Mailchimp Website Tracking and Data Protection – What Belongs in Your Privacy Policy
Concise guide to Mailchimp Website Tracking: processed data, purposes, GDPR legal bases and what website operators must include in their privacy policy on Mailchimp Site Tracking.
If a website operator uses Mailchimp Website Tracking, it typically processes pseudonymous cookie IDs, website behaviour data and – after a click on a link in a Mailchimp email or a newsletter sign-up – also identifying recipient data. This page explains what data Mailchimp Website Tracking processes according to the provider's publicly available information, which purposes and legal bases are typically applicable, and how the tool can be appropriately reflected in a privacy policy.
A. Purpose and Functionality of Mailchimp Website Tracking
Mailchimp Website Tracking (also referred to by the provider as "Site Tracking") is an optional tracking function within the Mailchimp email marketing platform. When Site Tracking is enabled, a JavaScript snippet (typically as part of a Mailchimp sign-up form or a "connected sites" script) is embedded on the website operator's site to log visitor behaviour.
If a visitor was previously directed to the website via a link from a Mailchimp campaign or signed up via a Mailchimp form, Mailchimp can assign the visitor to a recipient profile based on a cookie ID. This makes it possible to record which pages a recipient viewed, which products were viewed, and which conversion events were triggered. This page concerns the tracking function only; pure newsletter sending via Mailchimp is a separate processing activity and is outside the scope of this article.
B. Mandatory Disclosures in the Privacy Policy when Using Mailchimp Website Tracking
The GDPR requires the privacy policy to contain, in addition to general information about the website operator, the rights of data subjects and the supervisory authority, minimum information specific to each processing activity. For the use of Mailchimp Website Tracking this includes in particular:
- the purposes of the processing (Art. 13 para. 1 lit. c GDPR),
- the legal bases for the processing (Art. 13 para. 1 lit. c GDPR),
- where based on legitimate interests, the specific interests pursued (Art. 13 para. 1 lit. d GDPR),
- the recipients or categories of recipients (Art. 13 para. 1 lit. e GDPR),
- whether data is transferred to a third country (here: the USA) and which safeguards the transfer relies on (Art. 13 para. 1 lit. f GDPR),
- the storage duration or the criteria used to determine it (Art. 13 para. 2 lit. a GDPR),
- where data is not collected directly, additionally the categories of personal data (Art. 14 para. 1 lit. d GDPR).
It is not necessary to describe Mailchimp Website Tracking with its own boilerplate text in the privacy policy, even though that practice is widespread. The "one boilerplate per tool" approach has become poor practice: it leads to long, redundant texts, makes the privacy policy hard to maintain and tends to run counter to the transparency requirement of Art. 12 para. 1 GDPR. A topic-oriented approach is more appropriate – describing processing across topics (tracking, newsletter, etc.) and naming the specific service providers used – including Mailchimp – only in an annex of recipients. This is exactly the methodology that the matterius generator follows.
Privacy policy in minutes — easy to maintain, no subscription.
Instead of an unreadable text block per tool: a topic-oriented, hybrid approach with a clear list of recipients — maintainable, transparent, GDPR-compliant.
- No subscription, no hidden costs
- Easy to maintain thanks to a topic-based structure instead of tool-by-tool blocks
- Curated by Dr. Thomas Helbing, certified specialist for IT law
The generator is offered by matterius GmbH. matterius is not a law firm and does not provide legal advice.
C. Provider of Mailchimp Website Tracking
According to the publicly available information from the provider, the contracting party for German website operators is Intuit Inc. or its corporate subsidiary that operates Mailchimp: The Rocket Science Group, LLC d/b/a Mailchimp, 675 Ponce de Leon Ave NE, Suite 5000, Atlanta, GA 30308, USA. Which group entity is the contracting party in any individual case must be checked by the website operator on the basis of the contract documents.
According to the publicly available information, both Intuit Inc. and The Rocket Science Group, LLC are certified under the EU-US Data Privacy Framework (DPF); the current status can be verified at https://www.dataprivacyframework.gov/s/participant-search. The provider also relies on the EU Standard Contractual Clauses as a further safeguard.
Mailchimp's privacy policy is available at https://www.intuit.com/privacy/statement/ and https://mailchimp.com/legal/privacy/. The Data Processing Addendum is provided at https://mailchimp.com/legal/data-processing-addendum/.
D. Data Processing by Mailchimp Website Tracking – Step by Step
E. Data Collected by Mailchimp Website Tracking
In connection with Mailchimp Website Tracking, the data processed according to the provider's publicly available information typically includes a pseudonymous cookie ID, the IP address, timestamps, URLs visited, referrers, user-agent, click and scroll events, conversion events (e.g. purchases, sign-ups) and – after identification – the data stored in the recipient profile (e.g. email address, name, salutation).
The data can be classified into the following standardised data categories:
- Web server log data: IP address, timestamp, URL, referrer, user-agent, status code of the server response.
- Click paths: pages visited, clicks on links and buttons, calls to Mailchimp forms, clicks in Mailchimp campaign emails.
- Device data: device type and operating system, where derivable from the user-agent.
- Browser information: browser name and version.
- Coarse location data: location derived from the IP address at city or municipality level.
- User profiles: segment assignments, engagement values, tag assignments per recipient.
- Conversion events: defined purchases, sign-ups, visits to thank-you pages or product detail pages.
- Interaction data: time spent, scrolling, clicks and entries within the website, opens and clicks in Mailchimp campaigns.
F. Purposes when Using Mailchimp Website Tracking
Website operators typically use Mailchimp Website Tracking to measure email campaign performance beyond email opens, to segment recipient lists based on website behaviour, to trigger automated mailings (e.g. abandoned cart) and to personalise campaign content.
These purposes can be classified into the following standardised purpose categories:
- Provision of functionality: technical provision of the tracking snippet and the associated recipient identification.
- Security and abuse prevention: bot and spam defence, detection of anomalous tracking patterns.
- General product improvement: evaluation of aggregated conversion rates and campaign metrics.
- General marketing: reach and campaign analysis.
- User profile creation: segmentation and tag assignment per recipient based on website behaviour.
- User-individual product improvement: personalisation of content and recommendations.
- User-individual marketing: trigger-based and personalised mailings (e.g. abandoned-cart emails).
- Legal defence: documentation of sign-ups and consents, where logged via Mailchimp.
G. Legal Bases when Using Mailchimp Website Tracking
In a first step, Mailchimp Website Tracking must be assigned to a tool category: it is mainly a tool from the Tracking (Marketing) category, complemented by functions in the Newsletter category.
In a second step, the following legal bases typically come into consideration:
- For the setting and reading of the tracking cookie and linking with recipient profiles: consent under § 25 para. 1 TDDDG and marketing consent under Art. 6 para. 1 lit. a GDPR.
- For trigger-based and personalised follow-up mailings: typically consent under Art. 6 para. 1 lit. a GDPR in conjunction with § 7 para. 2 no. 2 UWG (the provision on electronic mail advertising in the current numbering of the UWG); in an existing-customer context, supplemented by the exception in § 7 para. 3 UWG together with the legitimate interest in advertising (Art. 6 para. 1 lit. f GDPR).
- For the storage of sign-up and consent records: the obligation to be able to demonstrate consent (Art. 6 para. 1 lit. c in conjunction with Art. 7 para. 1 GDPR; consent is likewise the prerequisite under § 7 para. 2 no. 2 UWG) and the legitimate interest in legal defence (Art. 6 para. 1 lit. f GDPR).
Which legal basis is specifically applicable depends on the configuration of the use (consent banner, existing-customer relationship, type of triggered mailings) and must be examined by the website operator on a case-by-case basis.
H. Particularities and Notes on Mailchimp Website Tracking
- DPA: Mailchimp provides a Data Processing Addendum at https://mailchimp.com/legal/data-processing-addendum/; as Mailchimp acts as a processor, concluding it is required under Art. 28 para. 3 GDPR for website operators in Germany.
- Connected Sites: Mailchimp offers a "Connected Sites" function to establish a link between the website and the Mailchimp account. Mailchimp then provides a single tracking snippet for the site. Because this snippet sets the tracking cookie, its loading must be tied to the consent management: it must not be part of the static page or fire by default from a tag manager, but only after the visitor has given the relevant consent.
- Cookie lifetime: The cookie lifetime can be up to two years depending on the configuration; a shorter lifetime should generally be considered, and the value chosen must match the storage duration stated in the privacy policy.
- Third-country transfer / DPF: Data processing also takes place in the USA. According to the publicly available information, both Intuit Inc. and The Rocket Science Group, LLC are certified under the EU-US Data Privacy Framework; EU Standard Contractual Clauses are used as additional safeguards.
- Subprocessors: A list of subprocessors is provided via the Mailchimp website and the DPA.
- Opt-out: Recipients can withdraw their newsletter subscription via the unsubscribe link in every campaign; this does not by itself stop the website tracking. The setting of the tracking cookie must be controlled via the website operator's consent management, and a withdrawal of consent must prevent the snippet from being loaded on subsequent page views.
- Source note: The information is based on the provider's publicly available publications and does not replace a case-by-case assessment.
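The consent gating described in the notes above, as an added example in plain JavaScript. This is not Mailchimp's code: the snippet URL, the consent cookie name `cmp_consent` and its JSON layout (`{"marketing":true,"ts":…}`) and the twelve-month validity window are assumptions for illustration; substitute the snippet Mailchimp's Connected Sites setup actually gives you and the format your consent manager actually writes. The point is that the tracking script is injected only after an affirmative, non-stale marketing consent is found, never twice, and that anything missing or malformed fails closed.

```javascript
"use strict";

// Added example: consent-gated loading of a site-tracking snippet.
// SNIPPET_URL, CONSENT_COOKIE and the cookie's JSON layout are assumptions,
// not values taken from Mailchimp's documentation.
const SNIPPET_URL = "https://example.invalid/site-tracking.js"; // placeholder (assumption)
const CONSENT_COOKIE = "cmp_consent";                            // assumed cookie name
const CONSENT_MAX_AGE_MS = 365 * 24 * 60 * 60 * 1000;            // re-ask after one year (assumption)

// Parse the consent record written by the consent banner: a cookie whose value is
// URL-encoded JSON such as {"marketing":true,"statistics":false,"ts":1715000000000}.
// Anything absent or malformed is treated as "no consent" (fail closed).
function parseConsent(cookieString) {
  if (typeof cookieString !== "string") return null;
  for (const part of cookieString.split(";")) {
    const eq = part.indexOf("=");
    if (eq === -1) continue;
    if (part.slice(0, eq).trim() !== CONSENT_COOKIE) continue;
    try {
      const value = JSON.parse(decodeURIComponent(part.slice(eq + 1).trim()));
      return value && typeof value === "object" ? value : null;
    } catch {
      return null; // bad encoding or invalid JSON: no consent
    }
  }
  return null;
}

// The tracking cookie (§ 25 para. 1 TDDDG) and the link to the recipient profile
// need an explicit, still-valid marketing consent. The default answer is "no".
function trackingAllowed(consent, now = Date.now()) {
  if (!consent) return false;
  if (consent.marketing !== true) return false;
  if (!Number.isFinite(consent.ts)) return false;
  if (consent.ts > now || now - consent.ts > CONSENT_MAX_AGE_MS) return false;
  return true;
}

// Inject the snippet only when allowed and only once. Returns the created <script>
// element, or null when nothing was injected. Call this on page load and again
// whenever the consent manager reports a change.
function loadTrackingSnippet(doc, url = SNIPPET_URL, now = Date.now()) {
  if (!trackingAllowed(parseConsent(doc.cookie), now)) return null;
  const alreadyLoaded = Array.from(doc.head.children).some(
    (el) => el.tagName === "SCRIPT" && el.src === url,
  );
  if (alreadyLoaded) return null;
  const script = doc.createElement("script");
  script.src = url;
  script.async = true;
  doc.head.appendChild(script);
  return script;
}

// Minimal stand-in for `document` so the logic can be exercised outside a browser.
// Constructed for this example; in the page you pass `document` itself.
function makeFakeDocument(cookie) {
  const head = { children: [], appendChild(el) { head.children.push(el); return el; } };
  return {
    cookie,
    head,
    createElement: (tag) => ({ tagName: tag.toUpperCase(), src: "", async: false }),
  };
}
```

In a real page, `loadTrackingSnippet(document)` is wired to the consent manager's "consent changed" event rather than to a static `<script>` tag, so the snippet is never requested before consent. Removing the `<script>` element after a withdrawal does not delete a cookie the snippet has already set; the cookie names and expiry to clear on withdrawal have to be taken from the snippet's own documentation, which is why they are not hard-coded here.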
I. Frequently Asked Questions on Mailchimp Website Tracking and Data Protection
J. Conclusion on Mailchimp Website Tracking
When using Mailchimp Website Tracking, website operators process visitors' behavioural data and – upon identification – recipient profiles for the purposes of newsletter personalisation, campaign performance measurement and trigger-based mailings. The contracting party is the US group entity, which is certified under the EU-US Data Privacy Framework according to the publicly available information. Key obligations are concluding a data processing agreement, robust integration with consent management and an appropriate cookie lifetime.
For the website operator, it is generally not advisable to include a dedicated boilerplate text for Mailchimp Website Tracking in the privacy policy. This makes the privacy policy long, unwieldy and hard to maintain and runs counter to the transparency requirement of Art. 12 para. 1 GDPR. A structured, topic-oriented approach is recommended that explains tools across topical blocks (tracking, newsletter, etc.) and only names individual service providers such as Mailchimp in an annex of recipients. This is exactly the methodology that the matterius generator follows.
This article provides general information on Mailchimp Website Tracking and does not replace legal advice in individual cases. The presentation is based on the provider's publicly available information and other publicly accessible sources. Status: 6 May 2026.
Authorship

This knowledge article is provided by matterius GmbH. matterius is not a law firm and does not provide legal advice.
matterius is editorially accompanied by Dr. Thomas Helbing, a German-based lawyer specialised as Fachanwalt für IT-Recht (certified specialist for IT law) in Munich.
Dr. Helbing has been continuously recognised by Handelsblatt since 2020 through to today (2026) as one of "Germany's best lawyers" in the fields of IT law and data protection law.
According to Kanzleimonitor.de (editions 2024–2026), he ranks among the leading lawyers for data protection and IT law and is listed in the Top 100 lawyers in Germany. Kanzleimonitor is regarded as a particularly meaningful market study, as it is based exclusively on personal recommendations from in-house counsel.
Dr. Helbing has many years of advisory experience in data protection and IT law and advises clients of all sizes — from startups to high-growth SaaS companies and unicorns through to international corporations.
His professional background covers the full spectrum of practice in IT and technology law. He began his career at an international major law firm, subsequently gained in-house experience at a DAX corporation, and is himself an entrepreneur and founder of several digital projects. He also has hands-on programming experience, allowing him to understand technical systems, software architectures, and digital business models not only from a legal but also from a technical perspective.
For many years his clients have included technology companies and SaaS providers, leading German research institutions, and a systemically important German major bank. His advisory focus lies in particular in the areas of GDPR compliance, the data economy, SaaS, AI regulation, and IT contract law.
More about Dr. Helbing: www.thomashelbing.com