GDPR Knowledge

Mailchimp and Data Protection – What Belongs in the Privacy Policy

Concise guide to Mailchimp: data processed, purposes, legal bases (GDPR), and what website operators must include in their privacy policy.

If a website operator uses Mailchimp, they typically process email addresses, salutation and name details, plus sign-up and interaction data for the purpose of sending newsletters and email marketing on the basis of recipient consent. The following overview shows which data processing is typically associated with Mailchimp and what needs to be included in a website's privacy notice.

A. Mailchimp – Purpose and Functionality

Mailchimp is a cloud-based platform for email marketing and marketing automation. Website operators use Mailchimp in particular to send newsletters, product announcements and automated email journeys, and to evaluate recipient interaction.

Functionally, Mailchimp bundles several building blocks: sign-up forms or embedded forms for the website, list and contact management (audiences), campaign sending, marketing automation, reporting (open and click tracking), and additional features such as landing pages, A/B testing and transactional email (via Mandrill). The focus of this page is the integration feature that a German website operator typically uses: a newsletter sign-up form on the website (embed form or pop-up) plus the dispatch of email campaigns through Mailchimp. Other building blocks such as Mailchimp website tracking, Mailchimp ads, or Mandrill transactional email are covered on separate pages.

According to publicly available information, the provider is The Rocket Science Group, LLC d/b/a Mailchimp, a subsidiary of Intuit Inc., based in the USA. For German website operators, this regularly results in a third-country transfer to the USA, which has to be assessed separately.

B. Mailchimp – Mandatory Information in the Privacy Policy

The GDPR requires the privacy policy to contain not only general information about the website operator, the rights of the data subject and the supervisory authority, but also – with regard to the use of specific tools such as Mailchimp – a series of specific mandatory items. These mandatory items serve the transparency principle of Art. 12(1) GDPR and allow data subjects to understand the processing.

Specifically, the following items must be included:

  • the purposes of the processing (Art. 13(1)(c) GDPR),
  • the legal bases of the processing (Art. 13(1)(c) GDPR),
  • where processing is based on a balancing of interests (Art. 6(1)(f) GDPR), additionally the specific legitimate interests pursued (Art. 13(1)(d) GDPR),
  • the recipients or categories of recipients of the personal data (Art. 13(1)(e) GDPR),
  • whether the data is transferred to a third country outside the EU/EEA that is not deemed safe, and on what basis (Art. 13(1)(f) GDPR),
  • the storage period or – if not possible – the criteria for determining the storage period (Art. 13(2)(a) GDPR),
  • and – where the data is not collected directly from the data subject – additionally the categories of personal data processed (Art. 14(1)(d) GDPR).

These points are broken down for Mailchimp below.

In practice, it has become common to give every individual tool its own template clause in the privacy policy. However, this "template-per-tool" practice is not particularly fit for purpose: it leads to long, lawyer-drafted texts that repeat each other in substance, making the privacy policy hard to maintain and barely readable for users – contrary to the transparency principle. A topic-oriented approach is preferable: it describes processing operations across themes (server operation, newsletter, tracking, sales …) and merely lists the actual service providers, such as Mailchimp, in a recipient list in the appendix. This is exactly the methodology used by the matterius privacy policy generator.

Recommendation

Privacy policy in minutes — easy to maintain, no subscription.

Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.

  • No subscription, no hidden costs
  • Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
  • Curated by Dr. Thomas Helbing, certified specialist for IT law
Create your privacy policy now

The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.

C. Mailchimp Provider

According to publicly available information, the contractual partner for Mailchimp is The Rocket Science Group, LLC d/b/a Mailchimp, a subsidiary of Intuit Inc., based at 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA.

As the provider is based in the USA, the processing constitutes a transfer of data to a third country. According to the DPF list at https://www.dataprivacyframework.gov/s/participant-search, Intuit Inc. (Mailchimp) is listed as a participant in the EU-US Data Privacy Framework (DPF); the website operator should verify this entry. In addition, Standard Contractual Clauses (SCC) may be relevant to safeguard sub-processors and supplementary transfers.

Mailchimp's privacy notice is available at https://mailchimp.com/legal/privacy/. The provider's data processing addendum is available at https://mailchimp.com/legal/data-processing-addendum/.

D. Mailchimp – Data Processing Step by Step

  1. Collection: When a user submits the Mailchimp sign-up form on the website, the entries (typically email address, optionally name, salutation, fields of interest) are transmitted to Mailchimp together with the IP address and a timestamp. With every campaign sent, Mailchimp additionally collects send and delivery information.
  2. Storage: Data is stored in Mailchimp's cloud infrastructure, primarily in the USA according to provider information. Sub-processors may be involved.
  3. Use: Mailchimp executes the newsletter dispatch on behalf of the website operator, documents bounces and unsubscribes and records – if enabled – open and click events.
  4. Disclosure: Disclosure occurs to sub-processors (e.g. hosting infrastructure, tracking components). The provider publishes a list of sub-processors (see DPA).
  5. Deletion: The website operator can remove recipients from audiences at any time or delete entire lists. Limiting storage to the lifetime of the consent is not done automatically and must be configured by the website operator.

E. Which Data Does Mailchimp Process?

In the context of newsletter dispatch via Mailchimp, the following personal data is typically processed: email address, salutation, first and last name, optionally further fields collected by the website (e.g. industry, interests), the IP address at the time of registration, timestamps of sign-up and confirmation in the double opt-in process, send time of the individual emails, delivery status (soft/hard bounce), open and click events, and unsubscribes.

This data falls into the following standardised data categories:

  • Web server log data: in particular the IP address and technical metadata when calling the sign-up form and when retrieving embedded tracking pixels and click links in sent emails.
  • Click paths: clicks on links in the emails sent by Mailchimp, each with date and time.
  • Device data: information about the device opening the email, e.g. device type and operating system.
  • Browser information: browser or email client used to open the email.
  • Coarse location data: coarse location of the recipient at city or municipal level, derived from the IP address.
  • User account data: data identifying the recipient in the audience, in particular email address as the key identifier and any user ID.
  • User profiles: interests, segment assignments and derived metrics (e.g. engagement score) determined by the website operator for a recipient.
  • Conversion events: with active e-commerce or tracking modules, e.g. clicks on a call-to-action or opening a specific newsletter.
  • Interaction data: opening an email, clicking individual links or buttons.
  • Technical telemetry data: technical send and delivery metadata, bounce codes, loading times of tracking pixels.

F. Mailchimp – Purposes of Use

The website operator typically uses Mailchimp to inform subscribed recipients about its own content, products and offers, to document sign-up and consent, to ensure delivery quality and – where tracking is enabled – to measure the effectiveness of individual campaigns.

The purposes typically pursued with Mailchimp can be classified into the following standardised purpose categories:

  • Provision of functionality: providing newsletter and email functionality, including sign-up form, double opt-in procedure, dispatch of the requested emails as well as error detection and correction in the dispatch process.
  • Security and abuse prevention: spam and bot prevention on the sign-up form, detection and prevention of list abuse (e.g. third-party sign-ups).
  • General product improvement: aggregated evaluation of open and click rates to improve newsletter content and frequency in line with demand.
  • General marketing: success measurement of campaigns, reach analysis and overall assessment of the email channel.
  • User profile creation: assignment to segments or target groups based on interests, click and open behaviour.
  • User-individual marketing: tailoring newsletter content to the individual interests and behaviour of the recipient, e.g. via segmentation and automation.
  • Legal enforcement: assertion, exercise or defence of legal claims, in particular proof of recipient consent (sign-up IP, timestamp, double opt-in) vis-à-vis supervisory authorities, competitors or courts.
  • Compliance: compliance with statutory requirements regarding consent records and advertising emails (Art. 7 GDPR, Sec. 7 UWG).

For the use case covered here, Mailchimp falls primarily into the tool category newsletter / email marketing.

G. Mailchimp – Legal Bases

The following legal bases typically come into consideration:

  • Recipient consent (Art. 6(1)(a) GDPR in conjunction with Sec. 7(2) No. 3 UWG) for the actual newsletter dispatch and – where activated – for open and click tracking.
  • Legitimate interests (Art. 6(1)(f) GDPR) in legal enforcement and compliance for storing sign-up metadata (IP, timestamp, double opt-in confirmation) as proof of consent under Art. 7(1) GDPR and Sec. 7(2) No. 2 UWG.
  • Legitimate interests in advertising within the scope of Sec. 7(3) UWG for direct advertising to existing customers for own similar goods or services, where the conditions are met.

If open and click tracking is enabled, an explicit tracking consent of the recipient is typically required; if information is stored on or read from the device, Sec. 25(1) TDDDG must additionally be considered. The legal basis is to be assessed by the website operator on a case-by-case basis.

H. Mailchimp – Special Notes

  • Data Processing Addendum (DPA): The provider offers a DPA (https://mailchimp.com/legal/data-processing-addendum/); concluding it is regularly mandatory, as Mailchimp processes data on behalf of the website operator.
  • Third-country transfer / DPF: The provider is based in the USA. Parent company Intuit Inc. is, according to the DPF list, DPF-certified (to be verified by the website operator); supplementary Standard Contractual Clauses are possible.
  • Sub-processors: Mailchimp uses sub-processors (list available via the DPA or the provider's trust centre).
  • Double opt-in: Mailchimp supports double opt-in; the website operator should activate this setting in the relevant audience and adapt the confirmation email accordingly.
  • Consent record: Sign-up IP, timestamp and double opt-in confirmation should be retained permanently to provide evidence of consent under Art. 7(1) GDPR and Sec. 7(2) No. 2 UWG.
  • Open and click tracking: Mailchimp activates tracking by default. Anyone not wishing to use tracking should disable it per campaign – otherwise tracking consent must be obtained cleanly and described in the privacy policy.
  • Opt-out: Every newsletter must contain a working unsubscribe link under Sec. 7(2) No. 4 UWG; Mailchimp automatically inserts an unsubscribe token into the emails.
  • Audience hygiene: Inactive and no longer existing addresses should be removed regularly; storage should be aligned with the consent given.

The above presentation is based on publicly available provider information and supplementary publicly accessible sources. A case-by-case assessment by the website operator remains necessary.

I. Mailchimp – FAQ

J. Mailchimp – Conclusion and Call-to-Action

Mailchimp is a widely used US provider for newsletter dispatch and email marketing automation. From a data protection perspective, key topics are recipient consent, consent records via the double opt-in process, optional open and click tracking, and the third-country transfer to the USA, which is safeguarded via DPF certification and supplementary Standard Contractual Clauses. The DPA and privacy policy must cover the essential mandatory items (purposes, legal bases, recipient categories, third country, storage period).

For the website operator, it is usually not particularly useful to include a separate template clause for every individual tool – including Mailchimp – in the privacy policy. This makes the policy long, unclear, hard to understand and difficult to maintain – contrary to the transparency principle of Art. 12(1) GDPR.

A structured, topic-oriented approach is more appropriate: data processing operations are explained across topic blocks (server operation, newsletter, tracking, sales …); specific service providers such as Mailchimp are simply listed in the recipients appendix. This is exactly the methodology of the matterius privacy policy generator.

This article provides general information on Mailchimp and does not replace legal advice in individual cases. As of: 2026-05-07.


K. Curator

Authorship

Dr. Thomas Helbing

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.

matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.

Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.

According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.

Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.

His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.

For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.

More about Dr. Helbing: www.thomashelbing.com
