How to Get GDPR Consent for Marketing

Mailchimp makes it easy to connect with your customers and market smarter—all while protecting your customers' personal data.

What is the GDPR?

The GDPR, or General Data Protection Regulation, is a European privacy law that went into effect in May 2018. It regulates how personal data of individuals in the EU can be collected, used, and processed. The law impacts European companies and any business that targets European individuals or collects, uses, or processes the personal data of European individuals regardless of where the business is located. Essentially, this means the GDPR will apply to most organizations that process personal data of EU individuals—regardless of where they are established and regardless of where their processing activities take place.

How does Mailchimp make GDPR compliance easier?

Easily get consent and build loyalty. Our tools make it easy to comply with the GDPR's requirements as you grow your audience.


Contact profiles

Our contact profiles show when someone opted in to receive marketing from you, so you can prove consent and modify or remove personal information any time you need to.

Double opt-in settings

You can enable our double opt-in settings for your audience where needed, or to provide additional evidence of consent.

GDPR-friendly forms

You can design GDPR-friendly forms that are consistent with your brand. Edit the built-in GDPR language so you still sound like yourself and collect the marketing permission you need. GDPR fields are available for hosted, embedded, pop-up, or landing page signup forms, and they can be enabled via our API.
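The contact-profile and double opt-in sections above describe what "proving consent" rests on: a record of when, from where and to which wording someone agreed, plus a confirmation step that only the mailbox owner can complete. The following Python example, added here and not Mailchimp's code (it does not use the Mailchimp API), shows one way to implement both: it stores a consent record and issues an HMAC-signed, single-use, time-limited confirmation token for the double opt-in email. The secret key, the consent text, the in-memory store, the 48-hour validity window and the sample addresses are assumptions for the example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time
from dataclasses import dataclass, asdict
from typing import Optional

# Assumptions for this example (not from the page): a server-side secret,
# an in-memory store and hypothetical consent copy. Use a secret store and
# a database in production.
SECRET_KEY = b"example-only-replace-with-a-random-32-byte-secret"
TOKEN_TTL_SECONDS = 48 * 3600
CONSENT_TEXT = "Yes, send me marketing email from Example Co."  # hypothetical form wording


def consent_text_hash(text: str) -> str:
    """Fingerprint the exact wording shown, so the record proves what was agreed to."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


@dataclass
class ConsentRecord:
    email: str
    consent_text_sha256: str
    source: str                  # where the signup came from, e.g. "embedded form /newsletter"
    ip: str
    requested_at: int            # epoch seconds, UTC, when the form was submitted
    status: str = "pending"      # pending -> subscribed, or pending -> expired
    confirmed_at: Optional[int] = None
    nonce: Optional[str] = None  # single-use; cleared once the token is consumed


STORE: dict = {}  # email -> ConsentRecord (constructed in-memory store)


def _sign(payload: str) -> str:
    return hmac.new(SECRET_KEY, payload.encode("utf-8"), hashlib.sha256).hexdigest()


def record_signup(email: str, source: str, ip: str, now: Optional[int] = None) -> str:
    """Store an unconfirmed consent record and return the token to put in the confirmation email."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(16)
    STORE[email] = ConsentRecord(email, consent_text_hash(CONSENT_TEXT), source, ip, now, nonce=nonce)
    payload = f"{email}|{now}|{nonce}"
    b64 = base64.urlsafe_b64encode(payload.encode("utf-8")).decode("ascii").rstrip("=")
    return f"{b64}.{_sign(payload)}"


def confirm(token: str, now: Optional[int] = None) -> str:
    """Validate a double opt-in token: 'subscribed', 'invalid', 'expired' or 'already_used'."""
    now = int(time.time()) if now is None else now
    try:
        b64, mac = token.split(".", 1)
        b64 += "=" * (-len(b64) % 4)
        payload = base64.urlsafe_b64decode(b64).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return "invalid"
    if not hmac.compare_digest(_sign(payload), mac):   # constant-time comparison
        return "invalid"
    email, requested_at, nonce = payload.split("|", 2)  # well-formed: the MAC verified
    rec = STORE.get(email)
    if rec is None or rec.requested_at != int(requested_at):
        return "invalid"          # no such signup, or a newer signup replaced it
    if rec.nonce is None:
        return "already_used"     # token replayed after a successful confirmation
    if nonce != rec.nonce:
        return "invalid"
    if now - rec.requested_at > TOKEN_TTL_SECONDS:
        rec.status = "expired"
        return "expired"
    rec.status = "subscribed"
    rec.confirmed_at = now
    rec.nonce = None              # burn the nonce so the link cannot be reused
    return "subscribed"


def export_record(email: str) -> str:
    """Serialise the evidence of consent, e.g. to answer an access request."""
    return json.dumps(asdict(STORE[email]), sort_keys=True)
```

The token is only a pointer to the server-side record; the record, not the token, is the evidence, and it keeps the hash of the wording the person actually saw so that later edits to the form text cannot blur what was agreed to.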

Quickly respond to data requests from your contacts

Individuals in the EU have certain rights under the GDPR. Our audience management tools allow you to easily respond to data requests from your contacts—without a cumbersome process or waiting for someone to handle the request for you.

  • You can export any of your audiences, or selected information within any audience, at any time in your Mailchimp account.

  • You can access and update your contact lists to correct or complete contact information at any time. You can also create a preferences center where your contacts can update their information and preferences on their own.

  • If a contact objects to you processing their personal data you can remove them from your Mailchimp account at any time.

  • You can delete contacts from your Mailchimp account at any time. And when someone is removed from your contacts, we anonymize their data in your reports so you stay compliant without losing any audience insights.

  • You can export data about individual contacts from your Mailchimp account, which can help you fulfill access requests.

“Mailchimp's GDPR resources helped us and our clients understand and prepare for the biggest shake-up in data law in over 20 years. Plus, the GDPR-friendly signup forms were an absolute breeze to use.”

Alastair Thompson, Teapot Creative

What does Mailchimp do to comply with the GDPR?

  • Appointed a Data Protection Officer (DPO) to oversee our compliance program.
  • Continuously review our security measures to ensure any personal data we collect and process on our systems is adequately protected.
  • Ensure our Privacy Policy clearly explains Mailchimp's commitment to the GDPR, is transparent about how we use personal data, and gives individuals information about how they can exercise their data subject rights.
  • Incorporate the EU's Standard Contractual Clauses in our Data Processing Addendum which automatically forms part of our Standard Terms of Use (our contract with you) and applies to customer data protected by EU laws.
  • Provide our customers with GDPR-ready terms in our Data Processing Addendum and update our contracts with third party vendors to ensure they are GDPR-compliant.
  • Maintain formal processes around data subject rights to ensure we can help customers fulfill requests they receive.
  • Respond to and fulfill data subject rights requests in our role as a controller.
  • Complete Data Protection Impact Assessments to identify and minimize any risks from our processing activities.
  • Maintain accurate records of our processing activities, both as a processor and controller of personal data.
  • Pay close attention to regulatory guidance around GDPR compliance and make changes to our product features and contracts when they're needed.
  • Certify annually with the EU-U.S./Swiss-U.S. Privacy Shield Frameworks and continue to protect EEA, UK, and Swiss data in compliance with the Privacy Shield Principles. You can view our Privacy Shield certification here.

Data protection and GDPR FAQs

Why is data protection important?

Aside from the fact that you may be required to follow certain data protection laws based on your business operations, data protection offers several benefits. Following data protection best practices is especially important if your business deals with customers’ personal data.

Data breaches aren’t just a pain for your customers; they can also be financially devastating for businesses. A data breach can cause you to lose customers, which means fewer sales and more money spent on new customer acquisition. System downtime as a result of a data breach means you can lose even more money.

When it comes to GDPR compliance and data protection, you also have to consider the reputation of your company. Data breaches—especially repeated data breaches—can lead to customers losing trust in your business, especially if you’re dealing with sensitive identification or financial information. Some businesses have suffered a huge loss in terms of their reputation as a result of multiple data breaches. A commitment to protecting customers’ data also helps build trust with your customers, which helps you keep customers around for a long time and reduce customer acquisition costs.

Data protection also changes the way you manage your data for the better, keeping it secure but still readily available. Proper data collection and management are cornerstones of data protection, so protecting your data and implementing things like GDPR consent can help you improve your data management as a whole. This means data is available when you or your customers need it, so business operations aren’t interrupted.

What are the benefits of GDPR consent?

First and foremost, it’s essential that you’re following GDPR guidelines if you’re required to based on the data you collect. If your business collects personal data from anybody in the European Union, GDPR consent is an important part of making sure you’re collecting that data legally.

Data must be processed using appropriate measures, which means your security controls have to be up to standard to maintain GDPR compliance. The GDPR does not prescribe particular technologies, but Article 32 names pseudonymisation and encryption of personal data, the ability to restore availability and access after an incident, and regular testing of your controls as examples of appropriate technical and organisational measures. If you’re currently overlooking cybersecurity, this is the perfect time to work on it.

The last thing you want is for customers to think of your business as susceptible to data breaches. Many consumers are already skeptical enough about using credit and debit cards online without having to question the data protection practices of the company they’re doing business with. Consent gives you a lawful basis to process someone’s data; the obligation to protect that data applies whether or not you rely on consent, so a visible commitment to both tells customers their data is handled according to the rules. Plus, avoiding data breaches helps you keep your reputation intact, so people aren’t afraid to shop with you.

Improved data management is another benefit of GDPR compliance. When you use GDPR consent and collect data according to GDPR guidelines, you also have the opportunity to adopt data management best practices that you may not have used before. And because GDPR compliance requires you to collect, store, and manage data in a particular manner, it helps improve your data management by default. If you’re already overhauling your data collection and management processes, you can take the opportunity to make sure you’re on top of GDPR compliance as well.

Do I, as an individual, have to comply with GDPR?

As an individual, you are required to maintain GDPR compliance as long as you meet the criteria. If you collect data from people who are in the European Union, you’re required to follow GDPR guidelines when it comes to the collection, storage, and management of that data. That being said, there are certain cases where an individual isn’t required to maintain GDPR compliance even if they’re collecting data from people in the EU.

One of the most important things to keep in mind is that certain processing is exempt from the GDPR. The regulation does not apply to processing carried out by an individual in the course of a purely personal or household activity, so a private address book, a list of friends’ phone numbers, or similar information kept for personal use falls outside it. As soon as you collect personal data from people in the EU for business purposes, that exemption no longer applies. That being said, it’s still a good idea to maintain GDPR compliance if you’re collecting any type of data from people in the EU. At the very least, maintaining GDPR compliance will help you make sure your data protection and management systems are up to date.

If you’re an individual, but you’re not collecting data from people in the EU, you don’t have to worry about GDPR compliance. However, following GDPR marketing and data protection guidelines can help you make sure you’re protecting customers’ private data, which goes a long way toward increasing customer loyalty and boosting your brand’s reputation.

Even as an individual, it’s important to understand whether or not you’re required to maintain GDPR compliance. You might think you’re collecting a small amount of data that isn’t particularly valuable, but data protection is crucial when you’re dealing with any type of sensitive information.

Are there regulations besides GDPR that I need to follow?

In addition to GDPR compliance for EU resident data collection, there are other regulations you need to follow when it comes to running an online business. Different states and countries have different laws, so the regulations you have to follow vary depending on your business operations.

California has the most well-known data protection law in the United States, the California Consumer Privacy Act (CCPA). Although California residents are protected by the CCPA, the United States has no comprehensive national data protection law, only sector-specific ones such as HIPAA for health data and COPPA for children’s data. Of course, you’re still required to maintain GDPR compliance and follow other regulations if you’re operating out of the United States but collecting data from customers in certain states or countries. CCPA compliance is a little different in terms of requirements. The CCPA applies to for-profit businesses that do business in California and meet at least one threshold: annual gross revenue above $25 million, buying, selling, or sharing the personal information of 50,000 or more consumers, households, or devices a year, or earning half or more of annual revenue from selling personal information. (The CPRA amendments raised the second threshold to 100,000 consumers or households from 2023.)

There’s also a Canadian data protection law called the Personal Information Protection and Electronic Documents Act (PIPEDA). It is often referred to as the Canadian equivalent of the GDPR, so maintaining PIPEDA compliance is also important for many businesses. PIPEDA applies to private-sector organizations that collect, use, or disclose personal information in the course of commercial activities, so it covers the people you do business with in Canada regardless of their citizenship.

The last thing to remember is that there are countless regulations when it comes to running a business, whether you’re running an online business or not. If you send marketing email to recipients in the United States, you have to follow the CAN-SPAM Act of 2003, and Canada’s Anti-Spam Legislation (CASL) sets stricter, consent-based rules for commercial email sent to or from Canada. Just like data protection regulations, email marketing rules differ from country to country. If you’re doing a lot of business internationally, it may be worth talking with an expert about which laws you’re required to follow.
