6th November 2017

MailChimp changed its opt-in benefits and it proved GDPR's impact



Lauren Irwin


MailChimp made changes to its opt-in benefits and it proved the impact of GDPR.

Here’s what happened and what marketers need to know about GDPR.

Last week MailChimp made a change to its newsletter opt-in service by adding single opt-in as an option for its email lists. Previously, MailChimp’s service was always double opt-in. It asked and asked again if the customer was sure they wanted to sign up for newsletters.

Why is this a problem?

MailChimp made single opt-in the default option for all new and existing lists as of October 31st, 2017. As some of you may know, GDPR (General Data Protection Regulation) kicks in on May 25, 2018, and it’s going to have a considerable impact on data collection for all marketers within the EU (and beyond).

It means we’re going to need to be better aware of the privacy rights of individuals and the lawful grounds for processing their personal data.

You might have found that you didn’t receive an email from MailChimp advising you of the changes. But don’t worry… we’ll explain what you need to be aware of and do throughout this blog.

Let’s discuss first, for those unsure of GDPR, what it is, what it does and what it means to companies in the EU and across the globe. If you already know the ins-and-outs, scroll down to “So, What’s this about Mailchimp?”

GDPR will have significant implications on marketing. Its aim is to improve and simplify data protection for all EU citizens, residents, and businesses. It affects how businesses must explain and obtain consent from prospects and existing customers who subscribe to their email lists and if their data is stored within a CRM and other systems.

For those that are thinking “Brexit”... don’t. Even when the UK leaves the EU, GDPR will still be in effect and businesses will still have to comply with the new legislation. The GDPR affects any organisation that collects and processes the data of an EU citizen. There are few UK businesses that will never need to comply and until the UK has left the EU, all businesses will have to. That means it's going to affect businesses worldwide.

How does the GDPR affect marketing?

It will affect the way we handle and collect data. We’ll need to demonstrate how we meet the conditions of GDPR and if we, as businesses, can’t prove how we obtained consent we could be struck with fines.


Data collection now needs to be relevant to the purpose for which it was first obtained. If a campaign is implemented and data is collected for that campaign, it can only be used for that purpose: the original campaign. We can no longer use that data for other associated or similar campaigns, and the data certainly can’t be added to other lists. To use the customer’s data elsewhere, the business will have to ask for their consent. This will have an effect on many businesses and the methods by which they’ve grown their databases in the past.

This also means that opt-ins need to be made by the customer. Pre-ticked boxes will no longer constitute consent and customers will need to physically confirm that they wish to be contacted. It also means that forms with a CTA button won’t just cut it either. We’ll need check boxes to confirm the consent of the customer and that they’re making a deliberate choice to give the business their data.


Customers need a way to access and control their data, including how it’s collected and used, and the ability to remove it entirely. It’s the right to be forgotten. This is one of the simpler areas of focus for marketers: it means including unsubscribe links in email marketing. However, the process should be easy, not a step-by-step procedure just to remove themselves from a data list. We should also ensure that customers can manage their preferences, such as what sort of communications they receive.

The customer must have the ability to withdraw consent at any time.


We always have a purpose for collecting data, but sometimes marketers will add form fields to obtain more information from a customer, such as their interests. Under the GDPR, the reasons for collecting data will need to be expressed clearly. GDPR requires businesses to legally justify the personal data that is collected.

So, to make things clear.

  1. Consent has to have been given (from new and existing contacts in your database) and customers need to be able to remove access to their data too.
  2. Customers need to give their consent for their data to be reused for other campaigns and communications from businesses.
  3. Businesses must be able to demonstrate how the customer has consented to the collection of their data and that means it must be recorded how and when consent was given.
  4. Under no circumstances should businesses be contacting opt-outs (unsubscribers) or those who have chosen to be forgotten.
  5. Businesses need purpose and to show their purpose for collecting data.

Geez… that’s a lot but don’t worry too much. Just like all good marketers we can make this into an opportunity.

Gaining consent is a good thing. This will allow businesses to better their targeting. When we’re asking customers for their data and they’re consenting to allow us to collect it, we can ask for information on what they’re interested in to give us better insight into individual interests. That means optimising segmentation and focussed communications for better ROI.

It also builds trust between customer and business by being transparent. Customers no longer have to fear what happens to their data once they’ve hit submit and are far more likely to fill in a form, if they know what the result will be.

But there’s another element we need to consider… Website Tracking

That’s right. GDPR will also affect our website tracking. We have to remember that everything that falls in line with GDPR needs to be consensual and website tracking technically isn’t.

Under the new legislation, visiting a business's website for the first time won’t qualify as consent for capturing data, even when providing information such as “by using this site, you accept cookies.”

There’s no real information on it yet but there’s a general assumption that browser settings will be treated as consent. The most recent ePrivacy Regulation suggests that in the case of cookies used for tracking, you most likely won’t have to inform your visitors about the use of cookies, if their web browser is set to signify consent or refusal.

As the GDPR states that businesses must describe and justify their purpose for collecting customer data, we should be listing the different types of cookies (and tracking such as Google Analytics, Facebook Pixels, LinkedIn Insight Tags, etc) in the Privacy Policy section on our websites, so that customers can be aware when visiting websites.

How does it affect remarketing such as Facebook Advertising?

That’s not entirely clear yet but Facebook does already have an area in your profile settings for your ad preferences. At present, these are pre-ticked and it’s unknown if these will change based on location come launch of the GDPR but a user can opt-out of what is advertised to them and on what devices.

So, what’s this about MailChimp?

Well, these are the sorts of changes we need to make ourselves aware of on the lead up to the new GDPR legislation.

MailChimp weren’t very transparent about the new default option. It seems that many were only made aware because they logged into MailChimp to receive the notification. There was no advisory email. The good news is that after complaints came from those who knew that the single opt-in option did not align with the new GDPR legislation, MailChimp has since confirmed that the double opt-in option for all those with a primary address in the EU will be default as of November 3rd, 2017.

However, for those outside of the EU that are marketing to those within it, they will need to maintain a double opt-in option. As for UK businesses, we will need to ensure that double opt-in is default come May 28th, 2018.

Still a little unsure about the impact of GDPR on your business, when you need to start or what you need to do to prepare for its impact? Get in touch.
