You’re responsible for determining whether the Service is suitable for you to use in light of your obligations under any regulations like HIPAA, GLB, EU data privacy laws (including the General Data Protection Regulation) (collectively, “EU Data Privacy Laws”), United States export control laws and regulations and economic sanctions laws and regulations (“U.S. Export Control Laws and Regulations”), or other applicable laws.
The requirements are even more explicit if you’re located in the EEA (including the UK and Switzerland) or have anyone located in these regions on your mailing list:
If you’re located in the European Economic Area, the United Kingdom, or Switzerland (collectively, the “EEA”) and/or distribute Campaigns or other Content through the Service to anyone located in the EEA (each such Member an “EEA Member”) in creating your Campaign distribution list, sending Campaigns via the Service, and/or otherwise collecting information as a result of creating or sending Campaigns, you represent and warrant to Mailchimp that:
- You will get and maintain all necessary permissions and valid consents required to lawfully transfer data to Mailchimp and to enable such data to be lawfully collected, processed, and shared by Mailchimp for the purposes of providing the Service or as otherwise directed by you.
- You will comply with all laws and regulations applicable to the Campaigns sent through the Service, including those relating to (a) acquiring consents (where required) to lawfully send Campaigns, (b) the Content of Campaigns, and (c) your Campaign deployment practices.
In addition, if you are an EEA Member, you acknowledge and agree that we have your prior written authorization to respond, at our discretion, to any data subject access requests we receive from your contacts made under EU Data Privacy Laws, or, alternatively, we may direct any such contacts to you so that you can respond to the request accordingly.
Now that we’ve established that Mailchimp requires you to adhere to all applicable law, let’s take a look at the legal requirements below.
If you fall under the scope of laws such as the GDPR (and even Canada’s PIPA), the consent you collect is only valid if it meets specific requirements, including fully and correctly informing your users about the purposes, methods, and parties involved in the processing of their data.
*All our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up-to-date with the latest legal changes and third-party requirements.
Mailchimp has long made available a feature called GDPR fields: GDPR-friendly forms include checkboxes for opt-in consent, and editable sections that explain how and why you are using data. Please note that just enabling GDPR fields on your signup forms does not make you compliant.
Here’s what you have to do:
Visit mailchimp.com/help to learn more about how to use these features.
Simply having these features enabled does not automatically make you compliant. Remember, consent must be collected in accordance with whichever countries’ law applies to you, and mailing lists must be managed in a compliant way. Some of these requirements depend heavily on how you design your forms and your actual newsletter. For a full overview of what’s required, and visual examples of how you can implement it, read our Email and Newsletter Compliance Guide.
Mailchimp offers two opt-in settings for your lists: single opt-in and double opt-in. While single opt-in only requires that users submit their information in order to be added to your list, double opt-in requires that users first validate their email address before being added to your mailing list. The validation is carried out when users click on a specific link contained in a confirmation message sent to their email address.
Depending on your organization’s needs, you may want to try the double opt-in process, which includes an extra confirmation step that verifies each email address. This method of registration is considered best practice in many countries and might be required in some (e.g. Germany).
If you fall within the scope of the GDPR (and you likely do), it’s mandatory that you keep valid records of consent. These records should include:
This is, of course, a technical challenge.
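To make the double opt-in flow and the record-keeping concrete, here is an added example in Python. It is not Mailchimp's or this site's code, and every name in it (SECRET_KEY, PENDING, CONSENT_LOG, the 48-hour link lifetime, the record fields) is an illustrative assumption. It shows the two steps described above: the form submission creates only a pending entry, and the address is added, with a proof-of-consent record, only when the confirmation link is clicked. The link carries an HMAC-signed, expiring, single-use token so that a confirmation cannot be forged, replayed or guessed.

```python
"""Double opt-in with signed, single-use, expiring confirmation tokens and a
consent record written only on confirmation. Example code added to this
article, not Mailchimp's or the site's implementation; all names are illustrative."""
import hashlib
import hmac
import secrets
import time

# Hypothetical server-side secret; in a real deployment load it from a secret
# store, never hard-code it. Generated fresh here so the example runs offline.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL_SECONDS = 48 * 3600      # assumed policy: confirmation links expire after 48 h

PENDING = {}       # token_id -> unconfirmed signup (constructed in-memory store)
CONSENT_LOG = []   # proof-of-consent records for confirmed subscribers


def _sign(payload: str) -> str:
    """HMAC-SHA256 over the token payload so the link cannot be forged or altered."""
    return hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()


def start_signup(email, consent_text_version, source_url, ip, now=None):
    """Step 1 (single opt-in would stop here): the form is submitted, but the
    address is NOT added to the list yet. Returns the token to embed in the
    confirmation email."""
    now = int(now if now is not None else time.time())
    token_id = secrets.token_urlsafe(16)            # 128 random bits: unguessable
    expires = now + TOKEN_TTL_SECONDS
    payload = f"{token_id}.{expires}"
    PENDING[token_id] = {
        "email": email,
        "consent_text_version": consent_text_version,  # which wording / policy version was shown
        "source_url": source_url,                       # which form collected it
        "submitted_at": now,
        "submitted_ip": ip,
    }
    return f"{payload}.{_sign(payload)}"


def confirm(token, ip, now=None):
    """Step 2: the subscriber clicks the link. Verify signature, expiry and
    single use before writing the consent record. Returns the record or None."""
    now = int(now if now is not None else time.time())
    parts = token.split(".")
    if len(parts) != 3:
        return None
    token_id, expires_s, sig = parts
    # Constant-time comparison: never leak partial matches through timing.
    if not hmac.compare_digest(sig, _sign(f"{token_id}.{expires_s}")):
        return None                                  # forged or tampered link
    if now > int(expires_s):
        return None                                  # stale link
    pending = PENDING.pop(token_id, None)            # pop: each link works exactly once
    if pending is None:
        return None                                  # unknown or already used
    record = dict(pending, method="double opt-in", confirmed_at=now, confirmed_ip=ip)
    CONSENT_LOG.append(record)
    return record


def consent_records(email):
    """Retrieve proof of consent for an address, e.g. to answer a data subject request."""
    return [r for r in CONSENT_LOG if r["email"] == email]
```

The record written by confirm() is what you would later need to produce as proof: who consented, to which version of the consent text, on which form, when it was submitted and when it was confirmed, and from which addresses. Storing the consent text version rather than a yes/no flag matters, because consent is only as good as what the person was told at the time.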
Our Consent Solution simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for individual consents — allowing you to track every aspect of the consent collected.
Simply activate the Consent Solution, get the API key, then install via HTTP API or JS widget and you’re done! You’ll be able to retrieve consents at any time and keep them updated.
For more info on the consent solution, read the Consent Solution introduction guide, or, for a practical look at how the solution can be used on a WordPress site, check out our guide on How to use the Consent Solution with Contact Form 7.
To get started simply: