What I’m Doing with MailChimp and GDPR Compliance

You’re probably receiving lots of privacy notifications from social media, apps, websites, the charities you follow, and others. This activity is due to a deadline of March 25, 2018, set by the GDPR.

The General Data Protection Regulation (GDPR) is an 88-page European Union (EU) regulation on data protection and privacy for all people within the European Union and the European Economic Area (EEA). Additionally, it covers the export of personal data outside the EU and EEA. U.S. entities are responding to the GDPR because it’s very possible this may become international law in the future. If you and your subscribers are not citizens of any of the member countries (see EU and EEA lists in the NOTES), I still recommend you read further (pay attention to all the details) and decide what steps you’d like to take now.

For this post, I’m looking into the GDPR for those who use MailChimp. As a disclaimer, I’m just sending you what MailChimp has on their site.

Your MailChimp Emails

MailChimp has a lot of useful links and information about GDPR that I’m looking through. I found a checklist of theirs that could help you get started if you’d like to work on your MailChimp account now. I started working through the following checklist for JudyDouglass.com and for myself:

MailChimp features to help comply with the GDPR:

  1. Use MailChimp’s GDPR signup forms and double opt-in to collect your contacts.
  2. Ensure the language in your signup form accurately describes your marketing activities.
  3. Sign their Data Processing Agreement.
  4. Turn on two-factor authentication for added protection.
  5. Update your website’s privacy statement or policy to state you use MailChimp to store information.
  6. Make sure your Cookie Statement describes any cookies or tracking technologies you might use. If you’re not sure, MailChimp’s Cookie Statement includes a section called Cookies served through the Services that describes technology you (or your website) might use, depending on the features you use through MailChimp.

(Taken from MailChimp source: General Data Protection Regulation FAQs)


  • Here’s very thorough help from MailChimp in this 9-page document: The General Data Protection Regulation (GDPR)
  • Sample Terms and Conditions Template (I just skimmed this… it is not mandatory, and an End-User License Agreement, EULA, is an option as well)
  • EU and EEA countries covered by the new GDPR (a country might be in the EU and/or the EEA). I found these two lists from an Internet search. Most European countries are members of both. The ones in bold are unique to either the EU or the EEA.
    • The EU countries are: Austria, Belgium, Bulgaria, Croatia, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.
    • The EEA countries are: Austria, Belgium, Bulgaria, Republic of Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the UK.
  • Photo by Macedo_Media on PikWizard.

2 thoughts on “What I’m Doing with MailChimp and GDPR Compliance”

  1. Good insights, thank you. One thing that a lot of communication is missing is to help workers in Europe, and elsewhere, understand when the GDPR applies and when it doesn’t. What is often unclear is that these rules apply to organizations (Churches, Missions, Associations, etc.) that gather data on people for specific purposes (i.e. a church membership list, a camp attendee list or a mission agency mailing list). The intent is to give people control of how their personal data is used and not used. So where does an individual not-for-profit religious worker fit in with his weekly, monthly or quarterly newsletter to friends and family back home? Using all the opt-in, opt-out, two-factor authentication and other secure computing practices is certainly good, if not incumbent upon each of us. But is it required legally? Our agency has understood that as individual workers we do not have to ask our European newsletter recipients if they do or do not want to continue receiving our e-mails. However, we are all strongly exhorted to comply with the data protection standards set out. We don’t offer any goods or services to them. If you gather information for a church, conference, camp or mission program then you must comply. List members who reside in Europe must be clearly asked if they wish to remain on your list, knowing that you are complying with the requirements of the GDPR whether you are or are not located within Europe.

