MailChimp, Marketing & GDPR

There’s been a lot of talk about Mailchimp’s decision to make single opt-in the default on 31st October. Here are 10 things you need to know about marketing with MailChimp and GDPR.


Mailchimp have decided to let those of us based in the EU remain on single opt-in so we can more easily be GDPR compliant. Here’s their announcement.

However, even if you are not based in the EU, if you are selling to people in the EU the directive applies to you.
  1. The GDPR does not mention the words double opt-in. What it asks for is an audit trail of ‘granular’ consent. Double opt-in is one easy way to provide this, since it means no-one else could have added the individual to your list. The downside is that your lists are smaller, since many people forget the confirmation step and never get that far.
  2. I have always gone for double opt-in lists for sales and marketing. They are smaller. The upside is my open rates are between 25% and 60% depending on the list.
  3. I sometimes use single opt-in for the automations that onboard customers who have already paid me and give them the service they asked for. I may consider it for webinars, as it is important everyone gets the link to join.
  4. MailChimp prioritise whose newsletters go out using an algorithm that includes open rate, so having a low open rate can get your mailings delayed (and even categorised as spam).
  5. MailChimp charges by number of subscribers (in bands), so a list with a low open rate can mean you are paying for subscribers who never see your marketing messages.
  6. Consent under GDPR is ‘granular’ so if you are signing up someone to a list you need to be clear at the point of sign up:

    • What they will get as a result of signing up – i.e. information, sales and marketing – be specific
    • Where the data will be held, how long for and for what purpose
    • You can link to a data privacy policy – but it should be in plain ordinary English and not hide behind jargon.
    • Negative boxes (opt out if you don’t want) are gone, whether that is for data sharing, being phoned or anything else.
    • You may need more than one box if you go for clarity – i.e. can we email you, can we call you…
  7. MailChimp allows you to create forms so that when people sign up for the first time to a list, they can see all of this, and then do the double opt-in. This can make GDPR compliance easier; see here for information on how to set this up.
  8. MailChimp is neither compliant nor non-compliant for GDPR. It is you who need to be GDPR compliant in terms of how you use the data available.
  9. MailChimp data is held in the USA. They are covered by the Privacy Shield. As long as your data privacy policy makes it clear data is going to the USA this is OK for ordinary data. See here for more information. If you collect information about health, political views or sexual orientation, let us know, as this may need extra protocols. If you subscribe, you will get more information about this in our webinar trainings and masterclasses.
  10. You get an unsubscribe link on each email – make sure it is visible for people to see so they can unsubscribe.
If you want your existing lists to remain double opt-in and for that to stay your default, you need to get in there by 31st October. If you have lost the notification email, just log into your MailChimp account – it appears as a notification there.
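Points 1 and 6 above describe what a compliant sign-up has to produce: a record of exactly which boxes the person ticked, and proof that the address holder (not just whoever typed the address) agreed. The sketch below is an added example of that double opt-in flow with a granular consent audit trail; it is not code from this article or from MailChimp. It assumes an in-memory store, two made-up purposes ("newsletter" and "phone"), a 48-hour confirmation window and Unix-second timestamps passed in by the caller; the confirmation token is only ever stored as a hash, so a leaked store cannot be used to confirm anyone.

```python
"""Double opt-in with a granular consent audit trail (added example, not Mailchimp code).

Assumptions made for the example: an in-memory store, purposes named "newsletter"
and "phone", a 48-hour confirmation window, and integer Unix timestamps for `now`.
"""
import hashlib
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

CONFIRM_WINDOW = 48 * 3600               # assumed window; set to suit your own policy
KNOWN_PURPOSES = {"newsletter", "phone"}  # one box per purpose, none pre-ticked


@dataclass
class ConsentRecord:
    email: str
    purposes: frozenset          # exactly what was ticked, nothing inferred
    form_version: str            # which wording the person actually saw
    requested_at: int
    token_hash: str              # only the hash is stored; the token goes in the email
    confirmed_at: Optional[int] = None
    withdrawn_at: Optional[int] = None
    events: list = field(default_factory=list)  # the audit trail itself

    def log(self, when: int, what: str) -> None:
        stamp = datetime.fromtimestamp(when, timezone.utc).isoformat()
        self.events.append((stamp, what))


class ConsentStore:
    def __init__(self) -> None:
        self._by_email: dict = {}
        self._by_token_hash: dict = {}

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email: str, ticked_purposes, form_version: str, now: int):
        """Step 1: record what was ticked and hand back a one-time token to email out.
        Returns None when nothing was ticked: an empty or absent choice is not consent."""
        purposes = frozenset(ticked_purposes) & KNOWN_PURPOSES
        if not purposes:
            return None
        token = secrets.token_urlsafe(32)
        rec = ConsentRecord(email.lower(), purposes, form_version, now, self._hash(token))
        rec.log(now, f"signup form {form_version}: ticked {sorted(purposes)}")
        self._by_email[rec.email] = rec
        self._by_token_hash[rec.token_hash] = rec.email
        return token

    def confirm(self, token: str, now: int) -> bool:
        """Step 2: only the holder of the emailed token can complete the opt-in, once,
        and only inside the window. Whoever merely typed the address cannot."""
        email = self._by_token_hash.pop(self._hash(token), None)
        if email is None:
            return False
        rec = self._by_email[email]
        if now - rec.requested_at > CONFIRM_WINDOW:
            rec.log(now, "confirmation token expired")
            return False
        rec.confirmed_at = now
        rec.log(now, "double opt-in confirmed by emailed token")
        return True

    def withdraw(self, email: str, now: int) -> bool:
        """The unsubscribe link: withdrawal is logged, never silently deleted."""
        rec = self._by_email.get(email.lower())
        if rec is None or rec.confirmed_at is None:
            return False
        rec.withdrawn_at = now
        rec.log(now, "unsubscribed")
        return True

    def recipients(self, purpose: str) -> list:
        """Who may be contacted for this purpose right now: confirmed, not withdrawn,
        and with that exact purpose ticked. Pending sign-ups never appear here."""
        return sorted(
            r.email for r in self._by_email.values()
            if purpose in r.purposes and r.confirmed_at is not None and r.withdrawn_at is None
        )

    def audit_trail(self, email: str) -> list:
        return list(self._by_email[email.lower()].events)
```

The point to take from it is that the mailing list is derived from the consent records rather than being a separate thing someone can import into: an address that was never confirmed, that ticked a different purpose, or that has since unsubscribed simply does not come back from `recipients()`, and every step that got it there is in `audit_trail()`.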


Mailchimp user levels

While you are there, take the opportunity to check user access. See here for levels of access and how to change them. If you have other users then:
a. delete old users that no longer need access to your account
b. review user access levels. Set them to Manager or below, since those levels cannot export your data.
c. if you need to grant temporary higher-level access to someone, make sure you turn it back down again when the job is done AND make sure MailChimp lets you know if any data is downloaded (MailChimp can do that).
d. set up two-factor authentication logins for all users (you get a discount on your MailChimp subscription for this too!). See here for more information on how to set that up.
Don’t panic. Stay informed. Stay happy.
If you have any more questions, ask me in the comments.
Annabel Kaye


This Post Has 12 Comments

  1. Vatsala Shukla

    Thanks for the clarifications, Annabel. When I received the Mailchimp notification, I immediately logged in and saved my preference for existing lists to be double opt-in and consider the single opt-in prospectively, because the notification was at short notice and the entire process has to be thought through, especially if one has different lists and automations for various interests.

    Will GDPR be stricter about people being added on to mailing lists without their consent? I’ve seen it happen where a new connection on LinkedIn or Facebook adds the person and then the deluge of emails starts.

    Thanks in advance.

    1. Annabel Kaye

      The rules on email marketing are quite strict now. The problem is they are rarely enforced and for big organisations, the existing fines are not much of a disincentive. GDPR offers a minimum 4% of turnover or €20m fine – so that may make people wake up a bit. The initial enforcement regime will be – according to the Information Commissioner – one of advice, but in the long run, this really should have an effect.

      I suspect that like the Telephone Preference Service this will leave us with spam from overseas organisations who are hard to fine – despite the fact the EU is claiming extra jurisdictional powers on this (which is the power to enforce this outside the EU). But getting rid of EU/UK originated unwanted emails would be a fabulous start.

      My policy is to warn people this is not on and to unsubscribe, and if they ignore me or persist, to report them. A lot will depend on how people respond to unsolicited emails. At the moment we tend to dump them in the spam folder and ignore them or unsubscribe. Whilst MailChimp do penalise lists with lots of emails going into spam in terms of slower delivery, etc, I am always amazed that people are willing to pay Mailchimp to send me emails I never open or read.

      I fail to see how this is effective marketing. Perhaps like the phishers and the spammers they are working on the basis that a 0.1% success rate is enough. My double opted-in lists have a 30-60% open rate depending on what I am emailing about – which is more effective. Even then I don’t bury anyone in emails – I get complaints I don’t send enough!

  2. Ryan Biddulph

    Helpful read, Annabel. I am a MailChimp guy who always uses the double opt-in. This pretty much ensures people on my list want to be on my list. The good old double check is fabulous for boosting open rates, clicks, sales, traffic, all that good stuff.


  3. Dawn Robinson

    Hi Annabel,
    I am a photographer with a small business (just me). I have around 900 people on my MailChimp lists. Some have signed up but most have been added over the years by me, usually customers or potential customers that have emailed me. Will I have to basically ask everyone to sign up again, will GDPR mean that I can no longer use my existing list?

    1. Annabel Kaye

      Hi Dawn,
      That is quite a question. You need to distinguish between customers and sales prospects, since under the current email rules (PECR) you can email customers about related products using a ‘soft opt-in’, which means you can email them as long as they can unsubscribe.

      For prospects it is likely your existing consents will not be specific enough. But I would start with looking at the people who don’t open your emails (if you are a mailchimp user you can create a segment easily enough based on people who have not opened within the last x period). The right period will depend on how often you mail your list. I look at people who have not opened for 3 or 6 newsletters.

      I’d start by getting rid of those who bounced because the email is out of date (mailchimp has a hard bounce feature – check it in help), and then look at the soft bounces. I would ‘clean’ the list for out of date emails before I tried to get consent.

      If customers added themselves and you can ‘evidence’ that, and you are sending only what they signed up for, and there is an unsubscribe button and they are opening, I would not panic. I would be more concerned about the non-openers. If you added customers I would not panic. It is the non-customers I would worry about – particularly the non-openers.

      Whilst I do know that double opt-in and consent is viewed as best practice, I think you need to approach this with tact and some business sense as well.

  4. Vicki

    Hi Annabel,

    I am looking to start using Mailchimp for B2B marketing campaigns. I have been warned that I won’t be able to rely on legitimate interest for my marketing list because Mailchimp is a U.S. ESP and governed by CAN-SPAM?!

    I have noticed that when importing into Mailchimp, they specifically ask whether the contact has subscribed. The majority of ours haven’t because of it being B2B, legitimate interest?

    Thank you!

    1. Annabel Kaye

      Hi Vicki,
      You are on the right track but for a possibly inaccurate reason. Whilst Mailchimp is based in the USA the law that applies to you in the UK is the UK Data Protection Act, soon to be updated by the General Data Protection Regulations (GDPR). Our UK equivalent of the CAN-SPAM is PECR (Personal Electronic Communications Regulations). You can find a lot about them here. Having sorted out your purpose under GDPR you still need consent where PECR requires it. B2B purpose does not mean that PECR does not apply. You have to tick both boxes not one or the other. Business addresses can be personal data. Please check the link I have given you.

      Mailchimp requires you in their terms of business to confirm you have consent. This is part of the contract you have with them when you become a customer. In my opinion they are going to get a lot hotter about this since after May 25th when GDPR comes fully into force, they as the data processor (processing your email newsletter send out) could be liable to a massive fine if they are not acting lawfully.

      At the moment the potential fines are entirely your risk (and they are lower). Whilst I don’t think everyone should run about thinking they must be terrified of being fined, I do think there will be few mainstream email platforms willing to handle dodgy lists once their own finances are on the line.

  5. Andrew

    When I sign up for a newsletter, the organisation behind it is my data controller and the email marketing platform should only be a data processor and do what they are told by the controller. Whereas Mailchimp becomes a data controller and then does whatever it wants with my data. My data controller has totally lost control of my personal data; surely this is the opposite of data protection?

    1. Annabel Kaye

      If you are a customer of Mailchimp they are the data controller and you are the data subject. The data they hold on you as a customer they hold as a data controller. When you create mailing lists for your business, you are the data controller and mailchimp is acting as your data processor. They are not acting as your data controller (or co-controller) since it is you who is deciding what information to collect.

      It is possible for organisations to have more than one role, just as you may be a son, brother, husband, father at the same time. It all depends on what role you are playing at the time.

      Hope this clarifies this for you.

  6. Andrew

    I just signed up for your GDPR updates, you say you don’t share my data, then the first thing I noticed is that my data has gone to the US, to a third party, do they share my data? Thanks

    1. Annabel Kaye

      Hi Andrew,

      In order to send you an email we use an email platform – in this particular case Active Campaign. They are contracted with us (and all their clients) for data confidentiality etc and they do not share your data with anyone else. If you have a look at our data privacy policy you will see we say that, like most small businesses, our platforms are mostly based in the States (Mailchimp is too) and as far as I am aware there is no major email system based in the UK or EU at the moment. I will be happy to switch when there is one – assuming our own UK status is clarified by then.

      We don’t share our lists with anyone else and we only use the list you signed up to to send you updates on GDPR. You will have noticed by now, they are not prolific.
