Mailchimp & GDPR: What you need to know to improve GDPR & PECR compliance

Email marketing tools have improved the way we communicate with customers. Not only can we send regular newsletters, we can also use marketing automation features to send communications to customers based on their interactions with our websites and apps. 

These emails can engage customers and lead to sales, and do all this in a cost-efficient way. Compared to other channels, the return on investment with email is almost unbeatable, reaching 36x by some estimates (Litmus). So it’s no surprise that for many marketers building email marketing into their marketing strategy is a no brainer. 

However, marketers should be aware that using these tools and their features can cause a legal compliance headache when it comes to data privacy laws like GDPR because of the sheer volume of personal data and data transfers required to make these campaigns work.

One such tool that offers great features but comes with it’s own fair share of compliance challenges is Mailchimp.It’s one of the most popular tools on the market, making up roughly 74% of the email marketing tool market.

But popularity does not correlate with compliance. Out of the box, it’s not fully GDPR compliant.

That’s why we’ve made this handy guide to Mailchimp GDPR compliance for companies marketing to customers who are based in the UK and the European Economic Area (EEA). As email marketing to customers falls under the definition of direct marketing, we will also cover PECR & E-privacy.

This guide is split into three sections:

  • What recent GDPR changes mean for email marketing tools.
  • How Mailchimp processes users’ data and why this can cause conflicts with GDPR and other data privacy laws.
  • What action points you can do to keep your email marketing compliant with GDPR & PECR when using Mailchimp.

What the invalidation of the EU-US Privacy Shield mean for email marketing tools like Mailchimp

A major update to GDPR in 2020 impacted the way that personal data of EEA citizens can be processed in the US. This change impacted any data transfers which you may have been making by using a CRM or email marketing tool that hosts data on US servers.

Previously, GDPR allowed for a legal mechanism called the EU-US Privacy Shield to make transfers of personal data between the EU and the US. This agreement between the two regions, set out standards for data protection and made assurances that each side would protect the personal data that was being transferred.

The aim of the agreement was to facilitate trade between the two regions. It worked because it was simple for companies to implement, they simply had to register with the EU-US Privacy Shield scheme and/or check that the suppliers they were using had registered.

The validity of this scheme changed when Max Schrems, a lawyer and privacy rights activist brought a complaint against Facebook Ireland to the Court of Justice of the European Union (CJEU) to prohibit transferring his data. This case is known as ‘Schrems II’. In the case Mr Schrems outlined that Facebook Ireland’s servers are located in the US and that by transferring Mr Schrems’s personal data to the US, it would be subject to US surveillance laws.

US surveillance laws would be a major issue in respect of GDPR because they effectively allowed unfettered access to the personal data of non-US citizens – stored in the US.

Facebook Ireland argued that the EU-US Privacy Shield meant that this data transfer was lawful, however the ECJ disagreed that it was sufficient. They found that US surveillance laws meant the data subject (in this case Max Schrems) would have no:

  • actionable rights before the courts against US authorities;
  • ability to access, rectify or erase their personal data.

in relation to the potential processing of his personal data by US security agencies.

The Privacy Shield was therefore not able to ensure a level of protection in the US that was equivalent to that under the GDPR. So the ECJ ruled that the Privacy Shield was invalid. 

This ruling is problematic for users of many digital marketing tools such as Mailchimp, because many of these tools store their data on US servers. Prior to this ruling, many of these tools relied on the EU-US privacy shield in order to facilitate data transfers.

Since it was invalidated, companies based in the UK and EEA wishing to continue making these transfers have had to find another legal mechanism. 

In many situations the most convenient alternative transfer mechanism for data transfers in/out of the US has become the IDTA (International data transfer agreement) or the SCC (Standard Contractual Clauses) .

Sidenote: The IDTA has replaced SCCs (Standard Contractual Clauses) within the UK. Standard contract clauses were similar but are now in the process of being phased out by the UK Government and the ICO.

What exactly is an IDTA?

The IDTA is essentially a contractual set of terms and conditions agreed between the sender and the receiver of the personal data. They include what obligations both sides have to protect personal data when it leaves the UK or EEA, and how this meets the standards of GDPR. These contracts must be signed by both parties and kept up to date.

Ideally they are checked by a legal advisor. Additionally third-party auditing may be appropriate to ensure that the proposed protective methods set out in the IDTA are actually being delivered.

In practice setting up an IDTA would look something like this:

‘Company A’ uses US based SAAS product ‘Email Toolio’ to send marketing emails to their UK customers. 

  • The sender is Company A as they are providing the personal data.
  • The receiver is ‘Email Toolio’. Companies use Email Toolio’s service to send email marketing to users and to do this Email Toolio processes user data on their US based servers.

Company A setups an IDTA with Email Toolio. Both parties sign the document and it is kept for review at a later date. Now if the IDTA is followed in theory it means that even when the personal data leaves the UK to be processed in the US, the personal data still has UK GDPR similar protections at all times.

Company A has met their obligations for restricted data transfers under UK GDPR and so they can continue to use Email Toolio.

What recent changes enable easier data transfers from the UK to the US?

A new data transfer framework called the UK-US Data Privacy Framework (DPF) came into effect on October 12, 2023. This allows qualifying US organisations to transfer personal data between the US-UK under a new certification called the “UK Extension”.

UK businesses can transfer data to US organisations certified under the UK Extension without needing additional transfer safeguards like SCCs or IDTAs. However, the US organisation must be certified under the DPF “UK Extension” requirements.

The DPF sets out specific data protection principles that certified US organisations must comply with when handling UK personal data. Key facts about the DPF UK Extension:

  • US organisations under FTC or DoT jurisdiction can participate.
  • Journalistic personal data is exempt.
  • Special category/sensitive personal data can be transferred but must be properly identified.
  • Before transferring data, UK senders must verify the certification status and data coverage of the US recipient organisation.
  • If the UK Extension does not apply, pre-existing transfer mechanisms like SCCs/IDTAs or Article 49 derogations may be required.

Does Mailchimp have the DPF UK Extension?

At the time of updating this article it would appear they do not. We do recommend checking their privacy docs though as we can expect they would be in the process of gaining this certification.

Where does Mailchimp process your users’ data?

Mailchimp’s servers are located in the United States. They also use US-based third party sub-processors. This means companies using Mailchimp to process UK user data will need to check if Mailchimp is certified under the new DPF UK Extension.

If Mailchimp is not DPF UK Extension certified, existing transfer mechanisms like SCCs/IDTAs would still be required for compliance when transferring UK user data to Mailchimp.

Should marketing teams avoid using Mailchimp?

The question is can you make sure you have safeguards in place to use Mailchimp, or do you want to save yourself the hassle by using an EEA-based provider?

Controllers can carry out an assessment to decide whether they want to continue using Mailchimp/US-based processors. In any case, they will need to fulfil the requirements laid down by GDPR when it comes to Restricted Transfers – which in practice means using an approved transfer mechanism or getting SCCs into place.

Here are the three key questions that data controller should ask when doing an internal audit of Mailchimp, or any other US-based email marketing tool:

  1. Are there alternatives that can be used instead? (Note: in the last section we’ll step out some Mailchimp alternatives.)
  2. If no equivalent alternative can be found, is all the reasoning documented e.g. risks to data by switching to a new processor, the level of sensitivity of the data and what possible consequences would there be for the data subjects if their data was accessed by US surveillance teams. For example a political party marketing newsletter would be high risk as it may give insights into user political views.
  3. Is your team aware of the user agreement with Mailchimp and how it protects personal data, and is this documented?

What steps you need to take to make your MailChimp GDPR compliant

Before using Mailchimp

You will need to:

  • Make sure you have policies and documentation updated including:
    • Privacy policy.
    • Cookie policy.
    • Data Protection Impact Assessment (DPIA) – if appropriate. Because the transfer is risky – to a third country without adequacy it may be wise to consider at least a light-touch DPIA.
  • Determine a transfer mechanism (likely being the IDTA or SCCs, see more on appropriate transfer mechanisms here)
    • As Mailchimp is a U.S. cloud service provider, they can be served with compulsory information requests e.g. U.S. government intelligence gathering under EO 12333. The encryption or agreements with sub processors does not make Mailchimp exempt.
  • Setup opt-in consent if required, this can be done using the GDPR field in Mailchimp where a user checks their consent. Remember that:
    • All EU/UK direct marketing contacts must give consent to receive email marketing messages unless a PECR soft-opt-in exception applies.
    • Consent must be specific, freely-given and informed.
    • Consent must be attributed to the user.
    • You must be able to evidence consent if requested by a supervisory authority like the ICO.
  • Limit access to those managing contacts and provide staff with training. All team members should know how to deal with ‘right to delete’ requests and how to flag data breaches.

When using Mailchimp

You will need to ensure:

  • If you are relying on consent, the consent must be managed and recorded:
    • Fields for consent must be kept up to date.
      • Date and time of last consent.
      • What exactly was consented to.
    • Unsubscribe links are clear and not clipped when the email is sent (a common Mailchimp issue when sending emails to Gmail accounts).
    • Unsubscribe links are tested and working.
  • Ensure that every email or communication to the subscriber has a link to privacy policy, option to opt-out and reason why the user is receiving this email.
    • All of this can be automated on Mailchimp, but it is up to you to keep it up to date.
  • Stored data is kept clean:
    • You should not store more user data than is reasonably required to fulfill your processing. This will help you comply with the proportionality principle of GDPR.
    • Data should be kept up to date and accurate.
  • Team members working with customer data and/or sending email campaigns are trained on DPA18 (UK-GDPR), EU GDPR and PECR.
    • Training is logged and refresher training is completed regularly.
  • User access to Mailchimp is regularly reviewed.
    • Mailchimp will be storing personal information, therefore only people who require access to this personal information to complete their role should have access to this information.
      • A common mistake we see is where our consulting clients will assign full access to marketing agency staff in order for them to send and manage email marketing campaigns. This is usually unnecessary, particularly if the agency staff are only creating email templates and adding content to emails.
      • The more you reduce access to personal information, the more you reduce your risk of data breaches and the more likely you are to comply with the proportionality principle of GDPR.

What steps you need to take to make your MailChimp campaigns PECR compliant

PECR is the UK’s implementation of the e-privacy Directive. It outlines specific rules on when and how direct marketing communications, such as emails can be sent and provides rules on the use of cookies and tracking technologies amongst other things. 

If you are sending marketing communications via Mailchimp to UK based people then you will likely need to comply with PECR.

There are different rules based on whether the recipient of the marketing communications is considered an individual or a business.

Here we outline the requirements for b2c and b2b emails.

For marketing emails to individuals:

  • Consent must be given
  • Organisations must not disguise or conceal their identity in any marketing texts or emails, and must provide a valid contact address for individuals to opt out or unsubscribe 
  • Organisations still need consent even if they do not send the messages themselves, but instead instigate others to send or forward them

For marketing emails to businesses:

  • Consent is not required
  • The sender must identify itself and provide contact details
  • Warning: employees with personal corporate email addresses (e.g. [email protected]), may be considered an “individual” if they are sole traders or some partnerships which are treated as individuals

For existing customers, you can send marketing messages as part of the soft opt-in specified under PECR. However, they must follow the rules that:

  • the customer’s contact details were obtained in the course of a sale (or negotiations for a sale) of a product or service
  • the organisation is only marketing their own similar products or services
  • the customer has a simple opportunity to refuse or opt out of the marketing, both when they obtained the contact details and in every message after that

Remember that soft opt-in is NOT applicable to charities, political parties, or other not-for-profit bodies.

Are there any alternatives to Mailchimp? 

Yes, there are many email marketing tools that you can use as alternatives to Mailchimp. You can choose tools that have UK or European based servers, including:

The choice will depend on your company’s needs, where your customers are based, and how comfortable your team is in using the tool.