You’re responsible for determining whether the Service is suitable for you to use in light of your obligations under any regulations like HIPAA, GLB, EU data privacy laws (including the General Data Protection Regulation) (collectively, “EU Data Privacy Laws”), United States export control laws and regulations and economic sanctions laws and regulations (“U.S. Export Control Laws and Regulations”), or other applicable laws.
The requirements are even more explicit if you’re located in the EEA (including the UK and Switzerland) or have anyone located in these regions on your mailing list:
If you’re located in the European Economic Area, the United Kingdom, or Switzerland (collectively, the “EEA”) and/or distribute Campaigns or other Content through the Service to anyone located in the EEA (each such Member an “EEA Member”) in creating your Campaign distribution list, sending Campaigns via the Service, and/or otherwise collecting information as a result of creating or sending Campaigns, you represent and warrant to Mailchimp that:
- You will get and maintain all necessary permissions and valid consents required to lawfully transfer data to Mailchimp and to enable such data to be lawfully collected, processed, and shared by Mailchimp for the purposes of providing the Service or as otherwise directed by you.
- You will comply with all laws and regulations applicable to the Campaigns sent through the Service, including those relating to (a) acquiring consents (where required) to lawfully send Campaigns, (b) the Content of Campaigns, and (c) your Campaign deployment practices.
In addition, if you are an EEA Member, you acknowledge and agree that we have your prior written authorization to respond, at our discretion, to any data subject access requests we receive from your contacts made under EU Data Privacy Laws, or, alternatively, we may direct any such contacts to you so that you can respond to the request accordingly.
Now that we’ve established that Mailchimp requires you to adhere to all applicable law, let’s take a look at the legal requirements below.
General privacy requirements
If you fall under the scope of laws such as the GDPR and even Canada’s PIPA, the consent you collect must meet specific requirements in order to be considered valid, including that of fully and correctly informing your users of the purposes, methods, and parties involved in the processing of their data.
How to Comply
- Next, add any service you might be using — be sure to include your own processing activities as well as those of any third parties. In this case, your direct processing activity would be your mailing list, so you’ll need to add the “Mailing List or Newsletter” service; since you’re using Mailchimp to handle your mailing list, you must also add the “Mailchimp” service. Important: also consider adding “Direct Email Marketing (DEM)” if you monetize your newsletter. Once you’re finished adding all applicable services, click Save & Close.
- Finally, if you haven’t already, fill out your website owner and contact details and you’re done!
*All our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up-to-date with the latest legal changes and third-party requirements.
2. Enable Mailchimp’s GDPR fields
Mailchimp has long made available a feature called GDPR fields: signup forms with these fields enabled include checkboxes for opt-in consent and editable sections that explain how and why you are using data. Please note that just enabling GDPR fields on your signup forms does not make you compliant.
Here’s what you have to do:
- set up your GDPR-friendly signup form (enabling and editing GDPR fields);
- segment your list based on the marketing permissions you receive from your signup form; and
- collect valid consent from new and existing contacts.
Visit mailchimp.com/help to learn more about how to use these features.
Simply having these features enabled does not automatically make you compliant. Remember, consent must be collected in accordance with whichever country’s law applies to you, and mailing lists must be managed in a compliant way. Some of these requirements depend heavily on how you design your forms and your actual newsletter. For a full overview of what’s required, and visual examples of how you can implement it, read our Email Newsletter guide.
Double Opt-In (optional)
Mailchimp offers two opt-in settings for your lists: single opt-in and double opt-in. While single opt-in only requires that users submit their information in order to be added to your list, double opt-in requires that users first validate their email address before being added to your mailing list. The validation is carried out when users click on a specific link contained in a confirmation message sent to their email address.
Depending on your organization’s needs, you may want to try the double opt-in process, which includes an extra confirmation step that verifies each email address. This method of registration is considered best practice in many countries and might be required in some (e.g. Germany).
You can read Mailchimp’s guide on how to enable double opt-in for your lists here.
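The security point behind double opt-in is that a form submission alone must never be able to subscribe an address its submitter does not control: the address stays pending until a link that only the mailbox owner can have received is clicked. The sketch below is an added example of that flow, not Mailchimp’s own implementation; the confirmation link carries an HMAC over the address, the list id and the issue time, so it cannot be forged, redirected to a different address, replayed after confirmation, or used after it expires. The secret, list ids, addresses and 48-hour lifetime are constructed sample values.

```python
"""Double opt-in confirmation tokens (added example; not Mailchimp's code)."""
import base64
import binascii
import hashlib
import hmac
import json
from typing import Optional

# Hypothetical server-side secret; in production load it from a secret store.
SECRET = b"constructed-demo-secret-do-not-use"
TOKEN_TTL_SECONDS = 48 * 3600  # assumed lifetime of a confirmation link


def _b64u(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64u_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload: bytes, secret: bytes) -> bytes:
    return hmac.new(secret, payload, hashlib.sha256).digest()


def make_confirmation_token(email: str, list_id: str, issued_at: int,
                            secret: bytes = SECRET) -> str:
    """Bind address + list + issue time under the secret; this goes in the e-mailed link."""
    payload = json.dumps({"email": email.strip().lower(), "list": list_id, "iat": issued_at},
                         separators=(",", ":"), sort_keys=True).encode()
    return _b64u(payload) + "." + _b64u(_sign(payload, secret))


def verify_confirmation_token(token: str, now: int,
                              secret: bytes = SECRET) -> Optional[dict]:
    """Return the claims if the token is authentic and unexpired, otherwise None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64u_decode(payload_b64)
        sig = _b64u_decode(sig_b64)
    except (ValueError, binascii.Error):
        return None
    # Constant-time comparison: an early-exit compare leaks the MAC byte by byte.
    if not hmac.compare_digest(sig, _sign(payload, secret)):
        return None
    claims = json.loads(payload)  # payload is ours: the MAC verified
    if now < claims["iat"] or now - claims["iat"] > TOKEN_TTL_SECONDS:
        return None
    return claims


class SubscriberList:
    """Minimal in-memory list showing single vs. double opt-in behaviour."""

    def __init__(self, list_id: str, double_opt_in: bool = True):
        self.list_id = list_id
        self.double_opt_in = double_opt_in
        self.pending = {}      # email -> signup time, awaiting confirmation
        self.subscribed = {}   # email -> confirmation time

    def signup(self, email: str, now: int) -> Optional[str]:
        """Handle a form submission; returns the token to e-mail, or None for single opt-in."""
        email = email.strip().lower()
        if not self.double_opt_in:
            self.subscribed[email] = now   # single opt-in: live immediately, unverified
            return None
        self.pending[email] = now
        return make_confirmation_token(email, self.list_id, now)

    def confirm(self, token: str, now: int) -> bool:
        """Handle the click on the confirmation link."""
        claims = verify_confirmation_token(token, now)
        if claims is None or claims["list"] != self.list_id:
            return False
        email = claims["email"]
        if email not in self.pending:
            return False   # already confirmed (replay), or never signed up here
        self.subscribed[email] = now
        del self.pending[email]
        return True
```

Only the token's lifetime and the pending set give the link its one-shot semantics; a token that verifies cryptographically is still refused once the address has left `pending`, which is what stops a forwarded or re-clicked link from re-subscribing someone who has since unsubscribed.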
3. Sign the Mailchimp DPA
4. Keep Valid Records of Consent
If you fall within the scope of the GDPR (and you likely do), it’s mandatory that you keep valid records of consent. These records should include:
- who provided the consent;
- exactly when and how you acquired consent from the individual user;
- the consent collection form the user was presented with at the time of the collection; and
- which conditions and legal documents were applicable at the time that the consent was acquired.
This is, of course, a technical challenge.
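What makes it a technical challenge is not writing the four fields down but being able to show, later, that they have not been altered and that the form and documents referenced still exist verbatim. The following is an added example of a minimal proof-of-consent store covering the four points above (it is not iubenda's Consent Solution, whose API the page does not describe): each record holds who consented, when and how, a hash of the exact form presented, and hashes of the legal documents in force, with the verbatim texts kept alongside; records are chained by hash so a silent edit or deletion is detectable; and the latest record per address drives list segmentation by marketing permission. The form markup, policy text, subjects and dates are constructed sample data.

```python
"""Hash-chained proof-of-consent records (added example; not iubenda's Consent Solution)."""
import hashlib
import json
from datetime import datetime, timezone
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first record


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def canonical(obj) -> bytes:
    """Stable serialisation so the same record always hashes the same way."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode("utf-8")


class ConsentLedger:
    """Append-only consent store; in memory here, a database table in practice."""

    def __init__(self):
        self.records = []
        self.snapshots = {}  # sha256 -> verbatim text of a form or legal document

    def _snapshot(self, text: str) -> str:
        digest = sha256_hex(text.encode("utf-8"))
        self.snapshots.setdefault(digest, text)
        return digest

    def record(self, subject_id: str, email: str, method: str, purposes: dict,
               form_html: str, legal_docs: dict,
               consented_at: Optional[datetime] = None) -> dict:
        """Append one consent event: who, when, how, which boxes, which form, which documents."""
        when = consented_at or datetime.now(timezone.utc)
        rec = {
            "seq": len(self.records),
            "subject_id": subject_id,
            "email": email.strip().lower(),
            "consented_at": when.isoformat(),
            "method": method,                      # e.g. "signup_form", "preference_centre"
            "purposes": purposes,                  # {"newsletter": True, "profiling": False}
            "form_hash": self._snapshot(form_html),
            "legal_docs": {n: self._snapshot(t) for n, t in legal_docs.items()},
            "prev_hash": self.records[-1]["record_hash"] if self.records else GENESIS,
        }
        rec["record_hash"] = sha256_hex(canonical(rec))
        self.records.append(rec)
        return rec

    def verify_chain(self) -> bool:
        """Recompute every hash and link; False if any record was altered, removed or reordered."""
        prev = GENESIS
        for i, rec in enumerate(self.records):
            body = {k: v for k, v in rec.items() if k != "record_hash"}
            if rec["seq"] != i or body["prev_hash"] != prev:
                return False
            if sha256_hex(canonical(body)) != rec["record_hash"]:
                return False
            referenced = [body["form_hash"], *body["legal_docs"].values()]
            if any(h not in self.snapshots for h in referenced):
                return False   # proof is incomplete if the form/document text is gone
            prev = rec["record_hash"]
        return True

    def latest_for(self, email: str) -> Optional[dict]:
        """Most recent event for an address; a later withdrawal supersedes an earlier grant."""
        matches = [r for r in self.records if r["email"] == email.strip().lower()]
        return matches[-1] if matches else None

    def proof_for(self, email: str) -> Optional[dict]:
        """Record plus the verbatim form and documents the subject saw, for an audit or DSAR."""
        rec = self.latest_for(email)
        if rec is None:
            return None
        return {"record": rec,
                "form_html": self.snapshots[rec["form_hash"]],
                "legal_docs": {n: self.snapshots[h] for n, h in rec["legal_docs"].items()}}

    def segment(self, purpose: str) -> list:
        """Addresses whose latest record grants `purpose`, i.e. who may be mailed for it."""
        latest = {}
        for rec in self.records:
            latest[rec["email"]] = rec
        return sorted(e for e, r in latest.items() if r["purposes"].get(purpose))


# Constructed sample data: a two-checkbox signup form and one privacy-policy version.
SAMPLE_FORM = ('<form><input type="checkbox" name="newsletter"> Newsletter '
               '<input type="checkbox" name="profiling"> Tailored offers</form>')
SAMPLE_DOCS = {"privacy_policy": "Privacy Policy v3 (constructed sample text)"}


def demo_ledger() -> ConsentLedger:
    ledger = ConsentLedger()
    ledger.record("u-1001", "Alice@Example.com", "signup_form",
                  {"newsletter": True, "profiling": False}, SAMPLE_FORM, SAMPLE_DOCS,
                  datetime(2024, 5, 1, 9, 30, tzinfo=timezone.utc))
    ledger.record("u-1002", "bob@example.com", "signup_form",
                  {"newsletter": True, "profiling": True}, SAMPLE_FORM, SAMPLE_DOCS,
                  datetime(2024, 5, 2, 14, 0, tzinfo=timezone.utc))
    # Alice later withdraws: a new record, never an edit of the old one.
    ledger.record("u-1001", "alice@example.com", "preference_centre",
                  {"newsletter": False, "profiling": False}, SAMPLE_FORM, SAMPLE_DOCS,
                  datetime(2024, 6, 1, 8, 0, tzinfo=timezone.utc))
    return ledger
```

Storing the form and policy by hash rather than by name is the detail that matters for point three and four above: "the signup form" and "Privacy Policy v3" are labels that can be reused after a change, whereas a hash pins the exact wording the person agreed to.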
Our Consent Solution simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for individual consents — allowing you to track every aspect of the consent collected.
Simply activate the Consent Solution, get the API key, then install it via the HTTP API or the JS widget and you’re done! You’ll be able to retrieve consents at any time and keep them updated.
For more info on the consent solution, read the Consent Solution Introduction guide, or, for a practical look at how the solution can be used on a WordPress site, check out our guide on How to use the Consent Solution with Contact Form 7.
To get started simply: