If your business is based in the European Union (EU), or you process the personal data of people in the EU, the General Data Protection Regulation (GDPR) affects you.
In this article, we'll answer common questions about MailChimp and the GDPR.
MailChimp offers tools and information as a resource, but we don’t offer legal advice. We recommend you contact your legal counsel to find out how the GDPR affects you.
Can I collect consent for other tools through MailChimp's GDPR signup forms?
Yes. You can edit the suggested language for the GDPR fields of our signup forms to collect consent for use outside of MailChimp. If you choose to write your own descriptions, make sure you’re explicit about why you’re collecting data.
How can I prove consent?
- Export your list.
If a contact signed up for your list through a MailChimp-hosted form, you can export your list and review the OPTIN_TIME and OPTIN_IP fields in your exported CSV file. These fields contain the date, time, and IP address associated with the signup.
- Turn on double opt-in.
You can enable double opt-in, which includes an extra confirmation step that verifies each email address. After turning on double opt-in, export your list and review the CONFIRM_TIME and CONFIRM_IP fields in your exported CSV file. These fields contain the date, time, and IP address associated with the confirmation.
- Take a screenshot of your signup form.
You can capture an image of your signup form to prove you accurately described your marketing activities.
We’ll soon be releasing tools to make these processes easier.
How can I use MailChimp features to help comply with the GDPR?
- Ensure the language in your signup form accurately describes your marketing activities.
- Sign our Data Processing Agreement.
- Turn on two-factor authentication on your MailChimp account for added protection.
- Update your website's privacy statement or policy to state that you use MailChimp to store information.
- Make sure your Cookie Statement describes any cookies or tracking technologies you might use.
If you're not sure, MailChimp's Cookie Statement includes a section called Cookies served through the Services that describes technology you (or your website) might use, depending on the features you use through MailChimp.
The GDPR could affect your business outside of MailChimp. We recommend you contact your legal counsel to find out how the GDPR affects you.
Do I need to get consent from my existing contacts?
If you collected consent from existing contacts in a way that complies with the GDPR, you may not need to collect consent from those contacts again.
Otherwise, you'll need to collect GDPR-friendly consent from the contacts you already have. Send a consent email to everyone on your list that includes a link to update their settings.
To ensure maximum response before May 25, you might want to send a reminder a week after your first email. Use a descriptive subject line to let your contacts know that an action is required.
If my contacts don’t consent, should I stop communicating with them?
You need to have a legal basis, like consent, to process an EU data subject’s personal data.
After May 25, 2018, use your Marketing Permissions segments to communicate only with contacts who have expressly opted in to your marketing. You may find it helpful to bulk unsubscribe all contacts who have not opted in to receive any marketing from you.
Do I need to use double opt-in?
We recommend you enable double opt-in if you are subject to the GDPR.
Double opt-in includes an extra confirmation step that verifies each email address. This confirmation provides additional evidence of consent.
How can I see who signed up using double opt-in?
Export your list and review the OPTIN_TIME and CONFIRM_TIME fields in your exported CSV file.
- OPTIN_TIME: the date and time the contact submitted your signup form, if they used it to sign up.
- CONFIRM_TIME: the date and time the contact clicked the link in the opt-in confirmation email.
If CONFIRM_TIME is populated and differs from OPTIN_TIME, the contact most likely signed up using double opt-in.
If you've combined your lists into a master list, the OPTIN_TIME field won't be included in your exported file, so you won't be able to verify the opt-in status of those contacts from the export.
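The checks above (and the OPTIN_TIME / OPTIN_IP / CONFIRM_TIME / CONFIRM_IP review under "How can I prove consent?") are easy to do by hand for a handful of contacts but not for a large list. The script below is an added example, not MailChimp code, that reads an exported CSV, records the strongest consent evidence for each address (the confirmation timestamp and IP when present, otherwise the signup timestamp and IP), and flags the merged-list case where the OPTIN_TIME column is missing. The field names come from this page; the name of the address column ("Email Address") and the sample rows are assumptions constructed for the example.

```python
import csv
import io
from collections import Counter

# Field names as they appear in a MailChimp list export (named on this page).
OPTIN_TIME = "OPTIN_TIME"
OPTIN_IP = "OPTIN_IP"
CONFIRM_TIME = "CONFIRM_TIME"
CONFIRM_IP = "CONFIRM_IP"
# Assumption: the address column in the export is called "Email Address".
EMAIL = "Email Address"

# Constructed sample export (not real subscriber data).
SAMPLE_EXPORT = """Email Address,OPTIN_TIME,OPTIN_IP,CONFIRM_TIME,CONFIRM_IP
alice@example.com,2018-04-02 09:15:31,198.51.100.7,2018-04-02 09:17:02,198.51.100.7
bob@example.com,2018-04-03 18:40:10,203.0.113.9,,
carol@example.com,,,,
dave@example.com,2018-04-05 11:00:00,192.0.2.44,2018-04-05 11:00:00,192.0.2.44
"""

# Constructed export of a merged master list: OPTIN_TIME is absent, as the page warns.
MERGED_EXPORT = """Email Address,CONFIRM_TIME,CONFIRM_IP
erin@example.com,2018-04-06 08:00:00,198.51.100.20
"""


def classify_contact(row):
    """Return (status, evidence) for one export row.

    status is one of:
      "double opt-in"  - CONFIRM_TIME is populated and differs from OPTIN_TIME
      "single opt-in"  - OPTIN_TIME is populated but there is no distinct confirmation
      "no form record" - neither field is populated (imported, API, integration, ...)
      "unverifiable"   - the OPTIN_TIME column is missing (merged master list)
    evidence is the (timestamp, ip) pair worth keeping as proof of consent, or None.
    """
    if OPTIN_TIME not in row:
        return "unverifiable", None
    optin = (row.get(OPTIN_TIME) or "").strip()
    confirm = (row.get(CONFIRM_TIME) or "").strip()
    # Per the page: differing OPTIN_TIME and CONFIRM_TIME values indicate double opt-in.
    # Identical values are treated as a plain signup, not as a confirmation.
    if confirm and confirm != optin:
        return "double opt-in", (confirm, (row.get(CONFIRM_IP) or "").strip())
    if optin:
        return "single opt-in", (optin, (row.get(OPTIN_IP) or "").strip())
    return "no form record", None


def audit_export(csv_text):
    """Parse an export and map each lower-cased address to (status, evidence)."""
    reader = csv.DictReader(io.StringIO(csv_text))
    results = {}
    for row in reader:
        email = (row.get(EMAIL) or "").strip().lower()
        if not email:
            continue  # skip blank or malformed lines rather than mis-attributing evidence
        results[email] = classify_contact(row)
    return results


def summarize(results):
    """Count contacts per status, e.g. to report how much of a list is confirmed."""
    return Counter(status for status, _ in results.values())


def without_confirmation(results):
    """Addresses lacking double opt-in evidence: review these before relying on consent."""
    return sorted(email for email, (status, _) in results.items() if status != "double opt-in")


if __name__ == "__main__":
    audit = audit_export(SAMPLE_EXPORT)
    for email, (status, evidence) in audit.items():
        print(f"{email:20} {status:15} {evidence}")
    print(dict(summarize(audit)))
    print("merged list:", audit_export(MERGED_EXPORT))
```

Run it against a real export by replacing SAMPLE_EXPORT with the file contents; keep the (timestamp, IP) pairs it returns alongside a dated screenshot of the form, since together they are the evidence the page says you can use to demonstrate consent.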
How do I fully delete a contact's data?
We’ll soon be releasing tools to let you comply with deletion requests. You can use these tools to delete a contact’s data without affecting the accuracy of your MailChimp reports.
Can I translate GDPR fields in MailChimp's signup forms?
Can I use GDPR fields with embedded forms or MailChimp Subscribe?
No. GDPR fields are not compatible with embedded forms, form integrations, or MailChimp Subscribe.
Can I make the Options field on GDPR forms required?
No. On GDPR forms, the Options field uses checkboxes to get consent for each marketing activity you conduct. Under the GDPR, consent must be unambiguous and involve a clear affirmative action, which means required or pre-checked consent boxes can't be used.
Connected Sites and Integrations
What if I transfer data from a site or e-commerce store to my MailChimp account?
You are responsible for determining whether other third-party applications, including connected sites and e-commerce stores, meet GDPR requirements.
If you rely on consent to process subscribers' personal data, double-check whether the consent you previously obtained meets the GDPR's standards. For example, check third-party integrations to be sure they don't automatically add people to your MailChimp list without an opt-in checkbox that clearly states how you'll use that person's data. You should also review the terms associated with any MailChimp add-ons or third-party integrations you use.
Do I need to sign MailChimp’s Data Processing Agreement?
What’s the penalty if I don’t comply with the GDPR?
Chapter 8 of the full text of the GDPR discusses remedies, liability, and penalties.
Where are MailChimp’s servers?
Our servers are located in the United States. Because MailChimp certifies to the Privacy Shield framework, we can lawfully receive EU data.