Compliant Abandoned-Cart Recovery for.

Yes. Dispensary abandoned cart recovery is legal, but only to shoppers who created an account and opted in. Cannabis gets no exemption from federal email and texting law, so the rules are stricter, not looser, than they are for a generic store. Done right, it is one of the highest-return plays in cannabis industry AI.

Here is the uncomfortable part. The documented average online shopping cart abandonment rate is 70.19%, an average across 49 studies tracked by Baymard Institute. For a dispensary running online ordering, roughly seven of every ten started carts never become an order. Most teams leave that on the floor because they assume cannabis cannot legally chase a cart. It can. You just have to do it the way the law actually allows, not the way a generic ecommerce playbook tells you to.

Can dispensaries run abandoned-cart emails legally?

Short answer: yes, with conditions. Commercial email in the United States is governed by CAN-SPAM, the rule the FTC enforces. CAN-SPAM does not ban cannabis email. It does not require prior opt-in the way texting law does. What it requires is mechanical, and you must hit every item: a working opt-out link in every message, a real physical postal address for your business, an honest subject line that does not mislead, accurate "from" and routing information, and clear identification that the message is an advertisement.

That means an abandoned-cart email saying "You left 3.5g of Blue Dream in your cart" is legal to send if the recipient gave you their email, the message names you honestly, carries your postal address, and lets them unsubscribe in one click. Honor opt-outs within the window the FTC sets and stop sending. There is no cannabis carve-out making this harder, and there is no cannabis carve-out making it easier. CAN-SPAM applies to your dispensary exactly as it applies to a shoe store.

The catch most teams miss is upstream of CAN-SPAM. Your email service provider, your payment processor, and your menu platform all have their own acceptable-use policies, and several of them restrict cannabis sends regardless of what federal law allows. So "legal" and "your vendor will let you" are two separate gates. Clear both before you send.

What makes a cart-recovery email compliant versus a takedown risk?

Compliant: sent to a logged-in account holder who supplied their email during checkout or signup, with a one-click unsubscribe, your postal address in the footer, a subject line that matches the body, and no health or medical claims you cannot back. Takedown risk: sent to a scraped list, a purchased list, or an email harvested from a form where the shopper never actually consented to marketing. The difference is not the content of the message. It is whether the person on the other end is a real, consenting, identifiable account.

What is the difference between email consent and SMS consent for a dispensary?

This is where dispensaries get burned, because they treat email and text as one channel. They are not. They are governed by different laws with different consent standards, and a single opt-in checkbox does not cover both.

SMS marketing is governed by the TCPA, codified at 47 U.S.C. 227. Under the TCPA, marketing or autodialed texts require prior express written consent. The recipient must have specifically agreed, in writing, to receive marketing texts at that number. They can revoke that consent at any time, and you must stop. Willful violations run up to $1,500 per text. Send one non-compliant cart-recovery text to a thousand numbers and the exposure is measured in seven figures. Cannabis is not exempt from any of this.

Email under CAN-SPAM uses a lower bar: opt-out, not opt-in. You can email someone who has not explicitly agreed, as long as you stop the moment they unsubscribe. That asymmetry is the single most important fact in this whole article. It means your email cart-recovery audience is larger and easier to build legally, and your SMS audience is smaller, more expensive to acquire, and far more dangerous to get wrong.

Why a checkout checkbox is not enough for texting

A box that says "Email me about my order" does not authorize marketing texts. Even a box that says "Text me" may not meet the TCPA's prior-express-written-consent standard if it is not clearly tied to marketing and is not a deliberate, affirmative action by the shopper. The safe construction is a separate, unchecked SMS consent box with explicit language naming marketing messages, message frequency, and "reply STOP to opt out," stored with a timestamp. Email and SMS are separate consents. Collect them separately, store them separately, and never assume one implies the other.

How do you build a legal cart-recovery audience?

Recover only from shoppers who created an account and opted in. That single rule eliminates most of the risk. A guest checkout with no account and no opt-in is not a recoverable cart, no matter how full it was. If you cannot tie the cart to a consenting, identifiable account, it is not your audience.

Layer the age gate on top. Your store is 21-plus, and your recovery flow has to respect that. The account you are emailing should be an age-verified account, and your messaging should never land in a way that an underage person could have triggered. Age-gate the flow at signup and keep the verification attached to the account record so your recovery automation only fires for verified, adult, opted-in contacts.

The reproducible measurement: count your recoverable carts

Before you build anything, measure your actual legal audience. Pull last month's abandoned carts. Of those, count how many came from logged-in accounts that had opted in to email. Only those are your legal email audience. Then count how many of those same accounts gave separate, TCPA-grade written SMS consent. That smaller number is your legal text audience. Run this count every month. The gap between your total abandoned carts and your opted-in subset is the ceiling on what cart recovery can legally do for you, and it tells you whether your real opportunity is recovery or whether it is fixing your opt-in capture at checkout first.

Most dispensaries run this count once and discover the recoverable slice is a fraction of total abandonment. That is not a failure. That is the honest number, and it is the only one you can act on without inviting a complaint.

When should the first recovery email go out?

Send the first email within about an hour, while intent is warm. The shopper was on your menu minutes ago. They know what they wanted. An hour later they may still be deciding, comparing, or simply distracted. Wait a day and you are emailing a cold lead who has half-forgotten the cart.

The timing of the first recovery touch

The practical sequence for a compliant flow looks like this. Touch one goes out roughly one hour after abandonment: a plain reminder of what is in the cart with a link back to it. Touch two, if you choose to send it, goes the next day and reframes around availability ("this is still in stock"). Touch three, if your state and your list health support it, can carry a soft nudge a couple of days later. Every message in that sequence carries the CAN-SPAM footer (postal address, honest subject, one-click unsubscribe), and the whole sequence stops the instant the shopper buys or unsubscribes. Do not run more touches than your unsubscribe rate can absorb. If the third email spikes opt-outs, cut it.

Should the recovery email include a discount?

Be careful here. Several states restrict cannabis discounts and coupons, and some ban them outright or cap them. Check state law before offering a percent-off in any recovery message. A "10% off, come back" email that is standard in generic ecommerce can be a regulatory violation for a dispensary depending on where you operate. If discounts are restricted in your state, recover on availability and convenience instead: the product is in stock, the cart is saved, checkout takes thirty seconds. Those levers are legal everywhere your store is.

Which channel should a dispensary use for cart recovery?

Email first, SMS only if you have earned the consent, app push if you have an app. The governing rules, consent requirements, and best use differ enough that you should treat each as its own decision.

Read the table as a priority order, not a menu. Email is where the volume and the safety both live. SMS is a scalpel for your most engaged, fully consented buyers. App push is free of federal email and texting law but limited to the slice of customers who installed and allowed notifications. If you are starting from zero, build email recovery, do it well, and add SMS only once your separate consent capture is clean.

How does cart recovery fit with the rest of dispensary automation?

Cart recovery is one node in a larger system, and it works better when the surrounding pieces are solid. If your online menu shows products that are out of stock, your recovery emails will send shoppers back to carts they cannot complete, which trains them to ignore you. Get your menu sync automation right first so recovery messages point at real, available inventory.

The same logic applies to the questions a returning shopper has. If they abandoned because they were not sure about dosage, effect, or store policy, a recovery email that drops them back into a checkout with no answers will not convert. Pairing recovery with AI customer service for dispensaries means the shopper who clicks back in can get the one question answered that was blocking the order. Recovery is not just a reminder. It is the close on a sale that stalled for a reason, and the reason is usually fixable.

Treat the whole thing as plumbing. Consent capture at checkout feeds the audience. The age gate filters it. The menu sync keeps the offer honest. The recovery sequence does the reminding. Customer service removes the last objection. Pull any one piece and the recovered revenue drops.

What does a compliant recovery flow look like end to end?

Start with capture. At checkout and signup, collect email with a clear marketing opt-in, and collect SMS consent separately with TCPA-grade language if you plan to text. Age-verify the account. Store consent with timestamps so you can prove it if challenged.

Then the trigger. A shopper with a consenting, age-verified account starts a cart and leaves. About an hour later, the first email fires: the cart contents, a link back, your postal address, an honest subject, a one-click unsubscribe. If they do not return, a second email the next day reframes on availability. If your state and list health allow it, a third soft nudge follows. SMS, if you use it at all, sends one short reminder only to the subset with written text consent. The whole flow halts on purchase or unsubscribe.

Finally, the guardrails. No discounts unless your state permits them. No medical or health claims. No messaging to guest checkouts or scraped contacts. No assuming email consent covers texting. Honor every opt-out immediately. Run the recoverable-cart count monthly so you always know the size and shape of your legal audience. Done this way, cart recovery is one of the highest-return automations a dispensary can run, because the carts are already full and the shoppers already wanted to buy. If you want a hand wiring it to your state's rules, send a brief.

How we know this: methodology and sources

The 70.19% cart abandonment figure is the documented average across 49 studies compiled by Baymard Institute (2025), an independent ecommerce research firm. We use the cross-study average rather than any single vendor's number because it is the most defensible baseline for "carts are lost at scale."

The SMS consent rules come directly from the Telephone Consumer Protection Act, codified at 47 U.S.C. 227, as published by the Legal Information Institute at Cornell Law. The prior-express-written-consent standard, the right of revocation, and the statutory damages (up to $1,500 per willful violation) are statutory, not interpretive. Cannabis businesses receive no exemption.

The email requirements come from the CAN-SPAM compliance guide published by the FTC: working opt-out, physical postal address, honest subject line, and identification as an advertisement in every commercial message.

The operational guidance (recover only from opted-in account holders, treat email and SMS as separate consents, age-gate at 21-plus, verify state discount rules before offering coupons, send the first touch within about an hour) reflects the constraints those laws impose, applied to dispensary ecommerce. We deliberately express everything beyond the three cited facts as a reproducible measurement rather than a borrowed statistic, so you can verify the size of your own opportunity instead of trusting ours.