If your business is based in Brazil, or you process the personal data of individuals located in Brazil, the Brazilian Data Protection Act (LGPD) affects you.
In this article, we'll answer common questions about Mailchimp and the LGPD.
Mailchimp offers tools and information as a resource, but we don’t offer legal advice. We recommend you contact your legal counsel to find out how the LGPD affects you.
What is the LGPD?
The LGPD, or the Brazilian Data Protection Act, is a Brazilian privacy law that went into effect in August 2020. It regulates how personal data of individuals located in Brazil can be collected, used, and processed. The law impacts Brazilian companies, businesses that target Brazilian individuals, and those that collect, use, or process the personal data of Brazilian individuals. Essentially, this means the LGPD will apply to most organizations that process personal data of Brazilian individuals—regardless of where they are established, and regardless of where their processing activities take place.
Due to the similarities between the LGPD and the European Union’s General Data Protection Regulation (“GDPR”), you can leverage our GDPR compliance features and tools for LGPD compliance.
Can I collect consent for other tools through Mailchimp's signup forms?
Yes. You can edit the suggested language for the GDPR fields of our signup forms to collect consent for LGPD purposes. If you choose to write your own descriptions, make sure you’re explicit about why you’re collecting data.
How can I prove consent?
- Export your audience.
If a contact signed up for your audience through a Mailchimp-hosted form, you can export your audience and review the OPTIN_TIME and OPTIN_IP fields in your exported CSV file. These fields contain the date, time, and IP address associated with the signup.
- Turn on double opt-in.
You can enable double opt-in, which includes an extra confirmation step that verifies each email address. After turning on double opt-in, export your audience and review the CONFIRM_TIME and CONFIRM_IP fields in your exported CSV file. These fields contain the date, time, and IP address associated with the confirmation.
- Take a screenshot of your signup form. You can capture an image of your signup form to prove you accurately described your marketing activities. You can also access this information for LGPD purposes in our GDPR form versions.
How can I use Mailchimp features to help comply with the LGPD?
Because the LGPD’s requirements are similar to the GDPR’s requirements, you can use Mailchimp’s privacy features and tools, including Mailchimp’s GDPR tools, to work toward LGPD compliance.
- Enable Mailchimp’s GDPR signup forms and double opt-in to collect your contacts.
- Ensure the language in your signup form accurately describes your marketing activities.
- Turn on two-factor authentication for added protection.
- Update your website's privacy statement or policy to state you use Mailchimp to store information.
- Make sure your Cookie Statement describes any cookies or tracking technologies you might use. If you’re not sure, Mailchimp’s Cookie Statement includes a section called Cookies served through the Services that describes technology you (or your website) might use, depending on the features you use through Mailchimp.
The LGPD could affect your business outside of Mailchimp. We recommend you contact your legal counsel to find out how the LGPD affects you.
Do I need to get consent from my existing contacts?
If you collected consent from existing contacts in a way that complies with the LGPD, you may not need to collect consent from those contacts again. For example, if you used GDPR-enabled signup forms, you may not need to collect consent for LGPD compliance purposes from existing contacts.
Otherwise, you'll need to collect LGPD-friendly consent from the contacts you already have. You can do this by sending a consent email to everyone in your audience that includes a link to update their settings through our GDPR-friendly forms. We are not aware of anything that specifically prohibits you from sending a reconfirmation email after the LGPD went into effect on August 15, 2020.
The important thing is that you need to ensure that you have a lawful basis, such as consent or a legitimate interest, to send an email to a contact.
If you don’t feel like you have a proper basis under the LGPD to email a contact, you may want to refrain from sending a reconfirmation email and remove the contact from your audience. As always, we suggest you reach out to local counsel in your area to discuss the specifics of your situation.
If my contacts don’t consent, should I stop communicating with them?
You need to have a lawful basis, like consent, to process a Brazilian data subject’s personal data.
Use your Marketing Permissions segments to communicate only with contacts who have expressly opted in to your marketing. You may find it helpful to bulk unsubscribe all contacts who have not opted to receive any marketing from you.
Do I need to use double opt-in?
While you should consult with qualified legal counsel to determine your legal requirements, you can enable double opt-in through Mailchimp.
Double opt-in includes an extra confirmation step that verifies each email address. This confirmation provides additional evidence of consent.
How can I see who signed up using double opt-in?
Export your audience and review the OPTIN_TIME and CONFIRM_TIME fields in your exported CSV file.
- OPTIN_TIME: The time a contact accessed your signup form, if they used it to sign up.
- CONFIRM_TIME: The date and time the contact clicked the link in the opt-in confirmation email.
If the values of the OPTIN_TIME and CONFIRM_TIME fields are different, it is likely the contact signed up using double opt-in.
If you’ve combined multiple audiences using the built-in combine audiences tool, the OPTIN_TIME field won't be included in your exported file. You won’t be able to verify the opt-in status of contacts.
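As an added example (not Mailchimp's own code), the following script applies the check described above to an audience export: it reads the CSV, compares OPTIN_TIME with CONFIRM_TIME per contact, flags contacts with no recorded consent evidence, and treats an export with no OPTIN_TIME column (a combined audience) as unverifiable. The sample rows are constructed, and the "Email Address" column name is an assumption; the OPTIN/CONFIRM column names are those the article refers to.

```python
import csv
import io

# Constructed sample of an audience export (not real data). The OPTIN_TIME,
# OPTIN_IP, CONFIRM_TIME and CONFIRM_IP columns are the ones the article names;
# "Email Address" is an assumed column name for this example.
SAMPLE_EXPORT = """Email Address,OPTIN_TIME,OPTIN_IP,CONFIRM_TIME,CONFIRM_IP
single@example.com,2021-03-02 10:15:00,203.0.113.7,2021-03-02 10:15:00,203.0.113.7
double@example.com,2021-03-02 11:00:00,198.51.100.4,2021-03-02 11:04:30,198.51.100.4
noevidence@example.com,,,,
"""

# Constructed export of a combined audience: the OPTIN_TIME column is absent.
NO_OPTIN_EXPORT = """Email Address,CONFIRM_TIME,CONFIRM_IP
merged@example.com,2021-03-02 11:04:30,198.51.100.4
"""


def classify_row(row):
    """Return the kind of consent evidence the export holds for one contact."""
    if "OPTIN_TIME" not in row:
        # Combined audiences drop OPTIN_TIME, so opt-in status cannot be verified.
        return "unverifiable"
    optin_time = (row.get("OPTIN_TIME") or "").strip()
    confirm_time = (row.get("CONFIRM_TIME") or "").strip()
    if not optin_time and not confirm_time:
        return "no-evidence"
    if optin_time and confirm_time and optin_time != confirm_time:
        # A confirmation later than the signup means a separate confirm step ran.
        return "double-opt-in"
    # Equal timestamps or a missing confirm time: no separate confirmation recorded.
    return "single-opt-in"


def audit_export(csv_text):
    """Map each email address in the export to its evidence class."""
    reader = csv.DictReader(io.StringIO(csv_text))
    return {row["Email Address"]: classify_row(row) for row in reader}


def summarize(csv_text):
    """Count contacts per evidence class, e.g. to size a reconfirmation campaign."""
    counts = {}
    for kind in audit_export(csv_text).values():
        counts[kind] = counts.get(kind, 0) + 1
    return counts
```

Contacts that land in "no-evidence" or "single-opt-in" are the ones to consider for a reconfirmation email or removal, as the sections on existing contacts describe.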
Imports and exports
Can I import contacts who have given consent outside of Mailchimp?
Yes. If you have GDPR forms enabled for an audience, the forms provide LGPD-friendly consent. You can use those forms to import contacts who have given LGPD-friendly consent for marketing permissions.
For more information, check out Format Guidelines for Your Import File.
Can I view marketing permissions in an audience export?
Yes. Since the LGPD’s requirements are similar to the GDPR’s requirements, you can export a GDPR-enabled audience to view marketing permissions. In the exported file, one CSV file header will match the GDPR form field label in your segments. This field will display each marketing permission the contact has opted in to.
How do I fully delete a contact's data?
Choose the Remove contact option from the Actions menu on the profile page, then choose Permanently delete. To delete more than one contact at the same time, navigate to the Data Management Tool page and choose Permanently Delete. This action permanently removes all of a contact’s personal information and anonymizes their data in your reports. After you delete a contact, you won’t be able to add them back to your audience. For step-by-step instructions on this process, read Delete Contacts.
If one of your contacts asks us to remove their data from every account in Mailchimp, we'll notify you with an email. After you receive the email, you'll have 30 days to delete the contact from every audience they're in, as well as any connected integrations.
Can I translate fields in Mailchimp's signup forms?
Can I use GDPR fields with Mailchimp Subscribe?
No. GDPR fields are not compatible with form integrations or Mailchimp Subscribe.
Can I make the Options field on GDPR forms required?
Yes. When you edit the fields on your GDPR-friendly form, check the box next to Require at least one option. If this is enabled for your form, at least one marketing permission checkbox must be selected before a contact can subscribe. Because the LGPD’s requirements are similar to the GDPR’s requirements, this strategy also works for the LGPD.
Are LGPD-compatible tools available in the API?
Yes. We've added marketing_permissions as a field with a boolean value, so you can enable GDPR fields and sync contact marketing permissions using the API. Because the LGPD’s requirements are similar to the GDPR’s requirements, this strategy also works for the LGPD. To learn more about managing your audience with the Mailchimp Marketing API, check out our API documentation.
To comply with requests to fully delete data, you can also permanently delete contacts using the API. After a contact is permanently deleted, they cannot be re-imported.
What if I transfer data from a site or e-commerce store to my Mailchimp account?
You are responsible for determining whether other third-party applications, including integrations and e-commerce stores, meet LGPD requirements.
If you rely on consent to process subscribers' personal data, double check whether the consent that you previously obtained meets the LGPD's standards. For example, check third-party integrations to be sure they don't automatically add people to your Mailchimp audience without an opt-in checkbox that clearly states how you'll use that person's data. You should also review the terms associated with any Mailchimp add-ons or third-party integrations you use.
Do I need to sign Mailchimp’s Data Processing Agreement?
What’s the penalty if I don’t comply with the LGPD?
Chapter 8 of the full text of the LGPD (English translation) discusses remedies, liability, and penalties.
Where are Mailchimp’s servers?
Our servers are located in the United States. Mailchimp is committed to the protection of personal data around the world and ensures such protection through the use of standard contractual clauses and other safeguards as laid out in its Data Processing Agreement. Because Mailchimp’s Data Processing Agreement contains the necessary language to confirm an adequate level of protection, we can lawfully receive Brazilian data.