If you have a website, a contact/subscribe form and you use Mailchimp to manage your email newsletter, you’re likely wondering if you need to disclose this in your privacy policy (or you might be wondering if you even need to have a privacy policy in the first place).
The answer is YES: a privacy policy containing the correct disclosures is required from both a legal perspective and a third-party one, since Mailchimp's own terms demand it.
This guide will show you how to create a privacy policy for Mailchimp, and as a bonus, will explain the additional steps you may need to take to ensure that your mailing list and newsletter activities are compliant.
Mailchimp explicitly states in Section 20 of its Terms of Use that you must comply with all applicable laws. In practice this means the privacy laws of your own country and those of your users' countries:
You’re responsible for determining whether the Service is suitable for you to use in light of your obligations under any regulations like HIPAA, GLB, EU data privacy laws (including the General Data Protection Regulation) (collectively, “EU Data Privacy Laws”), United States export control laws and regulations and economic sanctions laws and regulations (“U.S. Export Control Laws and Regulations”), or other applicable laws.
The requirements are even more explicit if you’re located in the EEA (including the UK and Switzerland) or have anyone located in these regions on your mailing list:
If you’re located in the European Economic Area, the United Kingdom, or Switzerland (collectively, the “EEA”) and/or distribute Campaigns or other Content through the Service to anyone located in the EEA (each such Member an “EEA Member”) in creating your Campaign distribution list, sending Campaigns via the Service, and/or otherwise collecting information as a result of creating or sending Campaigns, you represent and warrant to Mailchimp that:
- You will clearly post, maintain, and abide by a publicly accessible privacy notice on the digital properties from which the underlying data is collected that satisfies the requirements of applicable data protection laws, describes your use of the Service, and includes a link to Mailchimp’s Privacy Policy.
- You will get and maintain all necessary permissions and valid consents required to lawfully transfer data to Mailchimp and to enable such data to be lawfully collected, processed, and shared by Mailchimp for the purposes of providing the Service or as otherwise directed by you.
- You will comply with all laws and regulations applicable to the Campaigns sent through the Service, including those relating to (a) acquiring consents (where required) to lawfully send Campaigns, (b) the Content of Campaigns, and (c) your Campaign deployment practices.
- …
In addition, if you are an EEA Member, you acknowledge and agree that we have your prior written authorization to respond, at our discretion, to any data subject access requests we receive from your contacts made under EU Data Privacy Laws, or, alternatively, we may direct any such contacts to you so that you can respond to the request accordingly.
Now that we’ve established that Mailchimp requires you to adhere to all applicable law, let’s take a look at the legal requirements below.
Under most countries’ laws, you’re required to have a valid privacy policy in place. The privacy policy should include accurate and clearly stated details of who is doing the processing and for what purpose. Not doing so can often result in major fines and sanctions.
If you fall under the scope of laws such as the GDPR (and even Canada's PIPA), the consent you collect is only valid if it meets specific requirements, including fully and correctly informing your users of the purposes, methods, and parties involved in the processing of their data.
Under laws such as the GDPR, if you do not keep valid records of the consents collected, those consents may be considered invalid, in some instances requiring you to re-obtain consent. Your consent records should include the relevant details of each individual consent, including the method of collection and proofs related to the actual form and the privacy policy active at the time of collection. Read more about records of consent here.
*All our policies are created by lawyers, monitored by our lawyers and hosted on our servers to ensure that they are always up-to-date with the latest legal changes and third-party requirements.
Mailchimp has long made available a feature called GDPR fields: GDPR-friendly forms include checkboxes for opt-in consent, and editable sections that explain how and why you are using data. Please note that just enabling GDPR fields on your signup forms does not make you compliant.
Here’s what you have to do:
Visit mailchimp.com/help to learn more about how to use these features.
Simply having these features enabled does not automatically make you compliant. Remember, consent must be collected in accordance with whichever country's laws apply to you, and mailing lists must be managed in a compliant way. Some of these requirements depend heavily on how you design your forms and your actual newsletter. For a full overview of what's required, and visual examples of how you can implement it, read our Email and Newsletter Compliance Guide.
Mailchimp offers two opt-in settings for your lists: single opt-in and double opt-in. While single opt-in only requires that users submit their information in order to be added to your list, double opt-in requires that users first validate their email address before being added to your mailing list. The validation is carried out when users click on a specific link contained in a confirmation message sent to their email address.
Depending on your organization’s needs, you may want to try the double opt-in process, which includes an extra confirmation step that verifies each email address. This method of registration is considered best practice in many countries and might be required in some (e.g. Germany).
Try our Newsletter Opt-in Booster 👉 it adds a customizable signup form to your site, allowing you to collect and manage consent through a double opt-in process for a more engaged and responsive audience.
You can read Mailchimp's guide on how to enable double opt-in for your lists here.
As stated in their terms of use (section 20.5), if you’re located in the EEA (including the UK and Switzerland) or may have anyone located in these regions on your mailing list, you’re required to sign a DPA with Mailchimp.
You will sign and return Mailchimp’s Data Processing Addendum, which sets out your and Mailchimp’s obligations with respect to data protections and security when processing personal information. Once signed, the Data Processing Addendum will form part of and be incorporated into the Agreement. You can access our data processing agreement here, where you will be directed to log in to your account to sign the agreement online.
-Mailchimp Terms of Use
If you fall within the scope of the GDPR (and you likely do), it’s mandatory that you keep valid records of consent. These records should include:
This is, of course, a technical challenge.
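The two technical pieces described above, the double opt-in confirmation step and the proof-of-consent record, as an added example that is not code from this page, from Mailchimp or from iubenda. It assumes a site that runs its own confirmation link before pushing confirmed addresses to Mailchimp; SECRET_KEY, TOKEN_TTL_SECONDS, FORM_HTML, POLICY_VERSION and the in-memory CONSENT_LOG are hypothetical stand-ins for your own secret store, form markup and policy versioning.

```python
"""Double opt-in confirmation tokens plus a minimal proof-of-consent record.

Added example, not Mailchimp's or iubenda's code. Assumes the site itself
sends the confirmation email and only adds confirmed addresses to the list.
"""
import base64
import hashlib
import hmac
import time
from typing import Optional

SECRET_KEY = b"rotate-me-and-load-me-from-the-environment"  # assumption: hypothetical secret
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation link is valid for 48 hours

# Constructed sample artefacts: the signup form exactly as served, and the
# identifier of the privacy policy in force when the form was shown.
FORM_HTML = (
    '<form><input name="email">'
    '<input type="checkbox" name="newsletter"> I agree to receive the newsletter'
    "</form>"
)
POLICY_VERSION = "privacy-policy-2024-01-15"  # assumption: hypothetical version tag

CONSENT_LOG: list = []  # stand-in for an append-only store


def sha256_hex(text: str) -> str:
    """Hash of the form markup (or policy text) as shown at collection time."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def make_confirmation_token(email: str, issued_at: Optional[int] = None) -> str:
    """Build a URL-safe token of the form  email|issued_at|HMAC-SHA256.

    The address is readable by anyone, but only the holder of SECRET_KEY can
    produce the signature, so a link cannot be forged to confirm an address
    the user never submitted.
    """
    issued_at = int(time.time()) if issued_at is None else issued_at
    payload = f"{email.strip().lower()}|{issued_at}".encode("utf-8")
    sig = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(payload + b"|" + sig).decode("ascii").rstrip("=")


def verify_confirmation_token(token: str, now: Optional[int] = None) -> Optional[str]:
    """Return the confirmed email address, or None if the token is malformed,
    tampered with, or older than TOKEN_TTL_SECONDS."""
    now = int(time.time()) if now is None else now
    try:
        raw = base64.urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except ValueError:
        return None
    # Layout: <payload> | <32-byte signature>; the signature is raw bytes and
    # may itself contain '|', so slice from the end instead of splitting.
    if len(raw) < 34 or raw[-33:-32] != b"|":
        return None
    payload, sig = raw[:-33], raw[-32:]
    expected = hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):  # constant-time comparison
        return None
    email_b, ts_b = payload.rsplit(b"|", 1)
    try:
        issued_at = int(ts_b)
    except ValueError:
        return None
    if now - issued_at > TOKEN_TTL_SECONDS or issued_at > now:
        return None
    return email_b.decode("utf-8")


def record_consent(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Handle the click on the confirmation link: verify the token and, on
    success, append a consent record carrying the proofs the text lists."""
    now = int(time.time()) if now is None else now
    email = verify_confirmation_token(token, now)
    if email is None:
        return None
    record = {
        "subject": email,
        "purposes": ["newsletter"],
        "method": "double_opt_in",
        "confirmed_at": now,
        "form_sha256": sha256_hex(FORM_HTML),      # proof of the form shown
        "policy_version": POLICY_VERSION,          # policy active at collection
    }
    CONSENT_LOG.append(record)
    return record


if __name__ == "__main__":
    link_token = make_confirmation_token("Alice@Example.com")
    print("confirmation link: https://example.com/confirm?t=" + link_token)
    print(record_consent(link_token))
```

The record stores a hash of the form markup rather than the markup itself; keep the versioned markup and policy text alongside the log so the hash can be matched to a concrete document when a regulator or data subject asks what was shown. Only a confirmed address is pushed on to Mailchimp, and the token's expiry bounds how long a leaked link stays usable.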
Our Consent Database simplifies this process by helping you to easily store proof of consent and manage consent and privacy preferences for individual consents — allowing you to track every aspect of the consent collected.
Simply activate the Consent Database, get the API key, then install via HTTP API or JS widget and you’re done! You’ll be able to retrieve consents at any time and keep them updated.
For more info on the Consent Database, read the Consent Database introduction guide, or, for a practical look at how the solution can be used on a WordPress site, check out our guide on How to use the Consent Database with Contact Form 7.
To get started simply: