Iubenda logo
Start generating

Documentation

Table of Contents

Privacy policy, GDPR forms and consent collection for Mailchimp

If you have a website, a contact/subscribe form and you use Mailchimp to manage your email newsletter, you’re likely wondering if you need to disclose this in your privacy policy (or you might be wondering if you even need to have a privacy policy in the first place).

The answer is YES, a privacy policy containing the correct disclosures is required from both a legal and third-party perspective.

This guide will show you how to create a privacy policy for Mailchimp, and as a bonus, will explain the additional steps you may need to take to ensure that your mailing list and newsletter activities are compliant.

Third-party Requirements

Mailchimp explicitly states in Section 20 of their Terms of Use, that you must be compliant with all applicable laws. This usually means your country’s privacy laws and those of your users’.

You’re responsible for determining whether the Service is suitable for you to use in light of your obligations under any regulations like HIPAA, GLB, EU data privacy laws (including the General Data Protection Regulation) (collectively, “EU Data Privacy Laws”), United States export control laws and regulations and economic sanctions laws and regulations (“U.S. Export Control Laws and Regulations”), or other applicable laws.

The requirements are even more explicit if you’re located in the EEA (including the UK and Switzerland) or have anyone located in these regions on your mailing list:

If you’re located in the European Economic Area, the United Kingdom, or Switzerland (collectively, the “EEA”) and/or distribute Campaigns or other Content through the Service to anyone located in the EEA (each such Member an “EEA Member”) in creating your Campaign distribution list, sending Campaigns via the Service, and/or otherwise collecting information as a result of creating or sending Campaigns, you represent and warrant to Mailchimp that:

  1. You will clearly post, maintain, and abide by a publicly accessible privacy notice on the digital properties from which the underlying data is collected that satisfies the requirements of applicable data protection laws, describes your use of the Service, and includes a link to Mailchimp’s Privacy Policy.
  2. You will get and maintain all necessary permissions and valid consents required to lawfully transfer data to Mailchimp and to enable such data to be lawfully collected, processed, and shared by Mailchimp for the purposes of providing the Service or as otherwise directed by you.
  3. You will comply with all laws and regulations applicable to the Campaigns sent through the Service, including those relating to (a) acquiring consents (where required) to lawfully send Campaigns, (b) the Content of Campaigns, and (c) your Campaign deployment practices.

In addition, if you are an EEA Member, you acknowledge and agree that we have your prior written authorization to respond, at our discretion, to any data subject access requests we receive from your contacts made under EU Data Privacy Laws, or, alternatively, we may direct any such contacts to you so that you can respond to the request accordingly.

Now that we’ve established that Mailchimp requires you to adhere to all applicable law, let’s take a look at the legal requirements below.

Legal Requirements

General privacy requirements

Under most countries’ laws, you’re required to have a valid privacy policy in place. The privacy policy should include accurate and clearly stated details of who is doing the processing and for what purpose. Not doing so can often result in major fines and sanctions.

Consent requirements

Informed Consent

If you fall under the scope of laws such as the GDPR and even Canada’s PIPA, in order to be considered as valid, the consent you collect must meet specific requirements including that of fully and correctly informing your users’ of the purposes, methods, and parties involved in the processing of their data.

Consent Records

Under laws such as the GDPR, if you do not have valid records of the Consents collected, you consents may be considered invalid — in some instances requiring to re-obtain consent. Your consent records should relevant details of the individual consent including method of collection, proofs related to the actual form and the privacy policy active at the time of collection. Read more about records of consent here.

How to Comply

1. Create a privacy policy for Mailchimp

  • Click on Start Generating, select either Website or App and fill in the name, set your language and click the generate button. This will create and take you to your site area. Now, under Privacy and Cookie Policy, click Generate now.
  • Next, Add any service you might be using — be sure to include your own processing activities as well as those of any third parties. In this case, your direct processing activity would be your mailing list, so you’ll need to add the “Mailing List or Newsletter“; since you’re using Mailchimp to handle your mailing list, must also add the “Mailchimp” service. Important: also consider adding “Direct Email Marketing (DEM)” if you monetize your newsletter. Once you’re finished adding all applicable services, click Save & Close.
  • Finally, (if you haven’t already) fill out your website owner and contact details and you’re done!
  • You can then click on the Manage and Embed link near the top of the page to integrate the privacy with your site using one of these available methods. Best practice is to include a link to your privacy policy from your newsletter footer (where it’s easily accessible to subscribers), in addition to the mandatory links on your website.

*All our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up-to-date with the latest legal changes and third-party requirements.

2. Enable Mailchimp’s GDPR fields

Mailchimp has long made available a feature called GDPR fields: GDPR-friendly forms include checkboxes for opt-in consent, and editable sections that explain how and why you are using data. Please note that just enabling GDPR fields on your signup forms does not make you compliant.

Here’s what you have to do:

  • set up your GDPR-friendly signup form (enabling and editing GDPR fields);
  • segment your list based on the marketing permissions you receive from your signup form; and
  • collect valid consent from new and existing contacts.

Visit mailchimp.com/help to learn more about how to use these features.

Caution

Simply having these features enabled does not automatically make you compliant. Remember, consent must be collected in accordance with whichever countries’ law applies to you, and mailing lists must be managed in a compliant way. Some of these requirements depend heavily on how you design your forms and your actual newsletter. For a full overview of what’s required, and visual examples of how you can implement it, read our Email and Newsletter Compliance Guide.

Double Opt-In (optional)

Mailchimp offers two opt-in settings for your lists: single opt-in and double opt-in. While single opt-in only requires that users submit their information in order to be added to your list, double opt-in requires that users first validate their email address before being added to your mailing list. The validation is carried out when users click on a specific link contained in a confirmation message sent to their email address.

Depending on your organization’s needs, you may want to try the double opt-in process, which includes an extra confirmation step that verifies each email address. This method of registration is considered best practice in many countries and might be required in some (e.g. Germany).

You can read Mailchimp’s guide on how to enable double opt-in for your lists here.

3. Sign the Mailchimp DPA

As stated in their terms of use (section 20.5), if you’re located in the EEA (including the UK and Switzerland) or may have anyone located in these regions on your mailing list, you’re required to sign a DPA with Mailchimp.

You will sign and return Mailchimp’s Data Processing Addendum, which sets out your and Mailchimp’s obligations with respect to data protections and security when processing personal information. Once signed, the Data Processing Addendum will form part of and be incorporated into the Agreement. You can access our data processing agreement here, where you will be directed to log in to your account to sign the agreement online.

-Mailchimp Terms of Use

If you fall within the scope of the GDPR (and you likely do), it’s mandatory that you keep valid records of consent. These records should include:

  • who provided the consent;
  • exactly when and how you acquired consent from the individual user;
  • the consent collection form the user was presented with at the time of the collection; and
  • which conditions and legal documents were applicable at the time that the consent was acquired.

This is, of course, a technical challenge.

Our Consent Database simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for individual consents — allowing you to track every aspect of the consent collected.

Simply activate the Consent Database, get the API key, then install via HTTP API or JS widget and you’re done! You’ll be able to retrieve consents at any time and keep them updated.

For more info on the Consent Database, read the Consent Database introduction guide, or, for a practical look at how the solution can be used on a WordPress site, check out our guide on How to use the Consent Database with Contact Form 7.

To get started simply:

Create a privacy policy for Mailchimp

Start generating

See also