You’ve probably heard of the General Data Protection Regulation (GDPR) by now, and might have a few questions about how to prepare for it. Here’s what we know about how it might affect MailChimp and our users.
This article is provided as a resource, but does not constitute legal advice. We encourage you to speak to a legal practitioner in your area to learn how the GDPR may affect your organization.
What and Who
The GDPR is a European Union (EU) privacy law that will affect businesses around the world when it becomes enforceable on May 25, 2018. It regulates how any organization treats or uses the personal data of EU citizens, including organizations located outside of the EU.
Personal data is any piece of data that, used alone or with other data, could identify a person.
If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you'll need to comply with the GDPR.
The GDPR will replace an older directive on data privacy, Directive 95/46/EC, and it introduces a few important changes that may affect MailChimp users.
You need to have a legal basis, like consent, to process an EU citizen's personal data. Under the GDPR, you may use another legal basis for processing personal data, but we expect the majority of MailChimp users will rely on consent. This consent must be explicit and verifiable.
Verifiable consent requires a written record of when and how someone agreed to let you process their personal data. All MailChimp forms, regardless of opt-in method, collect the email address, IP address, and timestamp associated with everyone who submits the form.
Explicit consent requires that each contact takes an affirmative action to consent, so your form can't use a pre-checked opt-in box. In addition, the opt-in message you use has to state all the ways you could possibly use the personal data you collect.
For a MailChimp user, this could mean, for example, that a contact agrees to let you do any or all of the following.
- Transfer their contact information to MailChimp
- Store their contact information in your MailChimp account
- Send them marketing emails from your MailChimp account
- Track interactions for email marketing and ad placement purposes
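To make the "verifiable" and "explicit" requirements concrete, here is an added example (not MailChimp code; the field names, purpose labels and sample records are assumptions constructed for illustration) of a consent record that stores when and how someone agreed, and a check that a given processing activity is covered by the purposes stated at opt-in. A record from a pre-checked box, or an import with no timestamp or IP address, fails the check.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List, Optional

# Processing purposes a contact might agree to, mirroring the list above.
# These labels are hypothetical, not a MailChimp identifier set.
PURPOSES = frozenset({
    "transfer_to_processor",   # transfer contact info to the email service
    "store_in_account",        # store contact info in your account
    "send_marketing_email",    # send marketing emails
    "track_interactions",      # track interactions for email and ad purposes
})


@dataclass(frozen=True)
class ConsentRecord:
    """One signup event. Field names are hypothetical, not an export format."""
    email: str
    ip_address: Optional[str]
    timestamp: Optional[datetime]
    source: str                      # how consent was collected, e.g. a signup form
    prechecked_box: bool             # was the opt-in box already ticked?
    purposes: FrozenSet[str] = field(default_factory=frozenset)


def consent_gaps(rec: ConsentRecord) -> List[str]:
    """List everything that stops this record from being verifiable and explicit."""
    gaps = []
    # Verifiable: we can show when and how the person agreed.
    if rec.timestamp is None:
        gaps.append("missing timestamp")
    if not rec.ip_address:
        gaps.append("missing IP address")
    if not rec.source:
        gaps.append("missing source")
    # Explicit: an affirmative act, with the intended uses stated up front.
    if rec.prechecked_box:
        gaps.append("opt-in box was pre-checked")
    if not rec.purposes:
        gaps.append("no purposes stated at opt-in")
    return gaps


def may_process(rec: ConsentRecord, purpose: str) -> bool:
    """Allow a processing activity only if consent is valid and covers that purpose."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose: {purpose}")
    return not consent_gaps(rec) and purpose in rec.purposes


def audit(records: List[ConsentRecord]) -> Dict[str, List[str]]:
    """Map each contact with defective consent to the reasons, for follow-up."""
    return {r.email: consent_gaps(r) for r in records if consent_gaps(r)}


# Constructed sample records (not real contacts).
GOOD = ConsentRecord(
    email="signup@example.com", ip_address="203.0.113.5",
    timestamp=datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc),
    source="hosted_signup_form", prechecked_box=False,
    purposes=frozenset({"transfer_to_processor", "store_in_account",
                        "send_marketing_email"}),
)
PRECHECKED = ConsentRecord(
    email="prechecked@example.com", ip_address="203.0.113.6",
    timestamp=datetime(2018, 5, 25, 9, 5, tzinfo=timezone.utc),
    source="checkout_page", prechecked_box=True, purposes=frozenset(PURPOSES),
)
IMPORTED = ConsentRecord(
    email="imported@example.com", ip_address=None, timestamp=None,
    source="api_import", prechecked_box=False, purposes=frozenset(PURPOSES),
)
SAMPLE_RECORDS = [GOOD, PRECHECKED, IMPORTED]

if __name__ == "__main__":
    for r in SAMPLE_RECORDS:
        print(r.email, "send_marketing_email:", may_process(r, "send_marketing_email"))
    print(audit(SAMPLE_RECORDS))
```

Note that the first record passes for sending marketing email but not for tracking interactions, because tracking was not among the purposes stated when the person opted in; consent covers only what the opt-in message disclosed.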
About Individual Rights
The GDPR also outlines the rights of individuals around their personal data. EU citizens will have the right to ask for details about the way you use their personal data and can ask you to do certain things with that data.
You should be prepared to support people's requests to have personal data corrected or completed, transferred to another organization, prohibited for certain uses, or removed completely—all in a timely manner.
You should also be able to tell someone how their personal data is being stored, and what you're using it for. If they ask, you'll also have to share the personal data you hold on an individual, or offer a way for them to access it.
What can I do?
As far as your email marketing is concerned, we suggest you start using a MailChimp signup form to grow your list, because we always store permission data in case you need it in the future. For additional evidence of permission, you may choose to turn on double opt-in.
No matter what opt-in method you choose, permission data is stored in list export files.
If you rely on consent to process subscribers' personal data, double check where and why your contacts shared their data with you to make sure that the consent you obtained meets the GDPR's standards. For example, check third-party integrations to be sure they don't automatically add people to your MailChimp list without an opt-in checkbox that clearly states how you'll use that person's data. You should also review the terms associated with any MailChimp add-ons or third-party integrations you use.
Another good way to prepare for the GDPR is simply to educate yourself. We want to help our users prepare for the change, but the GDPR's provisions could affect your business outside of how you use MailChimp. Here are some additional resources.
What is MailChimp doing to prepare?
We've been researching the GDPR and modifying many of our internal practices and policies over the last year, because we are committed to achieving compliance with the GDPR in 2018. For example, we're in the process of updating our Data Processing Agreement and third-party vendor contracts to meet the GDPR's requirements.
We're also assessing the impact of the GDPR on MailChimp's tools to see if we can make them more practical for users who are subject to the GDPR.
As further guidance is released and our research progresses, we'll continue to look for ways we can help our users around the world get ready for the GDPR.