
General Data Protection Regulation FAQs

If your business is based in the European Union (EU), or you process the personal data of EU citizens, the General Data Protection Regulation (GDPR) affects you.

In this article, we'll answer common questions about Mailchimp and the GDPR.

Note

Mailchimp offers tools and information as a resource, but we don’t offer legal advice. We recommend you contact your legal counsel to find out how the GDPR affects you.

Double opt-in

Do I need to use double opt-in?

We recommend you enable double opt-in if you are subject to data protection laws that require it.

Double opt-in includes an extra confirmation step that verifies each email address. This confirmation provides additional evidence of consent.

How can I see who signed up using double opt-in?

Export your audience and review the OPTIN_TIME and CONFIRM_TIME fields in your exported CSV file.

OPTIN_TIME: The time a contact submitted your signup form, if they used it to sign up.

CONFIRM_TIME: The date and time the contact clicked the link in the opt-in confirmation email.

If the values of the OPTIN_TIME and CONFIRM_TIME fields are different, it is likely the contact signed up using double opt-in.

If you’ve combined multiple audiences using the built-in combine audiences tool, the OPTIN_TIME field won't be included in your exported file. You won’t be able to verify the opt-in status of contacts.
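The comparison described above can be run over a whole export at once. The script below is an added example, not Mailchimp code: the "Email Address" header, the timestamp layout, and the sample rows are constructed assumptions, and only the OPTIN_TIME and CONFIRM_TIME column names come from this article. It also stops with an error when OPTIN_TIME is missing, as happens with combined audiences.

```python
import csv
import io

# Constructed sample export. The "Email Address" header and the timestamp
# layout are assumptions; only OPTIN_TIME / CONFIRM_TIME come from the article.
SAMPLE_EXPORT = """Email Address,OPTIN_TIME,CONFIRM_TIME
a@example.com,2024-03-01 10:15:02,2024-03-01 10:22:47
b@example.com,2024-03-02 08:00:00,2024-03-02 08:00:00
c@example.com,,2024-03-05 12:30:00
d@example.com,2024-03-06 09:00:00,
"""

REQUIRED = ("OPTIN_TIME", "CONFIRM_TIME")


def classify(row):
    """Label one exported row by comparing its two consent timestamps."""
    optin = (row.get("OPTIN_TIME") or "").strip()
    confirm = (row.get("CONFIRM_TIME") or "").strip()
    if not optin:
        # No signup-form submission time was recorded for this contact.
        return "no_optin_time"
    if not confirm:
        return "no_confirm_time"
    # Different values: the contact likely signed up using double opt-in.
    return "likely_double_opt_in" if optin != confirm else "same_timestamps"


def audit_export(fileobj, email_column="Email Address"):
    """Return {email: label} for every row of an audience export."""
    reader = csv.DictReader(fileobj)
    missing = [c for c in REQUIRED if c not in (reader.fieldnames or [])]
    if missing:
        # Combined audiences drop OPTIN_TIME, so opt-in status is unverifiable.
        raise ValueError("export lacks column(s): " + ", ".join(missing))
    return {row.get(email_column, ""): classify(row) for row in reader}


if __name__ == "__main__":
    for email, label in audit_export(io.StringIO(SAMPLE_EXPORT)).items():
        print(f"{email}\t{label}")
```
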

Imports and exports

Can I import contacts who have given consent outside of Mailchimp?

Yes. If you have GDPR-friendly forms enabled for an audience, you can import contacts who have given GDPR-friendly consent for marketing permissions.

Format Guidelines for Your Import File

Can I view marketing permissions in an audience export?

Yes. If you export a GDPR-enabled audience, one CSV file header will match the GDPR form field label in your segments. This field will display each marketing permission the contact has opted-in to.

Deleting contacts

How do I fully delete a contact's data?

Choose the Remove contact option from the Actions menu on the profile page, then choose Permanently delete. To delete more than one contact at the same time, navigate to the contact table to choose each contact you want to delete. Then, click the three vertical dots to choose Delete contacts for steps to permanently delete your contacts. For step-by-step instructions on this process, read Delete Contacts.

This action permanently removes all of a contact’s personal information and anonymizes their data in your reports. After you delete a contact, you won’t be able to add them back to your audience.

If one of your contacts asks us to remove their data from every account in Mailchimp, we'll notify you with an email. You are required to consider whether you have a legal obligation to respond to and address this individual's deletion request in accordance with your obligations under applicable laws.

Signup forms

Can I translate GDPR fields in Mailchimp's signup forms?

You can translate any GDPR field except the Privacy Policy and Terms field. You can also translate other parts of your signup form. For more information, check out Translate Signup Forms.

Can I edit the Privacy Policy and Terms field in my form?

No. The Privacy Policy and Terms field lets your contacts know that you’ll be storing their info in your Mailchimp account. A link to our Global Privacy Statement and Terms is included.

Can I make the Options field on GDPR forms required?

Yes. When you edit the fields on your GDPR-friendly form, check the box next to Require at least one option. If this is enabled for your form, a contact must select at least one marketing permission checkbox before they can submit the form. We suggest making any field related to email marketing a required field or enabling double opt-in. We recommend this so that the contact can’t submit the form and get added as a Subscribed contact to your audience without selecting how they would like to hear from you.

API

Are GDPR tools available in the Marketing API?

Yes. We've added marketing_permissions as a field with a boolean value, so you can enable GDPR fields and sync contact marketing permissions using the Marketing API. To learn more about managing your audience with the Mailchimp Marketing API, check out our API documentation.

To comply with requests to fully delete data, you can also permanently delete contacts using the Marketing API. After a contact is permanently deleted, they cannot be re-imported.

Integrations

What if I transfer data from a site or e-commerce store to my Mailchimp account?

You are responsible for determining whether other third-party applications, including integrations and e-commerce stores, meet GDPR requirements.

If you rely on consent to process subscribers' personal data, double check whether the consent that you previously obtained meets the GDPR's standards. For example, check third-party integrations to be sure they don't automatically add people to your Mailchimp audience without an opt-in checkbox that clearly states how you'll use that person's data. You should also review the terms associated with any Mailchimp add-ons or third-party integrations you use.
