Mailchimp & GDPR: Complete Compliance Guide for UK Businesses

Scott Dooley
7 min read · Aug 22, 2022 Last updated: January 4, 2026

Email marketing tools have transformed how we communicate with customers. With automation, segmentation, and analytics, platforms like Mailchimp deliver impressive returns – by some estimates, email marketing generates £36 for every £1 spent.

But these powerful features create compliance obligations under UK GDPR and PECR. Mailchimp processes personal data on US servers, so you need to understand the data transfer rules. How you collect consent, track opens and manage unsubscribes also has legal implications.

This guide covers what UK businesses need to know to use Mailchimp compliantly in 2026.

Mailchimp and International Data Transfers

Mailchimp’s servers are located in the United States. When you add UK contacts to your Mailchimp audience, their personal data is transferred to the US. Under UK GDPR, this is a “restricted transfer” that requires appropriate safeguards.

The UK-US Data Privacy Framework

Good news: Mailchimp is certified under the EU-US Data Privacy Framework, including the UK Extension (the "UK-US data bridge"). UK businesses can therefore transfer personal data to Mailchimp without putting an IDTA or the UK Addendum to the EU SCCs in place, as long as the certification stays active.

You can verify Mailchimp's certification status on the official Data Privacy Framework website. Look for "The Rocket Science Group LLC d/b/a Mailchimp" under Intuit's certification, and keep a dated note of the check, because the data bridge only covers transfers to organisations that are actually on the list at the time you transfer.

The same certification entry covers:

  • EU-US Data Privacy Framework (the UK Extension sits on top of this)
  • Swiss-US Data Privacy Framework

Fallback Protections

If the Data Privacy Framework were ever invalidated (as the CJEU did with Privacy Shield in July 2020), Mailchimp's Data Processing Addendum builds in Standard Contractual Clauses (SCCs) as a backup transfer mechanism. Bear in mind that the EU SCCs on their own are not a valid safeguard for UK transfers: check that the DPA also incorporates the ICO's UK Addendum or an IDTA, otherwise the fallback protects your EEA contacts but not your UK ones.

Signing Mailchimp’s Data Processing Addendum

If you have UK or EEA contacts in your Mailchimp audience, you must have a Data Processing Addendum (DPA) in place with Mailchimp. This is required under Mailchimp's terms of use (section 20.5) and by Article 28 of UK GDPR, which requires a written contract with every processor you use.

The DPA establishes:

  • Mailchimp’s role as your data processor
  • Your obligations as the data controller
  • Security commitments and breach notification procedures
  • Sub-processor arrangements
  • Data transfer safeguards (SCCs)

How to sign the DPA:

  1. Log into your Mailchimp account
  2. Go to Account → Settings → Terms
  3. Review and accept the Data Processing Addendum
  4. Save a copy for your records

The DPA is incorporated into Mailchimp’s standard terms, so accepting it is straightforward. But make sure you actually do it – having a signed DPA is a compliance requirement, not optional.

Consent and PECR Compliance

Under PECR (the Privacy and Electronic Communications Regulations), you need consent to send marketing emails to individuals – with one exception.

The Soft Opt-In Exception

You can email existing customers without explicit consent if all these conditions are met:

  • You collected their email during a sale or sale negotiation
  • You’re only marketing your own similar products or services
  • You gave them a clear opportunity to opt out when collecting their details
  • Every email includes an easy unsubscribe option

The soft opt-in does not apply to charities, political parties, or other not-for-profit organisations.

When You Need Explicit Consent

For everyone else – newsletter subscribers, leads, prospects – you need GDPR-compliant consent:

  • Freely given – Not bundled with other terms
  • Specific – Clear about what they’re signing up for
  • Informed – They know who you are and what you’ll send
  • Unambiguous – An active opt-in, not pre-ticked boxes

Using Mailchimp’s GDPR Forms

Mailchimp offers GDPR-friendly signup forms with consent checkboxes. To enable them:

  1. Go to Audience → Signup forms
  2. Select Form builder
  3. Add GDPR fields to your form
  4. Customise the consent text to accurately describe your marketing

Consider enabling double opt-in for additional protection. While not legally required, double opt-in provides stronger evidence of consent if ever challenged.

B2B Email Rules

Marketing to businesses has different rules:

  • Consent is not required for corporate email addresses (info@company.com)
  • You must still identify yourself and provide contact details
  • You must offer an unsubscribe option

Warning: Personal corporate emails (firstname.lastname@company.com) may be treated as individual subscribers, especially for sole traders and some partnerships. When in doubt, treat them as individuals requiring consent.

Email Tracking and Analytics

Mailchimp tracks email opens and link clicks by default. Open tracking works through a tracking pixel and click tracking through redirect links; the ICO treats both as "similar technologies" to cookies, so PECR applies to them alongside UK GDPR.

What Mailchimp Tracks

  • Open tracking – A tiny invisible image loads when the email is opened
  • Click tracking – Links are redirected through Mailchimp’s servers
  • Location data – Approximate location based on IP address
  • Device information – Email client and device type

Compliance Considerations

This tracking is usually justified as legitimate interests processing under UK GDPR: you have a genuine business reason to measure campaign performance, and subscribers would reasonably expect it. That settles the UK GDPR question only. PECR regulation 6, which governs storing or accessing information on a subscriber's device, applies to tracking pixels in the same way as to cookies, and the ICO's guidance on storage and access technologies covers email pixels explicitly, with narrow exemptions. Whatever basis you settle on:

  • Disclose tracking in your privacy policy
  • Explain what data you collect and why
  • Consider whether extensive profiling (for example, scoring or segmenting contacts on their opens and clicks) crosses into requiring consent

If you want to be particularly privacy-conscious, you can disable open tracking in individual campaigns (Campaign → Settings → Tracking). Some organisations disable tracking entirely for sensitive communications.

Compliance Checklist

Before You Start

  • Sign Mailchimp’s Data Processing Addendum
  • Verify Mailchimp’s DPF certification status
  • Update your privacy policy to mention Mailchimp and US data transfers
  • Enable GDPR signup forms with appropriate consent checkboxes
  • Consider enabling double opt-in
  • Train team members on consent requirements and data subject rights

Ongoing Requirements

  • Ensure every email has a working, visible unsubscribe link
  • Test unsubscribe links regularly: Gmail clips messages larger than about 102 KB and hides the rest, footer included, behind a "View entire message" link. Also check that the List-Unsubscribe and List-Unsubscribe-Post headers (RFC 8058 one-click unsubscribe, which Gmail and Yahoo require from bulk senders) are present in the delivered message
  • Include your identity and contact details in every email
  • Link to your privacy policy in email footers
  • Keep consent records up to date (date and time, the exact wording shown, the form or source it came from, and the double opt-in confirmation where used)
  • Respond to data subject requests promptly (access, deletion, etc.)
  • Review user access regularly, remove leavers promptly, and turn on two-factor authentication for every account that can view or export subscriber data
  • Only collect data you actually need (data minimisation)

Common Mistakes to Avoid

  • Giving agency staff full Admin access when they only need content editing (Mailchimp's Viewer, Author and Manager levels exist for this; pick the lowest that covers the work)
  • Importing purchased email lists without proper consent
  • Using pre-ticked consent boxes
  • Bundling marketing consent with terms of service
  • Forgetting to update consent records when purposes change

Handling Data Subject Requests

Your subscribers have rights under UK GDPR. Here’s how to handle them in Mailchimp:

Right to access: Export the subscriber’s profile and activity data from Audience → All contacts → [Contact] → Export data

Right to erasure: Permanently delete the contact from your audience. Archiving is not enough, because an archived contact's data is retained and the contact can be restored. A permanent delete removes all historical data, and Mailchimp will not let that address be re-imported afterwards; the person has to sign up again through a form if they ever want to return.

Right to rectification: Update subscriber details directly in their contact profile.

Right to object: Unsubscribe them from marketing. You can keep them in your audience for transactional emails if applicable.

Train your team to recognise these requests (they arrive by reply email, social media and the unsubscribe form as often as by formal letter) and respond within one month of receipt. UK GDPR allows up to two further months for complex or numerous requests, but only if you tell the person why within the first month.
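For teams that handle requests through the Mailchimp Marketing API rather than the web UI, the four actions above map onto a handful of endpoints. The module below is an added example written for this guide, not Mailchimp's own client: it prepares each call as a request object that can be reviewed and logged before anything is sent, and computes the one-month response deadline. It assumes the v3 endpoint paths and the basic-auth scheme from Mailchimp's public API reference (member lookup by MD5 of the lower-cased address, `DELETE` on a member archives while `actions/delete-permanent` erases, and any username with the API key as password); the data-centre prefix `us21` and the list id are placeholders.

```python
"""Subject-rights actions against the Mailchimp Marketing API (v3),
prepared as request objects so they can be reviewed and logged first.
Added example for this guide, not Mailchimp's own client."""
import base64
import calendar
import hashlib
import json
import urllib.request
from dataclasses import dataclass
from datetime import date
from typing import List, Optional


@dataclass(frozen=True)
class ApiRequest:
    method: str
    url: str
    body: Optional[dict] = None


def subscriber_hash(email_addr: str) -> str:
    # Mailchimp addresses a member by the MD5 of the lower-cased email.
    # It is a lookup key, not a security control, so MD5 is fine here.
    return hashlib.md5(email_addr.strip().lower().encode("utf-8")).hexdigest()


def response_deadline(received_iso: str) -> str:
    """UK GDPR Art. 12(3): one calendar month from receipt.  If the next
    month has no matching day, the deadline is that month's last day."""
    received = date.fromisoformat(received_iso)
    year, month = received.year, received.month + 1
    if month == 13:
        year, month = year + 1, 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(received.day, last_day)).isoformat()


class SubjectRights:
    def __init__(self, dc: str, list_id: str) -> None:
        # dc is the data-centre suffix of your API key, e.g. "us21" (placeholder)
        self.base = f"https://{dc}.api.mailchimp.com/3.0/lists/{list_id}/members"

    def _member(self, email_addr: str) -> str:
        return f"{self.base}/{subscriber_hash(email_addr)}"

    def access(self, email_addr: str) -> List[ApiRequest]:
        """Right of access: the profile plus the activity history."""
        m = self._member(email_addr)
        return [ApiRequest("GET", m), ApiRequest("GET", m + "/activity")]

    def rectify(self, email_addr: str, merge_fields: dict) -> ApiRequest:
        return ApiRequest("PATCH", self._member(email_addr),
                          {"merge_fields": merge_fields})

    def object_to_marketing(self, email_addr: str) -> ApiRequest:
        # Unsubscribe rather than delete: the record stays, so transactional
        # mail and the suppression itself keep working.
        return ApiRequest("PATCH", self._member(email_addr),
                          {"status": "unsubscribed"})

    def erase(self, email_addr: str) -> ApiRequest:
        # DELETE on the member URL only archives; delete-permanent is erasure.
        return ApiRequest("POST", self._member(email_addr) + "/actions/delete-permanent")


def send(req: ApiRequest, api_key: str) -> dict:
    """Execute a prepared request.  Network call; not exercised in the demo."""
    data = json.dumps(req.body).encode() if req.body is not None else None
    token = base64.b64encode(f"anystring:{api_key}".encode()).decode()
    http = urllib.request.Request(
        req.url, data=data, method=req.method,
        headers={"Authorization": f"Basic {token}",
                 "Content-Type": "application/json"})
    with urllib.request.urlopen(http, timeout=30) as resp:
        raw = resp.read()
    return json.loads(raw) if raw else {}   # delete-permanent returns 204, no body


if __name__ == "__main__":
    sr = SubjectRights("us21", "abc123def4")          # placeholder values
    for r in sr.access("Alice.Smith@example.org"):     # constructed address
        print(r.method, r.url)
    print("deadline for a request received 2026-01-31:", response_deadline("2026-01-31"))
```

Keep the API key in an environment variable or secrets manager rather than in the script: Mailchimp API keys are account-wide, so a leaked key exposes every audience, and the key should be rotated when the person who created it leaves.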

Alternatives to Mailchimp

If you prefer to avoid US data transfers entirely, several email marketing platforms host data within the UK or EU:

  • Brevo (formerly Sendinblue) – Servers in the European Union
  • Mailjet – Servers in Germany and Belgium
  • EmailOctopus – EU servers, with option to disable email tracking
  • Encharge – Servers in Ireland

The right choice depends on your features needs, budget, and risk appetite. Mailchimp’s DPF certification means it can be used compliantly – but some organisations prefer the simplicity of EU-based providers.

Key Takeaways

  • Mailchimp is certified under the UK-US data bridge (the UK Extension to the EU-US DPF) – transfers are lawful while that certification stands
  • You must sign the Data Processing Addendum if you have UK/EEA contacts
  • Get proper consent for marketing emails (unless soft opt-in applies)
  • Disclose email tracking in your privacy policy
  • Every email needs a working unsubscribe link and your identity
  • Train your team on handling data subject requests

A Note on This Guide

This article provides general information about using Mailchimp in compliance with UK GDPR and PECR. It does not constitute legal advice. Data protection requirements vary based on your specific business activities and the nature of data collected. For complex situations, consider seeking professional legal advice.

Author

  • Scott Dooley is a seasoned entrepreneur and data protection expert with over 15 years of experience in the tech industry. As the founder of Measured Collective and Kahunam, Scott has dedicated his career to helping businesses navigate the complex landscape of data privacy and GDPR compliance.

    With a background in marketing and web development, Scott brings a unique perspective to data protection issues, understanding both the technical and business implications of privacy regulations. His expertise spans from cookie compliance to implementing privacy-by-design principles in software development.

    Scott is passionate about demystifying GDPR and making data protection accessible to businesses of all sizes. Through his blog, he shares practical insights, best practices, and the latest developments in data privacy law, helping readers stay informed and compliant in an ever-changing regulatory environment.