Mailchimp & GDPR: What you need to know to be GDPR & PECR compliant


Email marketing tools have improved the way we communicate with customers. Not only can we send regular newsletters, we can also use marketing automation features to send communications to customers based on their interactions with our websites and apps. 

These emails can engage customers and lead to sales, and do all this in a cost-efficient way. Compared to other channels, the return on investment with email is almost unbeatable, reaching 36x by some estimates (Litmus). So it’s no surprise that for many marketers building email marketing into their marketing strategy is a no brainer. 

However, marketers should be aware that using these tools and their features can cause a legal compliance headache when it comes to data privacy laws like GDPR because of the sheer volume of personal data and data transfers required to make these campaigns work.

One such tool that offers great features but comes with its own fair share of compliance challenges is Mailchimp. It’s one of the most popular tools on the market, making up roughly 74% of the email marketing tool market.

But popularity does not correlate with compliance. Out of the box, it’s not fully GDPR compliant.

That’s why we’ve made this handy guide to Mailchimp GDPR compliance for companies marketing to customers who are based in the UK and the European Economic Area (EEA). As email marketing to customers falls under the definition of direct marketing, we will also cover PECR & E-privacy.

This guide is split into three sections:

  • What recent GDPR changes mean for email marketing tools.
  • How Mailchimp processes users’ data and why this can cause conflicts with GDPR and other data privacy laws.
  • What action points you can do to keep your email marketing compliant with GDPR & PECR when using Mailchimp.

What GDPR changes mean for email marketing tools like Mailchimp

A major update to GDPR in 2020 impacted the way that personal data of EEA citizens can be processed in the US. This change impacted any data transfers which you may have been making by using a CRM or email marketing tool that hosts data on US servers.

Previously, GDPR allowed for a legal mechanism called the EU-US Privacy Shield to make transfers of personal data between the EU and the US. This agreement between the two regions set out standards for data protection and made assurances that each side would protect the personal data that was being transferred.

The aim of the agreement was to facilitate trade between the two regions. It worked because it was simple for companies to implement: they only had to register with the EU-US Privacy Shield scheme and/or check that the suppliers they were using had registered.

The validity of this scheme changed when Max Schrems, a lawyer and privacy rights activist, brought a complaint against Facebook Ireland to the Court of Justice of the European Union (CJEU) to prohibit the transfer of his data. This case is known as ‘Schrems II’. In the case Mr Schrems outlined that Facebook Ireland’s servers are located in the US and that by transferring Mr Schrems’s personal data to the US, it would be subject to US surveillance laws.

US surveillance laws would be a major issue in respect of GDPR because they effectively allowed unfettered access to the personal data of non-US citizens stored in the US.

Facebook Ireland argued that the EU-US Privacy Shield meant that this data transfer was lawful; however, the ECJ disagreed that it was sufficient. They found that US surveillance laws meant the data subject (in this case Max Schrems) would have no:

  • actionable rights before the courts against US authorities;
  • ability to access, rectify or erase their personal data.

in relation to the potential processing of his personal data by US security agencies.

The Privacy Shield was therefore not able to ensure a level of protection in the US that was equivalent to that under the GDPR. So the ECJ ruled that the Privacy Shield was invalid. 

This ruling is problematic for users of many digital marketing tools such as Mailchimp, because many of these tools store their data on US servers. 

Prior to this ruling, many of these tools relied on the EU-US privacy shield in order to facilitate data transfers.

Now, companies wishing to continue making these transfers have had to find another legal mechanism. 

In many situations the most convenient alternative transfer mechanism for data transfers in/out of the US has become Standard Contractual Clauses (SCCs).

What exactly are Standard Contractual Clauses?

SCCs are contractual terms and conditions agreed between the sender and the receiver of the personal data. They include what obligations both sides have to protect personal data when it leaves the UK or EEA, and how this meets the standards of GDPR. These contracts must be signed by both parties and kept up to date. Ideally they are checked by a legal advisor.

In practice this would look something like this:

‘Company A’ uses the US-based SaaS product ‘Email Toolio’ to send marketing emails to their UK customers. 

  • The sender is Company A as they are providing the personal data.
  • The receiver is ‘Email Toolio’. Companies use Email Toolio’s service to send email marketing to users and to do this Email Toolio processes user data on their US based servers.

Company A has a valid SCC in place with Email Toolio. This means that even when the personal data leaves the EEA to be processed in the US, the personal data still has GDPR equivalent protections at all times.

Company A has met their legal obligations under GDPR and the Schrems II ruling and so they can continue to use Email Toolio.

This appears to be a simple enough solution, but, as we’ll explore next in this article, further legal developments mean you cannot always rely on SCCs (at least in their initial form), especially when using Mailchimp.

Where does Mailchimp process your users’ data?

Mailchimp’s servers are located in the United States. They also use third-party vendors or ‘sub processors’ who are also US based. 

This means that SCCs or another legal mechanism should be in place for EEA or UK based companies that wish to use Mailchimp to process the personal data of EEA or UK based people – for example sending the name and email address of a customer in the UK to Mailchimp in order to send them a monthly newsletter. 

Sounds straightforward enough, right? Just get the SCCs signed… well it’s not that simple. 

The Schrems II judgement also cast doubt over the validity of SCCs as an alternative method to facilitate data transfers between the EEA and US. In their judgement they concluded that SCCs could work, but they would need further work to be legally valid.

“Since by their inherently contractual nature standard data protection clauses cannot bind the public authorities of third countries…” (Judgement, paragraph 132)

“In that regard, as the Advocate General stated in point 126 of his Opinion, the contractual mechanism provided for in Article 46(2)(c) of the GDPR is based on the responsibility of the controller or his or her subcontractor established in the European Union and, in the alternative, of the competent supervisory authority. It is, therefore, above all, for that controller or processor to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data, whether the law of the third country of destination ensures adequate protection, under EU law, of personal data transferred pursuant to standard data protection clauses, by providing, where necessary, additional safeguards to those offered by those clauses. (Judgement, paragraph 134)

Where the controller or a processor established in the European Union is not able to take adequate additional measures to guarantee such protection, the controller or processor or, failing that, the competent supervisory authority, are required to suspend or end the transfer of personal data to the third country concerned. That is the case, in particular, where the law of that third country imposes on the recipient of personal data from the European Union obligations which are contrary to those clauses and are, therefore, capable of impinging on the contractual guarantee of an adequate level of protection against access by the public authorities of that third country to that data.” (Judgement, paragraph 135)

Judgment of the Court (Grand Chamber) of 16 July 2020, EU.
Data Protection Commissioner v Facebook Ireland Limited and Maximillian Schrems.

Since then, revised SCC templates and guidance have been drafted but not yet formalised. 

This has left EEA-US and UK-US data transfers in a grey area.

Many regulatory authorities, such as the ICO, have stopped short of calling for a total ban on EU-US or UK-US data transfers until the issue is resolved.

However, other regulatory authorities in Europe have taken a tougher stance, and Mailchimp specifically has been the subject of a high profile complaint, which we’ll talk about below.

Why did a German company face a GDPR complaint for using Mailchimp?

A Munich-based fashion company used Mailchimp to send two newsletters to their users. The company had implemented an SCC but as we outlined above, there is further work needed to make sure that SCCs can be upheld.

In this case, the BayLDA assessed that Mailchimp could qualify as an “electronic communication service provider” under U.S. surveillance law (i.e. FISA 702). Despite the personal data (in this case email addresses) being “relatively manageable in sensitivity”, the Munich company had not put additional safeguards in place.

This meant that the users who received the newsletter would not have the equivalent GDPR protections so the use of Mailchimp was unlawful.

The company did not face fines from the BayLDA as it complied fully and said it would immediately stop using Mailchimp. Read more about the ruling here

Should marketing teams avoid using Mailchimp?

The question is whether you can make sure you have safeguards in place to use Mailchimp, or whether you want to save yourself the hassle by using an EEA-based provider.

Controllers can carry out an assessment to decide whether they want to continue using Mailchimp/US-based processors. In any case, they will need to fulfill the requirements laid down by the BayLDA.

Here are the three key questions that data controllers should ask when doing an internal audit of Mailchimp, or any other US-based email marketing tool:

  1. Are there alternatives that can be used instead? (Note: in the last section we’ll set out some Mailchimp alternatives.)
  2. If no equivalent alternative can be found, is all the reasoning documented, e.g. the risks to data from switching to a new processor, the level of sensitivity of the data, and the possible consequences for the data subjects if their data were accessed by US surveillance teams? For example, a political party’s marketing newsletter would be high risk as it may give insights into users’ political views.
  3. Is your team aware of the user agreement with Mailchimp and how it protects personal data, and is this documented?

What steps you need to take to make your Mailchimp GDPR compliant

Before using Mailchimp

You will need to:

  • Make sure you have policies and documentation updated including:
    • Privacy policy.
    • Cookie policy.
    • Data Protection Impact Assessment (DPIA).
  • Determine a transfer mechanism (likely SCCs; see more on transfer mechanisms here)
    • As Mailchimp is a U.S. cloud service provider, they can be served with compulsory information requests, e.g. U.S. government intelligence gathering under EO 12333. Encryption or agreements with sub-processors do not make Mailchimp exempt.
    • All companies using Mailchimp with EEA customers will need to meet all SCC requirements and have documentation of this compliance.
  • Set up opt-in consent if required; this can be done using the GDPR field in Mailchimp where a user checks their consent. Remember that:
    • All EU/UK direct marketing contacts must give consent to receive email marketing messages unless a PECR soft-opt-in exception applies.
    • Consent must be specific, freely-given and informed.
    • Consent must be attributed to the user.
    • You must be able to evidence consent if requested by a supervisory authority like the ICO.
  • Limit access to those managing contacts and provide staff with training. All team members should know how to deal with ‘right to delete’ requests and how to flag data breaches.

When using Mailchimp

You will need to ensure:

  • If you are relying on consent, the consent must be managed and recorded:
    • Fields for consent must be kept up to date.
      • Date and time of last consent.
      • What exactly was consented to.
    • Unsubscribe links are clear and not clipped when the email is sent (a common Mailchimp issue when sending emails to Gmail accounts).
    • Unsubscribe links are tested and working.
  • Ensure that every email or communication to the subscriber has a link to your privacy policy, an option to opt out, and the reason why the user is receiving the email.
    • All of this can be automated on Mailchimp, but it is up to you to keep it up to date.
  • Stored data is kept clean:
    • You should not store more user data than is reasonably required to fulfill your processing. This will help you comply with the proportionality principle of GDPR.
    • Data should be kept up to date and accurate.
  • Team members working with customer data and/or sending email campaigns are trained on DPA18 (UK-GDPR), EU GDPR and PECR.
    • Training is logged and refresher training is completed regularly.
  • User access to Mailchimp is regularly reviewed.
    • Mailchimp will be storing personal information, therefore only people who require access to this personal information to complete their role should have access to this information.
      • A common mistake we see is where our consulting clients will assign full access to marketing agency staff in order for them to send and manage email marketing campaigns. This is usually unnecessary, particularly if the agency staff are only creating email templates and adding content to emails.
      • The more you reduce access to personal information, the more you reduce your risk of data breaches and the more likely you are to comply with the proportionality principle of GDPR.

What steps you need to take to make your Mailchimp campaigns PECR compliant

PECR is the UK’s implementation of the e-privacy Directive. It outlines specific rules on when and how direct marketing communications, such as emails, can be sent and provides rules on the use of cookies and tracking technologies amongst other things. 

If you are sending marketing communications via Mailchimp to UK based people then you will likely need to comply with PECR.

There are different rules based on whether the recipient of the marketing communications is considered an individual or a business.

Here we outline the requirements for B2C and B2B emails.

For marketing emails to individuals:

  • Consent must be given
  • Organisations must not disguise or conceal their identity in any marketing texts or emails, and must provide a valid contact address for individuals to opt out or unsubscribe 
  • Organisations still need consent even if they do not send the messages themselves, but instead instigate others to send or forward them

For marketing emails to businesses:

  • Consent is not required
  • The sender must identify itself and provide contact details
  • Warning: employees with personal corporate email addresses (e.g. firstname.lastname@org.co.uk) may be considered an “individual” if they are sole traders or in some partnerships which are treated as individuals

For existing customers, you can send marketing messages under the soft opt-in specified in PECR. However, all of the following rules must be met:

  • the customer’s contact details were obtained in the course of a sale (or negotiations for a sale) of a product or service
  • the organisation is only marketing their own similar products or services
  • the customer has a simple opportunity to refuse or opt out of the marketing, both when they obtained the contact details and in every message after that

Remember that soft opt-in is NOT applicable to charities, political parties, or other not-for-profit bodies.
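As an added example (not code from the article or from Mailchimp), the following Python pre-send check applies the B2C, B2B and soft opt-in rules above to a contact record that carries the date, scope and evidence fields the “When using Mailchimp” section says must be kept up to date. The class and field names are assumptions made for illustration, and the sample records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional, Tuple

@dataclass
class Contact:
    """A marketing contact with the consent fields the article says must be kept up to date."""
    email: str
    recipient_type: str                          # "individual" (B2C) or "business" (B2B)
    consent_given: bool = False
    consent_at: Optional[datetime] = None        # date and time of last consent
    consent_scope: str = ""                      # what exactly was consented to
    consent_evidence: str = ""                   # e.g. form id or Mailchimp GDPR field, to evidence consent
    obtained_during_sale: bool = False           # soft opt-in: details obtained in a sale or negotiation
    opt_out_offered_at_collection: bool = False  # soft opt-in: chance to refuse when details were taken

@dataclass
class Campaign:
    scope: str                  # purpose of the message, matched against Contact.consent_scope
    own_similar_products: bool  # soft opt-in: only the sender's own similar products or services
    sender_identified: bool     # PECR: sender identity not disguised or concealed
    has_opt_out: bool           # PECR: valid opt-out/unsubscribe in every message
    sender_is_nonprofit: bool   # charities, political parties etc. cannot use soft opt-in

def may_send(contact: Contact, campaign: Campaign) -> Tuple[bool, str]:
    """Return (allowed, reason) by applying the PECR rules set out in the article."""
    # Requirements that apply to every marketing email, B2C or B2B.
    if not campaign.sender_identified:
        return False, "sender identity must not be concealed"
    if not campaign.has_opt_out:
        return False, "every message must carry a valid opt-out"
    if contact.recipient_type == "business":
        return True, "b2b: consent not required"
    # B2C route 1: specific, recorded and evidenced consent matching this campaign's purpose.
    if (contact.consent_given and contact.consent_at is not None
            and contact.consent_scope == campaign.scope and contact.consent_evidence):
        return True, "consent recorded " + contact.consent_at.isoformat()
    # B2C route 2: soft opt-in, only for eligible senders and only if every condition holds.
    if campaign.sender_is_nonprofit:
        return False, "soft opt-in is not available to not-for-profit bodies"
    if (contact.obtained_during_sale and campaign.own_similar_products
            and contact.opt_out_offered_at_collection):
        return True, "soft opt-in: existing customer"
    return False, "no consent and soft opt-in conditions not met"

# Constructed sample records (not real people or campaigns).
NEWSLETTER = Campaign("monthly-newsletter", True, True, True, False)
SUBSCRIBER = Contact("a@example.com", "individual", True, datetime(2021, 5, 3, 9, 15, tzinfo=timezone.utc),
                     "monthly-newsletter", "signup-form-v2")
PAST_CUSTOMER = Contact("b@example.com", "individual", obtained_during_sale=True, opt_out_offered_at_collection=True)
```

Running the check before every campaign send, and logging the returned reason beside the contact, gives you the consent evidence trail a supervisory authority may ask for.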

Are there any alternatives to Mailchimp? 

Yes, there are many email marketing tools that you can use as alternatives to Mailchimp. You can choose tools that have UK or European based servers, including:

The choice will depend on your company’s needs, where your customers are based, and how comfortable your team is in using the tool.

You should not feel limited or that you need to avoid using tools. Checking that tools meet your data compliance needs helps your organisation. We’re big fans of internal audits as they not only support you in meeting data regulatory requirements but they are best practice when it comes to checking that the tools you’ve chosen are fit for purpose.