Why Mailchimp Users Need a Privacy Policy
Mailchimp is one of the most popular email marketing platforms, used by millions of businesses to manage subscriber lists, send campaigns, and track engagement. Every time a subscriber joins your list, Mailchimp collects personal data on your behalf. This makes you the data controller, and you are legally required to disclose what data is collected and how it is used.
Three separate requirements mandate a privacy policy for Mailchimp users:
Mailchimp's Terms of Use: Mailchimp requires all users to maintain a privacy policy that discloses the use of their platform
GDPR (EU subscribers): You must disclose the legal basis for processing, data retention, and subscriber rights
CAN-SPAM Act (US): Requires a physical address, clear unsubscribe mechanism, and honest subject lines
Can I just link to Mailchimp's privacy policy instead of writing my own?
No. Mailchimp's privacy policy covers how they handle data as a company. As the data controller, you need your own policy explaining what data you collect from subscribers, why you collect it, and how you use Mailchimp to process it. Linking to Mailchimp's policy does not fulfill your legal obligation.
What Mailchimp Collects From Your Subscribers
Every data point Mailchimp gathers on your behalf must be disclosed in your privacy policy.
| Data Type | When Collected | Purpose |
|---|---|---|
| Subscriber email | Signup | Deliver email campaigns |
| Name (first/last) | Signup form | Personalize emails |
| IP address | Form submission | Record consent proof, geolocation |
| Open tracking | Email opens | Measure engagement rates |
| Click tracking | Link clicks | Track content performance |
| Location (approximate) | Email opens | Geographic segmentation |
| Device and browser | Email opens | Optimize email rendering |
| Purchase history | E-commerce sync | Product recommendations, segmentation |
| Tags | Manual or automated | Audience organization |
| Segments | Rule-based filtering | Targeted campaign delivery |
Mailchimp Features and Their Data Implications
Each Mailchimp feature you use creates additional privacy disclosure requirements.
| Feature | Data Collected | Disclosure Required |
|---|---|---|
| Email Campaigns | Opens, clicks, bounces, unsubscribes | Tracking methods, data retention |
| Automations | Trigger events, behavioral data, timestamps | Automated decision-making, profiling |
| Landing Pages | Form submissions, page views, conversions | Cookie usage, data collection forms |
| Signup Forms | Email, name, consent records, IP address | Consent mechanism, data storage |
| Customer Journey | Multi-step behavioral tracking | Profiling, automated processing |
| Audience Dashboard | Demographics, engagement scores, predicted data | Data analysis, profiling practices |
| Transactional Email | Order details, shipping info, purchase data | E-commerce data processing |
| Websites | Page views, visitor tracking, form data | Website cookies, analytics tracking |
If you use Mailchimp's newsletter features, landing pages, or website builder, each feature adds distinct data collection points that require separate disclosures in your privacy policy.
GDPR Consent Forms in Mailchimp
Mailchimp provides built-in GDPR consent fields that you can enable on your signup forms. These fields allow subscribers to explicitly opt in to different types of communication. Your privacy policy must explain how these consent mechanisms work.
Enable GDPR fields: Activate GDPR-compliant consent checkboxes in your audience settings to let subscribers choose their communication preferences
Document consent collection: Your privacy policy must describe what consent is collected, when it is collected, and how subscribers can withdraw consent
Record-keeping: Mailchimp automatically logs consent timestamps and IP addresses, providing proof of consent for regulatory inquiries
Right to withdraw: Subscribers must be able to withdraw consent as easily as they gave it, and your policy must explain the withdrawal process
What if I only have US subscribers? Do I still need GDPR fields?
If you can guarantee that no EU residents will ever subscribe to your list, GDPR technically does not apply. However, in practice, it is very difficult to prevent EU residents from signing up. Enabling GDPR fields is a best practice regardless of your primary audience location.
CAN-SPAM Compliance With Mailchimp
The CAN-SPAM Act applies to all commercial emails sent to US recipients. Mailchimp helps with compliance, but your privacy policy must still document these practices.
Physical mailing address: Mailchimp requires you to add a physical address to every email. Your privacy policy should reference this address
Unsubscribe mechanism: Every Mailchimp email includes an unsubscribe link. You must honor opt-out requests within 10 business days
Accurate header information: Your 'From' name, reply-to address, and subject lines must be truthful and not misleading
Commercial content identification: If your email is primarily an advertisement, it must be clearly identified as such
Mailchimp's Data Processing Addendum
Mailchimp offers a Data Processing Addendum (DPA) that formalizes the relationship between you (the data controller) and Mailchimp (the data processor). This document is essential for GDPR compliance and should be referenced in your privacy policy.
Automatic inclusion: Mailchimp's DPA is automatically included in their Standard Terms of Use for all accounts
Sub-processors: The DPA lists Mailchimp's sub-processors (AWS, Google Cloud, etc.) and commits to notifying you of changes
International transfers: The DPA includes Standard Contractual Clauses (SCCs) for transferring data outside the EU/EEA
Security measures: Mailchimp commits to technical and organizational security measures including encryption, access controls, and regular audits
Your privacy policy should mention that Mailchimp processes subscriber data under a DPA and that appropriate safeguards are in place for international data transfers.
Intuit Acquisition: What Changed for Privacy
Intuit acquired Mailchimp in November 2021 for approximately $12 billion. This acquisition has privacy implications that Mailchimp users should address in their privacy policies.
Expanded data ecosystem: Subscriber data may now be subject to Intuit's broader privacy framework, which also covers TurboTax, QuickBooks, and Credit Karma
Updated entity name: Mailchimp is now officially 'The Rocket Science Group LLC d/b/a Mailchimp, an Intuit company.' Your policy should reference the current entity
Cross-product data sharing: Intuit's privacy statement allows data sharing across their product family for purposes like product improvement and personalization
Updated DPA: The Data Processing Addendum has been updated to reflect Intuit's corporate structure and sub-processor list
Common Mistakes in Mailchimp Privacy Policies
Not disclosing email tracking
Many Mailchimp users fail to mention that open tracking and click tracking collect personal data like IP addresses and device information. This is a GDPR violation.
Missing Mailchimp as a third-party processor
Your privacy policy must name Mailchimp (Intuit) as a third-party data processor. Simply saying 'email marketing service' is insufficient under GDPR.
No mention of international data transfers
Mailchimp stores data on US servers. If you have EU subscribers, you must disclose this cross-border transfer and reference the legal mechanisms (SCCs) that authorize it.
Ignoring landing page and website data
If you use Mailchimp's landing pages or website builder, these collect additional data (cookies, page views) that require separate disclosure beyond email-related data.
Outdated entity references
Policies that reference 'The Rocket Science Group' without mentioning Intuit are outdated. After the 2021 acquisition, your policy should reflect the current corporate structure.
How to Write a Privacy Policy for Mailchimp
Follow these six steps to create a compliant privacy policy for your Mailchimp email marketing.
Step 1: Audit your Mailchimp data collection
List every type of data Mailchimp collects on your behalf: subscriber emails, names, IP addresses, open tracking, click tracking, location data, and purchase history. Check your audience fields and merge tags for custom data points.
Step 2: Document all Mailchimp features you use
Identify which features you actively use: email campaigns, automations, landing pages, signup forms, customer journeys, audience dashboard, transactional email, or websites. Each feature has different data implications.
Step 3: Disclose tracking and analytics
Explain that Mailchimp tracks email opens, link clicks, subscriber location, device type, and engagement metrics. Specify how this data is used for campaign optimization and whether subscribers can opt out of tracking.
Step 4: Add GDPR consent mechanisms
If you have EU subscribers, enable Mailchimp GDPR consent fields in your signup forms and document consent collection in your privacy policy. Include details on how subscribers can withdraw consent at any time.
Step 5: Include CAN-SPAM compliance details
Document your unsubscribe process, physical mailing address, and how you honor opt-out requests within the required 10-business-day window. Reference the automatic unsubscribe links Mailchimp includes in every email.
Step 6: Reference Mailchimp as a data processor
Name Intuit Mailchimp as a third-party data processor, link to their privacy policy, and reference the Data Processing Addendum (DPA) for legal basis. Note that data is stored on US servers with appropriate safeguards.
Frequently Asked Questions
Do I need a privacy policy if I use Mailchimp?
Yes. Mailchimp's Terms of Use require all users to have a privacy policy. Additionally, laws like GDPR and CAN-SPAM require you to disclose how you collect, use, and store subscriber data. Without a privacy policy, Mailchimp can suspend your account.
What data does Mailchimp collect from my subscribers?
Mailchimp collects subscriber email addresses, names, IP addresses at signup, email open tracking data, click tracking data, approximate location, device and browser information, purchase history (if connected), and any custom tags or segments you create.
Does Mailchimp comply with GDPR?
Mailchimp offers GDPR-compliant features including consent checkboxes for signup forms, a Data Processing Addendum (DPA), data export and deletion tools, and lawful basis tracking. However, you as the data controller are responsible for implementing these features correctly and disclosing them in your privacy policy.
How do I enable GDPR fields in Mailchimp?
In Mailchimp, go to your audience settings and enable GDPR fields. This adds consent checkboxes to your signup forms that let subscribers opt in to specific types of communication. You must document this consent mechanism in your privacy policy.
Is Mailchimp a data processor or data controller?
Mailchimp acts as a data processor on your behalf. You are the data controller responsible for determining how and why subscriber data is processed. Mailchimp provides a Data Processing Addendum (DPA) that formalizes this relationship under GDPR.
What changed after Intuit acquired Mailchimp?
After Intuit acquired Mailchimp in 2021, the scope of what you need to disclose expanded. Subscriber data may now be subject to Intuit's broader privacy practices. Your privacy policy should reference Intuit Mailchimp and note that data may be shared within the Intuit family of companies for product improvement and analytics.
Can I use Mailchimp without tracking email opens?
Yes. Mailchimp allows you to disable open tracking and click tracking for individual campaigns. However, if you keep tracking enabled (the default), you must disclose this in your privacy policy as it involves collecting personal data like IP addresses and device information.