just arguing that they could just add an asterisk (*), "excluding VAT", "VAT to be verified on checkout"

 

No, this is exactly what the Danish law says they can't. That would still break the Danish law.

I'm going to assume you misread what I wrote before that sentence. The sentence right before it states that they very much have to. The sentence you quoted is not my interpretation of the law, but what I - as a person - would find less problematic as it then is at least somewhat obvious that it is not the final price. It is still very much against the law in the EU unless there's a good reason to do so (see below).

 

57 minutes ago, JapSeyz said:

"The selling price must be unambiguous, easily identifiable and clearly legible"

 

This in itself is a bit ambiguous. Since they cannot guarantee that you are shipping to where you are shopping from. They are giving you the exact selling price, and once they can guarantee you the correct price, they show it to you. They could ask or assume based on IP, but it's a crap-shoot at best, in the world where VPNs reign.

You get to see the correct VAT rate, as soon as they know your shipping location because they themselves don't know the VAT rate until then.

I live in Denmark, my ISP is from Germany. Sometimes I have an IP that originates from Germany. Imagine you were shopping for books; they have 7% VAT in Germany, and 25% VAT in Denmark. If your ISP was giving you an IP that said you were in Germany, wouldn't you be pretty mad if all prices went up when going to the cart, because you suddenly had to pay a different VAT rate? Who should pay the difference? Who is to "blame" for the incorrect prices when an angry customer calls customer support?

 

> "selling price shall mean the final price for a unit of the product, or a given quantity of the product, including VAT and all other taxes;"

 

What is selling price here? It could easily be the price displayed in the cart before checkout. In the legislation linked, it is not clear if selling price is the price on the product-page or the price in cart/during checkout. IE. this simply means they cannot change the price after your purchase, they have to sell it at the agreed-upon price after you've placed the order.

 

I definitely get where you're coming from, but it's not as clear-cut as you want it to be.

In my opinion they are doing it the only way they can guarantee correct VAT charges/rates.

 

I am happy to talk with you in DMs to not spam the thread. I work as a developer for one of the biggest e-com sites in Denmark, and can give you some insights from that, if you want.

 

 

You're absolutely correct that the Directive does not explicitly state that the selling price has to be shown on the product page and not at checkout, it emphasizes that the selling price must be clearly displayed to ensure transparency for consumers. I don't think there's any doubt what the intent is here. Just a quick search reveals a document from the EU Commission's website called "Recommendations for a better presentation of information to consumers" which states that the price should be the:

Quote

total price (including all additional charges and taxes as well as shipping costs). If some of the possible,
additional costs cannot be calculated at this stage, mention the type of additional charges that could apply.

In other words, they could state "VAT to be calculated on check out" and follow these recommendations (yes, not case law), but not indicating VAT at all is a no-go.

 

1 hour ago, JapSeyz said:

Edit:

> It is trivial for a website to estimate the location of a customer (IP address, browser language settings)

 

That is not really true. An IP address is not connected to a physical address, so what you can do is you can pay for someone to make an educated guess for you, usually using something like MaxMind (https://www.maxmind.com/en/geoip-demo), but it's costly, and not 100% accurate and there are updates daily. I.e. it is not trivial at all. Browser language settings is also a no-go. I work in Denmark. I live in Portugal. My browser is English. Which VAT rate should I be shown? It isn't a trivial task, as far as I am aware.

I wrote estimate, not determine. You're absolutely right about exceptions - you could throw a bunch of stuff in there, including VPNs, ordering for people in other countries, ordering while you're traveling, etc. My argument is this:

It is trivial for a website to estimate the location of a customer (IP address [in most cases accurate to country level], HTTP headers, CDN edge location). You can combine these factors to make an educated guess. Many websites do exactly this to redirect you to the right local version of their website. Or, they could simply ask people to verify where they're from before showing the prices (yes, this adds friction, but means they're compliant).

Then, the website could state it like this:

  • $100 (incl. 25 % DK VAT, estimated by your location )
: We based your location on signals, the proper VAT will be added when you specify your delivery address.

Would that fit in all cases? Absolutely not. But I don't think you can argue that they can just leave the price without VAT anywhere other than the checkout flow/cart - there has to be some kind of indication or estimation. And even if they decided not to, they could at the very least solve it like this:

$100 (incl. CA VAT - [not shipping to Canada?])

13 minutes ago, Loib said:

I didn't write personally identifiable, I wrote personal data. My point stands.

 

This is turning into a bit of a tangent (and I never argued about personally identifiable), but while I agree that an email address in and of itself does not necessarily mean that it is personally identifiable, many people use their full names for email addresses, or even use personal domains (like I do) which are very much personally identifiable even without combining it with other information. By the way, remember that Dbrand's form also asks for your name and address to give you a delivery estimate, so they very much have this information, and the combination of this makes even the email personally identifiable. Still, this discussion is not really relevant to the complaint and more of a hypothetical one 🙂

 

I'm going to assume you misread what I wrote before that sentence. The sentence right before it states that they very much have to. The sentence you quoted is not my interpretation of the law, but what I - as a person - would find less problematic as it then is at least somewhat obvious that it is not the final price. It is still very much against the law in the EU unless there's a good reason to do so (see below).

 

 

You're absolutely correct that the Directive does not explicitly state that the selling price has to be shown on the product page and not at checkout, it emphasizes that the selling price must be clearly displayed to ensure transparency for consumers. I don't think there's any doubt what the intent is here. Just a quick search reveals a document from the EU Commission's website called "Recommendations for a better presentation of information to consumers" which states that the price should be the:

In other words, they could state "VAT to be calculated on check out" and follow these recommendations (yes, not case law), but not indicating VAT at all is a no-go.

 

I wrote estimate, not determine. You're absolutely right about exceptions - you could throw a bunch of stuff in there, including VPNs, ordering for people in other countries, ordering while you're traveling, etc. My argument is this:

It is trivial for a website to estimate the location of a customer (IP address [in most cases accurate to country level], HTTP headers, CDN edge location). You can combine these factors to make an educated guess. Many websites do exactly this to redirect you to the right local version of their website. Or, they could simply ask people to verify where they're from before showing the prices (yes, this adds friction, but means they're compliant).

Then, the website could state it like this:

  • $100 (incl. 25 % DK VAT, estimated by your location )

: We based your location on signals, the proper VAT will be added when you specify your delivery address.

Would that fit in all cases? Absolutely not. But I don't think you can argue that they can just leave the price without VAT anywhere other than the checkout flow/cart - there has to be some kind of indication or estimation. And even if they decided not to, they could at the very least solve it like this:

$100 (incl. CA VAT - [not shipping to Canada?])

This is a long tangent - I agree with that. According to my Google-fu, abandoned cart-emails are legal and GDPR compliant.


 

 

And I do agree that showing the correct VAT or estimation would alleviate some friction when it comes to checkout, it's difficult to get it right across the globe, ie. in Denmark it is not allowed to write "Excl. VAT", but in other European countries it is. An estimation is fine, but as soon as they guess the wrong country for an IP address, you have the exact same case as here, where the VAT which they thought was included, is wrong, and the price increases at checkout, and this whole shebang restarts.
Thus, in my (again non-legal) opinion, showing the correct VAT-rate once it is known for certain, is a fair way to go with the implementation.

 

Anyways, I don't think dbrand is breaking any GDPR rules, but probably some spam and ethical rules when it comes to the sheer number of emails they sent you.

They probably did violate some parts of the CAN-SPAM act:

 

 


I've linked the two different entities that say Abandoned Carts are okay and allowed, but also highlighted the caveats that seem to not be followed.


5 hours ago, JapSeyz said:

This is a long tangent - I agree with that. According to my Google-fu, abandoned cart-emails are legal and GDPR compliant.

If what the poster is saying is true though (in regards to what dbrand is doing), then it's actually not GDPR compliant from my understanding.

 

Not the specific aspect of abandoned cart, but rather collecting the email without the user then interacting further with things (such as clicking the submit button etc). From my understanding the act of collecting the email itself would be a violation as the user hasn't given consent to having the email collected (as an example, I sometimes fill in information just to check out something but if I know they will collect information I won't use my real information). Again this is if it's true that you simply type in your email without clearly progressing in the purchase by clicking buttons on the webpage.

 

Now sending abandoned emails, again I would say as the user didn't click buttons etc it wouldn't rise to the level of consent given for the ePrivacy as well... as I would argue that given what is described you didn't willingly give your email with knowledge. Again it comes down to whether someone typing in an email but not progressing further on the page is enough.

3735928559 - Beware of the dead beef


8 hours ago, JapSeyz said:

Abandoned cart emails are still somewhat of a grey area. Usually it's something of objective interest to the customer, and sometimes even with a discount, so it's not entirely SPAM, but it is not a GDPR violation either. GDPR has become kind of a trashcan rule to throw around. If it is anything it's probably a violation of the CAN-SPAM act, but since it's not entirely spam, it is this grey area where it usually can benefit the customer to get this email. I don't believe this has anything to do with GDPR.

I'm gonna quote this while my reply would include this link https://www.enzuzo.com/blog/abandoned-cart-emails-gdpr-compliant. Which might be true, but also not. GDPR, in my understanding, doesn't legislate how and what kind of stuff can or cannot be sent. What it does legislate is storing customer or visitor data and how to use it. In this case, emails. A site must have a data policy to outline how data is collected, stored and used. Along the lines of what the forums have https://linustechtips.com/privacy/. When one registers an account or makes an online purchase there are a minimum of two boxes to tick. One to agree with the store's terms (these would include the data management policy) and the other to explicitly allow marketing emails. Now, if we take the link, it might still be true. And not. Abandoned cart messages can be fine within the marketing email rules. But might not if the site has not announced that they will collect emails of anyone who enters such information and presses the submit button. Or even just enters something (as in they have a keylogger to log such). If they have fine print under the email box, or somewhere before the submit button, they have done what is required within GDPR and responsibility for what is entered is moved onto the customer. As the most important parts of GDPR are data COLLECTION and STORING rules. These prevent sites from selling customer data to 3rd parties without the customer's consent. They also prevent storing data for longer than is required for national tax reasons. Or using data in any other way than what is directly linked to customer experience.

 

Then back to dbrand. I just looked at their store. Now, I'm doing this from EU IP (Finland) which may or may not have effect on what kind of store page, and more importantly, what kind of checkout page I see.

 

dbrand's own Privacy Policy says:

Quote

Express Informed Consent

 

We use personal information for the Purpose outlined above. When dbrand collects personal information online, we will request that you supply personal information in fields on web pages containing a link to this Privacy Policy. We will ask for your express consent by giving you a chance to check a checkbox before you submit that information to us electronically.

 

When collecting personal information by other means, our Staff will contact you (either by telephone or email) to request your express consent. You need to consent in writing before we proceed. That can be done by email or by a form we provide you with.

There's no link to Privacy Policy on that checkout page. Not before you click "Remember me" button right before paying. So any information collected without clicking that is against their own policy. That would include clicking the first tickbox since it doesn't have link to privacy policy while clearly saying they can send marketing emails if you click that.

 

Now, the privacy policy is written in a way where they could do "abandoned cart" emails if email has been stored. It's pretty vague with online accounts created by users:

Quote

Maintaining online "accounts" for our clients, linked to our website, that facilitate a more effective ecommerce experience;

Problem I see is that they state only 2 ways one's email could be collected in their own words, either by placing order or by creating account. Both would require customer to agree on terms and press clear submit, or by pressing "Pay Now".

 

So far from perfect implement of GDPR compliant system. But if they would add couple things, this could be dealt with shrug and "well, 'Murica".

^^^^ That's my post ^^^^
<-- This is me --- That's your scrollbar -->
vvvv Who's there? vvvv
