Mailchimp (owned by Intuit) is a US-based email marketing platform used by millions of small businesses and creators. For European audiences, the key GDPR requirement is valid opt-in consent for email marketing — pre-ticked boxes, implied consent, and purchased lists are not compliant. All subscriber data is processed in the US, so transfers require SCCs. Mailchimp provides built-in GDPR features, including consent checkboxes, double opt-in, and unsubscribe management, to help operators stay compliant.
Mailchimp is an email marketing and automation platform owned by Intuit. It is one of the most widely used email marketing tools globally, particularly popular with small businesses, creators, and non-profits. Mailchimp provides list management, email campaign creation, marketing automation, audience segmentation, landing pages, and basic CRM features. It integrates with hundreds of e-commerce, CMS, and business platforms.
Under GDPR, sending marketing emails to EU contacts requires valid consent: freely given, specific, informed, and unambiguous. This means using an unchecked opt-in box, never using pre-ticked checkboxes, not bundling marketing consent with terms of service, and retaining evidence of consent (who, when, how). Mailchimp provides tools to help: GDPR-compliant signup forms, double opt-in, consent timestamp recording, and granular subscription management.
Mailchimp's open tracking (tracking pixels) and click tracking constitute personal data processing. Open tracking works by embedding a 1x1 pixel image in each email — when the recipient's mail client loads it, it registers an open event linked to the subscriber, which is widely considered personal data processing under GDPR. Disclose email tracking in your privacy policy, and consider whether open tracking is necessary; many privacy-conscious senders disable it.
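As an added illustration (not Mailchimp code and not from this page), the script below parses an outgoing HTML campaign email and flags the tiny or hidden images that act as open-tracking beacons, plus every external host the recipient's mail client would contact; the sample email and its URLs are constructed, and the host list reuses the domains named on this page.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this page lists as contacted by Mailchimp emails and signup forms.
MAILCHIMP_HOSTS = {"mailchimp.com", "list-manage.com", "mailchimpapp.net"}

def _under(host, suffixes):
    # True when host equals, or is a subdomain of, any listed suffix.
    return any(host == s or host.endswith("." + s) for s in suffixes)

def _is_tiny(value):
    # A width/height of 0 or 1 (px) is the classic open-tracking pixel.
    return value.strip().lower().removesuffix("px") in {"0", "1"}

class _EmailAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.pixels = []    # image URLs that behave as open-tracking beacons
        self.hosts = set()  # every host the recipient's mail client would contact

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        url = a.get("src") if tag == "img" else a.get("href") if tag == "a" else ""
        host = (urlparse(url).hostname or "").lower()
        if host:
            self.hosts.add(host)
        if tag != "img" or not url:
            return
        tiny = _is_tiny(a.get("width", "")) and _is_tiny(a.get("height", ""))
        hidden = "display:none" in a.get("style", "").replace(" ", "").lower()
        if tiny or hidden:
            self.pixels.append(url)

def audit_email_html(html):
    """Report open-tracking pixels and external hosts found in an HTML email."""
    p = _EmailAudit()
    p.feed(html)
    return {
        "open_tracking": bool(p.pixels),
        "tracking_pixels": p.pixels,
        "mailchimp_hosts": sorted(h for h in p.hosts if _under(h, MAILCHIMP_HOSTS)),
        "third_party_hosts": sorted(p.hosts),
    }

# Constructed sample campaign email; the URLs are placeholders, not real tracking links.
SAMPLE_EMAIL = """<html><body>
<img src="https://cdn.example.com/logo.png" width="200" height="60" alt="logo">
<p>Hi! <a href="https://example.list-manage.com/track/click?u=CONSTRUCTED">Read more</a></p>
<img src="https://example.list-manage.com/track/open?u=CONSTRUCTED" width="1" height="1">
</body></html>"""
```

Calling audit_email_html(SAMPLE_EMAIL) reports one tracking pixel and two external hosts, one of them under list-manage.com, which is the disclosure material a privacy policy needs.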
All Mailchimp subscriber data is processed in the US. Sign the Mailchimp Data Processing Agreement (available via Mailchimp account settings under Extras) which includes SCCs for EU-US data transfers. Disclose Mailchimp as an email processor in your privacy policy.
Sign the Mailchimp DPA. Enable double opt-in for all EU lists. Use GDPR-compliant signup forms with explicit unchecked consent checkboxes. Record and retain consent evidence. Never add contacts without consent. Honour unsubscribe and erasure requests promptly. Disclose Mailchimp and email tracking in your privacy policy. Purge inactive subscribers periodically to maintain data minimisation.
Websites using Mailchimp must obtain user consent under GDPR regulations.
DPIA considerations
A DPIA is generally not required for standard Mailchimp email marketing. It may become relevant for large-scale audience profiling, automated segmentation combining multiple data sources, or for email programmes targeting vulnerable populations.
Sample consent text
Yes, I would like to receive marketing emails from [Brand]. I understand I can unsubscribe at any time using the link in any email. My data will be processed in accordance with the privacy policy.
Third-party domains contacted
mailchimp.com, list-manage.com, mailchimpapp.net
Cookies placed
| Name | Type | Duration | Purpose |
|---|---|---|---|
| _mc_user | persistent | 1 year | Mailchimp user identifier for tracking email campaign engagement and subscriber analytics |
Yes. Marketing emails to EU contacts require valid GDPR consent: unchecked opt-in, specific purpose, documented timestamp. Mailchimp provides GDPR-compliant forms with double opt-in.
Double opt-in sends a confirmation email subscribers must click to verify. Enable it for all EU lists via Mailchimp's List Settings.
In limited B2B scenarios, legitimate interest may apply. This requires a documented LIA and a clear opt-out in every email. For consumer marketing, consent is always required.
Yes. All subscriber data is processed in the US. Sign the Mailchimp DPA via Account Settings which includes SCCs.
Yes. Open and click tracking links engagement to subscriber profiles. Disclose this in your privacy policy.
Permanently delete the contact in Mailchimp. Respond within 30 days and document all actions.
Only if those contacts have valid documented consent. Never import contacts who have not specifically opted in to your marketing.
Brevo (France), Mailjet (France), and CleverReach (Germany) provide EU data residency with simpler GDPR transfer compliance.