
Is Mailchimp GDPR Compliant? Settings, Consent Forms & DPA Guide

Mailchimp (now part of Intuit) can be GDPR compliant when properly configured with GDPR-specific features enabled. Mailchimp provides built-in GDPR fields for signup forms, consent tracking, data processing agreements, and tools for handling data subject requests. However, as a US-based service, international data transfer considerations apply.

Conditional — Mailchimp can be compliant with configuration

Mailchimp is GDPR compliant when you enable GDPR fields in signup forms, implement double opt-in, configure the data processing addendum, and properly handle consent and data subject requests. As a US-based processor, it relies on the EU-US Data Privacy Framework for international transfers.

Compliance Assessment

| Aspect | Status | Notes |
|---|---|---|
| Consent Collection | With Configuration | Mailchimp provides GDPR-compliant signup forms with granular consent checkboxes. Must be enabled in audience settings — not enabled by default. |
| Double Opt-In | With Configuration | Double opt-in (confirmation email) is available and recommended for GDPR. Must be configured per audience — single opt-in is the default. |
| Data Processing Agreement | Yes | Mailchimp provides a Data Processing Addendum (DPA) that satisfies GDPR Article 28 requirements for data processors. |
| Data Subject Rights | Yes | Mailchimp provides tools for data export, deletion, and managing unsubscribes to support GDPR data subject rights (access, erasure, portability). |
| Data Encryption | Yes | Mailchimp encrypts data in transit (TLS) and at rest. SOC 2 Type II certified infrastructure. |
| International Data Transfers | Partial | Mailchimp is US-based and relies on the EU-US Data Privacy Framework and Standard Contractual Clauses for EU data transfers. |
| Consent Records | Yes | Mailchimp tracks consent timestamps, IP addresses, and consent method for each subscriber to demonstrate compliance. |
| Unsubscribe Management | Yes | Required unsubscribe links in all emails with automatic list management. Supports preference centers for granular consent. |
| Data Retention | With Configuration | Mailchimp retains data until you delete it. You must implement your own data retention policies and regularly purge inactive subscribers. |
| Third-Party Integrations | Partial | Mailchimp integrations (CRM, e-commerce) transfer data to third parties. Each integration must be assessed for GDPR compliance. |

How to Make Mailchimp GDPR Compliant

1. Enable GDPR fields in your Mailchimp audience settings to add consent checkboxes to signup forms.
2. Configure double opt-in for all audiences to ensure valid consent collection.
3. Review and accept Mailchimp's Data Processing Addendum in your account settings.
4. Update your privacy policy to list Mailchimp as a data processor with details on what data is shared.
5. Set up data retention practices — regularly audit and remove subscribers who have not engaged or whose consent has expired.
6. Configure the subscriber preference center to allow granular consent management.

Limitations

  • US-based data processing — relies on the EU-US Data Privacy Framework, which could face future legal challenges.
  • GDPR fields are not enabled by default — many users miss this critical configuration step.
  • Single opt-in is the default, which may not satisfy GDPR consent requirements in all EU member states.
  • Mailchimp retains data indefinitely unless you actively delete it — no automatic retention period enforcement.
  • Email tracking (opens, clicks) involves personal data processing that must be disclosed in your privacy policy.

Frequently Asked Questions

Is Mailchimp GDPR compliant?

Mailchimp can be GDPR compliant when you enable GDPR fields in signup forms, use double opt-in, accept the Data Processing Addendum, and properly handle data subject requests. The tool provides built-in GDPR features but they must be activated.

How do I enable GDPR in Mailchimp?

Go to Audience > Settings > GDPR fields and marketing permissions. Enable GDPR fields to add consent checkboxes to your signup forms. Also enable double opt-in under Audience > Settings > Audience name and defaults.

Does Mailchimp have a DPA?

Yes. Mailchimp provides a Data Processing Addendum compliant with GDPR Article 28. It is incorporated into the terms of service and covers Mailchimp's role as a data processor.

Do I need double opt-in with Mailchimp for GDPR?

Double opt-in is strongly recommended for GDPR compliance as it provides clear evidence of consent. Some EU countries (like Germany) effectively require it. Enable it in your Mailchimp audience settings.

Can I use Mailchimp to email EU subscribers?

Yes, when properly configured with GDPR fields, consent collection, and double opt-in. Ensure your privacy policy discloses Mailchimp as a processor and that you have a valid legal basis for each contact.

How do I handle GDPR data deletion requests in Mailchimp?

Use Mailchimp's subscriber management tools to permanently delete a contact. Go to the contact profile and use the Delete action. This removes their data from your audience.

Is Mailchimp safe for EU data?

Mailchimp relies on the EU-US Data Privacy Framework and Standard Contractual Clauses for international data transfers. This is currently accepted but the legal basis could evolve. EU-hosted alternatives like Sendinblue exist if you prefer EU data residency.

Generate GDPR policies for your stack

PoliWriter creates all the GDPR policies you need, customized to tools like Mailchimp and your specific configuration. AI-powered, audit-ready, hours not months.