Collect Consent with GDPR Forms

If your business is based in the European Union (EU), or you process the personal data of individuals in the EU, the General Data Protection Regulation (GDPR) affects you.

When relying on consent as your legal basis for processing, the GDPR says the consent you obtain must be freely given, specific, informed, and unambiguous. You also must clearly explain how you plan to use your contacts’ personal data. Mailchimp signup forms can help you stay compliant with this law. Our optional, GDPR-friendly forms include checkboxes for opt-in consent, and editable sections that explain how and why you’re using data.

In this article, you’ll learn how signup forms can help you comply with the GDPR.

Before you start

Here are some things to know before you begin this process.

• Enabling GDPR fields on your signup forms doesn’t make you compliant. It’s the first step of the process.
• You can import marketing permissions to a GDPR-enabled audience if you collect and maintain consent records for contacts outside of Mailchimp. It’s your responsibility to ensure you can demonstrate that your contacts have consented to the marketing permissions you import.
• Pop-up forms that use the Modal (center aligned) design format, and either None or Top image alignment are compatible with GDPR fields.
• Mailchimp offers tools and information as a resource, but we don’t offer legal advice. We recommend you contact your legal counsel to find out how the GDPR affects you.
• If you’re located in the EU or use Mailchimp to market to anyone in the EU, review Section 20 of our Standard Terms of Use and our Global Privacy Statement. These policies include important information about how Mailchimp treats EU data, and what you should do if you’re keeping EU data in your Mailchimp account.

How it works

Just enabling GDPR fields on your signup forms won’t make you compliant. It’s the first part of a multi-step process. To collect consent from new and existing contacts, you’ll set up your forms, create a segment, and send a consent email. Here’s how it works.

Set up your GDPR-friendly signup form

• Enable GDPR fields
  Turn on GDPR fields for the signup forms for each audience affected by the GDPR.
• Edit GDPR fields
  Mailchimp provides suggested content for GDPR fields to make it easier for you to create your GDPR-friendly forms. You might need to edit this content to fit your marketing plan, so be sure to review it carefully. If you choose to write your own descriptions, make sure you’re explicit about why you’re collecting data.

Segment your audience by marketing permissions

Segment your audience based on the marketing permissions you receive from your signup form. You don’t have to wait to collect your data to create segments. After you create and save your segments, you’ll be able to access them anytime. Give your segments descriptive names so you can find them easily.

Collect consent

Once your segments are created, you can then collect consent to send your marketing to those contacts. New contacts can sign up through the published form, but you’ll also want to reach out to your existing contacts.

• From new contacts
  After you save your changes in the form builder, that signup form will include GDPR fields on compatible published forms. New contacts that use your signup form will be able to give explicit consent to your marketing.
• From existing contacts
  You’ll also need to collect GDPR-friendly consent from the contacts you already have. Send an email to everyone in your audience that includes a link to update their settings.

Send your emails

After you've saved your consent segment and contacts have consented through a published form, use the segment to send your email only to those people.

GDPR fields

GDPR form fields include checkboxes that your contacts will use to opt-in to your marketing, and space for you to add necessary information. Mailchimp provides suggested content that you can edit to fit your marketing plan. Make sure each section accurately describes your marketing activities.

This table explains what you need to include in each field.

Which forms are compatible with GDPR fields?

After you enable GDPR form fields for your audience, these fields will be included on the hosted signup forms for your audience, embedded forms, update profile forms, and signup landing pages.

The fields will also be included on pop-up forms that use the Modal design format, and either None or Top image alignment pop-up forms.

To find the pop-up form layouts that are compatible with GDPR fields for your audience, follow these steps.

1. Click Audience, then click Signup forms.
2. Scroll to the Pop-up form tile, then click Create pop-up form.
3. Enter a form name, then click the Audience drop-down and choose the one you want to work with.
4. Click Begin. If you receive a message that your pop-up is disabled, click Edit and toggle the slider to the checkmark.
5. Click Layout, then choose a GDPR-supported pop-up form layout. They'll have a Supports GDPR label.
   

Set up your GDPR-friendly signup form

To use GDPR fields on your signup forms, enable them for each audience that collects or contains personal data from EU citizens. Then, edit them to reflect your marketing practices.

Enable and edit GDPR fields

After you enable GDPR fields for an audience, they’ll be available to view and edit. These fields will be included on most signup forms associated with that audience. These include pop-up forms, the hosted signup form, embedded forms, and signup landing pages.

To enable and edit GDPR fields for your audience, follow these steps.

1. Click Audience, then click All contacts.
2. If you have more than 1 audience, click the Audience drop-down and choose the one you want to work with.
3. Click Settings.
4. In the Form settings section, toggle the slider to the checkmark to enable GDPR fields on signup forms.
5. Click Configure GDPR settings.
6. Enter your title, description, and marketing preferences. If you want your contacts to choose an option before they subscribe, check the box for Require at least one option to be selected. Edit the legal text, if needed.
7. When you're ready, click Save GDPR settings.

You’re all set! After your forms are in use, be careful about any further edits you make. If you change a checkbox option, the consent you received before making the change won't be valid, and you’ll need to reconfirm opt-in. If you want to change your form, we suggest that you add a new option or remove an old one.

Edit GDPR fields from the form builder

After you enable GDPR fields, you can also edit them from the form builder. The changes you make in the form builder will apply to most Mailchimp signup forms, including compatible pop-up forms and landing pages.

To edit GDPR fields from the form builder, follow these steps.

1. Click Audience, then click Signup forms.
2. Scroll to the Form builder tile, then click Manage forms.
3. If you have more than 1 audience, click the Audience drop-down and choose the one you want to work with.
4. Scroll to find the the Marketing Permissions section and choose your settings.

5. On the Field settings tab, edit your GDPR fields.
   

   If you want your contacts to choose an option before they subscribe, check the box next to Require at least one option. Edit the legal text, if needed.

6. When you’re ready, click Save Fields.

Segment your audience by marketing permissions

After you’ve set up your marketing permission checkboxes, segment your audience to make sure you send your email only to the people who have given consent through your signup form.

To create and save a segment in your audience, follow these steps.

1. Click Audience, then click All contacts.
2. If you have more than 1 audience, click the Audience drop-down and choose the one you want to work with.
3. Click the Create new segment drop-down, then choose Regular segment.
4. In the first drop-down, choose your GDPR form field label. By default, it’s labeled Marketing permissions.
5. Create a separate segment for each marketing permission. You can add up to 5 conditions to create a segment that includes contacts who have opted in to multiple marketing permissions.
6. When you're satisfied with your conditions, click Preview Segment to view the contacts who match your conditions.
7. Click Save as segment.
8. In the Save as segment pop-up modal, enter a name for your segment, then click Save.

To learn how to manage segments, check out Save and Manage Segments.

Collect consent

Now that you’ve updated your forms and your segments are set up, you’re ready to collect consent from new contacts and market accordingly. But, you still need your existing contacts to opt-in to your marketing permissions. Let your contacts know they need to update their profile with a consent email.

We've created an email template to help you, or you can build your email from scratch. Send your consent email to everyone in your audience, and make sure it includes an Update Your Preferences link. Click tracking won't work with the Update Profile link or other system-generated merge tags. You'll need to use the GDPR form fields and segments to see who's updated their settings.

To collect consent from your existing contacts, follow these steps.

1. Click Create.
2. Name your email, then click Begin.
3. In the Content section, click Design Email.
4. On the Select a template page, click the Themes tab.

5. Click the drop-down, then click Subscriber Alerts.
   

6. Click the GDPR Subscriber Alert template. You'll be taken to the classic builder.

The template includes suggested content that you can edit. Preview and test your email as you normally would, and send it to your complete audience.

After you send your consent email, use your Marketing Permissions segments to communicate only with contacts who have expressly opted in to your marketing. You may find it helpful to bulk unsubscribe all contacts who haven't opted to receive any marketing from you.

Some EU authorities recommend that businesses update their consent by sending reconfirmations on a regular basis. The important thing is that you have a legal basis, such as consent or a legitimate interest, to send an email to a contact.

If you don’t think you have a proper basis under the GDPR to email a contact, you may want to refrain from sending a reconfirmation email and remove the contact from your audience. As always, we suggest you reach out to legal counsel in your area to discuss the specifics of your situation.

Form versions

When a new contact signs up to your marketing through a hosted, pop-up, or landing page signup form for your GDPR-enabled audience, we'll record the field information in a plain-text version of your form. This captures the GDPR fields your contact saw when they subscribed, so you can show that you accurately described your marketing activities. You can view this information at any time on the contact's profile page.

You can edit the opt-in preferences for your contact here, but we don't recommend it. Before you edit your contact's preferences, make sure you have their express and verifiable consent.