You've probably heard about the General Data Protection Regulation (GDPR), and you might have a few questions about it. Here’s what we know about the law and how it affects Mailchimp and our users.
This article is provided as a resource, but it’s not legal advice. We encourage you to speak to legal counsel to learn how the GDPR may affect your organization.
What and Who
The GDPR is a European Union (EU) privacy law that affects businesses around the world. It regulates how any organization that is subject to the Regulation treats or uses the personal data of people located in the EU. Personal data is any piece of data that, used alone or with other data, could identify a person. If you collect, change, transmit, erase, or otherwise use or store the personal data of EU citizens, you'll need to comply with the GDPR.
The GDPR will replace an older directive on data privacy, Directive 95/46/EC, and it introduces a few important changes that may affect Mailchimp users.
You need to have a legal basis, like consent, to process an EU citizen's personal data. Under the GDPR, you may use another legal basis for processing personal data, but we anticipate that many Mailchimp users will rely on consent. This consent must be specific and verifiable.
Verifiable consent requires a written record of when and how someone agreed to let you process their personal data. Consent must also be unambiguous and involve a clear affirmative action. This means clear language and no pre-checked consent boxes.
About Individual Rights
The GDPR also outlines the rights of individuals around their personal data. EU citizens will have the right to ask for details about the way you use their personal data and can ask you to do certain things with that data. You should be prepared to support people's requests in a timely manner. People have the right to request their personal data be corrected, provided to them, prohibited for certain uses, or removed completely.
You should also be able to tell someone among other things, how their personal data is being used. If they ask, you’re obligated to share the personal data you hold on an individual, or offer a way for them to access it.
What is Mailchimp doing to prepare?
We have modified many of our internal practices and policies, because we are committed to compliance with the GDPR. We've updated our Data Processing Addendum and our third-party vendor contracts to meet the GDPR's requirements.
We’re also in the process of building and releasing tools that will make it easier for our users to handle their customer’s data appropriately.
What can I do to prepare?
Mailchimp offers tools related to consent and individual rights to help you comply with the GDPR. We encourage you to consult with legal or other professional counsel about your GDPR preparations.
Transparent data processing is mandatory, and it’s also an opportunity to strengthen your marketing relationships. We’ve updated Mailchimp signup forms to help you stay compliant with the latest laws.
If you’re going to rely on consent to process the personal data of EU citizens, the GDPR says you must obtain specific consent from your contacts and clearly explain how you plan to use their personal data. Our GDPR fields include checkboxes for opt-in consent, and editable sections that allow you to explain how and why you are using data.
Mailchimp stores your forms and contact data in case you need it in the future. If someone signed up to your audience through a Mailchimp hosted form, you can export that audience and view information related to the signup. For additional evidence of consent, you may choose to turn on double opt-in.
If you rely on consent to process contacts' personal data, double check whether the consent that you previously obtained meets the GDPR's standards. For example, check third-party integrations to be sure they don't automatically add people to your Mailchimp audience without an opt-in checkbox that clearly states how you'll use that person's data. You should also review the terms associated with any Mailchimp add-ons or third-party integrations you use.
To learn more about permission data, check out Export Proof of Consent
To learn more about using GDPR-friendly forms, check out Collect Consent with GDPR Forms
Understand Individual Rights
All Mailchimp users can access their Mailchimp audiences to correct or update information upon the request of their contacts. Your contacts can continue to update their own data, too, by contacting us or updating their preferences in any email they receive from you.
We want to help our users prepare for the change, but it’s important to note that the GDPR's provisions could affect your business outside of how you use Mailchimp. Here are some additional resources.