Is Mailchimp GDPR Compliant? What It Covers and What You Must Do

Mailchimp provides a DPA, EU-US DPF certification, and GDPR consent forms, but compliance depends on how you configure it. Learn what Mailchimp covers and what you still owe.


by Billal Hossain • 1 July 2026


Mailchimp can be used in a GDPR-compliant way. It provides a Data Processing Addendum with Standard Contractual Clauses, EU-US Data Privacy Framework certification, and GDPR consent forms. But Mailchimp alone does not make you compliant. Compliance depends on how you configure it, and cookie consent for its on-site tracking is a separate duty you owe.

Is Mailchimp GDPR Compliant? The Short Answer

Mailchimp (Intuit) is a data processor. It stores and processes your contacts' data according to your instructions. You are the data controller, so you carry the legal responsibility for how that data is collected and used. Mailchimp gives you the building blocks. How you configure those tools determines whether you are compliant.

As Mailchimp's own GDPR page states: "Mailchimp acts as a data processor when you use our platform. We help you store and process data on your behalf, according to your instructions."

The practical verdict is simple. Mailchimp will not put you in non-compliance on its own, but it lets you do so if you configure it wrong. Compliance runs in two directions. The first is your email-list consent, handled inside Mailchimp. The second is your website cookie consent, handled separately for the cookies the Mailchimp form drops on your site.

Mailchimp is only one part of whether your whole tech stack is compliant. This guide covers what Mailchimp does for GDPR, what you owe as the controller, the two consent layers users conflate, and the common mistakes.

Who Is Responsible: Mailchimp (Processor) vs You (Controller)

Under GDPR, Mailchimp is a data processor and you are a data controller. The controller decides why and how personal data is collected. The processor handles data only on the controller's instructions.

This distinction matters because the controller carries the primary legal duty toward data subjects.

RoleWhoPrimary GDPR duties
Data processorMailchimp (Intuit)Process data only per your instructions, maintain security, notify you of breaches within 72 hours, bind sub-processors to the same obligations
Data controllerYou (the website/business owner)Establish a lawful basis for processing, obtain valid consent, honor data-subject requests (access, erasure, rectification), disclose processors in your privacy policy

This split is why Mailchimp provides tools and you carry the compliance duty. The gdpr.eu controller/processor definitions confirm that the controller is the entity that determines the purposes and means of the processing.

What Mailchimp Does for GDPR Compliance

Mailchimp gives controllers a set of GDPR-specific tools. These do not make you automatically compliant, but they are the legal and technical foundations your compliance is built on.

Mailchimp provides:

  • A Data Processing Addendum (DPA) with Standard Contractual Clauses, auto-incorporated into its Standard Terms of Use
  • EU-US Data Privacy Framework (DPF) certification, covering EU, UK, and Swiss transfers
  • GDPR signup forms with per-activity consent checkboxes and a consent snapshot mechanism
  • Double opt-in support for stronger consent evidence
  • Data-subject rights tools (export, delete, update, unsubscribe)
  • Security controls and breach notification to you within 72 hours

The Data Processing Addendum (DPA) and SCCs

Mailchimp's DPA automatically forms part of its Standard Terms of Use, effective September 26, 2024. You do not negotiate or sign a separate DPA. Accepting Mailchimp's Standard Terms means you have one.

The DPA embeds the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) as a fallback transfer mechanism. Mailchimp also binds its sub-processors to equivalent data protection obligations and gives customers 30 days' notice before adding new ones.

Review and retain the DPA as part of your compliance documentation. Mailchimp's DPA Annex A explicitly lists "cookies data" and "online navigation data" as categories of personal data it processes on your behalf.

EU-US Data Privacy Framework and US Data Transfers

Mailchimp is US-based (Intuit, Inc.), so EU, UK, and Swiss personal data transfers to Mailchimp's infrastructure leave the European Economic Area. Mailchimp is certified under the EU-US Data Privacy Framework, the UK Extension to the EU-US DPF, and the Swiss-US Data Privacy Framework. Certification is verifiable at dataprivacyframework.gov.

The DPF is the 2023 adequacy mechanism established by the European Commission. It resolved the Schrems II-era uncertainty about EU-to-US transfers. The SCCs in the DPA remain as a documented fallback if the DPF were ever challenged.

GDPR Signup Forms and Consent Tracking

Mailchimp's GDPR form fields add four components to a signup form.

  • A description of what subscribers consent to
  • Per-activity consent checkboxes, unchecked by default
  • Legal text stating the lawful basis
  • A link to your privacy policy

When a contact submits a GDPR-enabled form, Mailchimp records a plain-text snapshot of the form fields at signup. This is your evidence of consent under GDPR Article 7(1), which requires controllers to demonstrate consent. You configure the field wording; Mailchimp stores the record.

Mailchimp is explicit that enabling these fields is only a first step, not a compliance guarantee. Its help page says: "Enabling GDPR fields on your signup forms doesn't make you compliant. It's the first step."

Security, Breach Notice, and Data Subject Rights

Mailchimp maintains security controls for the data it stores on your behalf. It notifies you without undue delay if a personal data breach affects your contacts. Inside the platform, you get tools that map to the core data-subject rights:

  • Export contact data (right of access)
  • Delete a contact (right of erasure)
  • Update records (right of rectification)
  • Process unsubscribes (right to object)

A SOC 2 report is available on request. Acting on data-subject requests is your duty; Mailchimp gives you the mechanism to carry it out.

What You Must Do to Use Mailchimp Compliantly

Mailchimp provides the tools. These seven duties belong to you as the controller:

  1. Accept and review the DPA. It is already incorporated into Mailchimp's Standard Terms. Retain a copy and know your obligations under it.
  2. Establish a lawful basis for marketing. For most email marketing to EU and UK contacts, that lawful basis is consent. GDPR Article 7 requires consent to be freely given, specific, informed, and unambiguous.
  3. Enable GDPR fields with unticked boxes and accurate purpose text. Pre-ticked consent checkboxes are prohibited under GDPR. Every consent checkbox must be blank by default, and the description text must accurately state what you will send.
  4. Name Mailchimp in your privacy policy. As a processor and recipient of your contacts' personal data, Mailchimp must be disclosed in your privacy policy, with how and why data is shared with it.
  5. Honor data-subject requests. Access, erasure, rectification, and objection requests from contacts must be actioned. Mailchimp's platform provides the tools; the obligation to act is yours.
  6. Keep only data you need. Data minimization and retention limits apply. Do not hold contacts whose marketing consent has lapsed without a separate lawful basis.
  7. Get cookie consent for any non-essential cookies the Mailchimp form or connected site sets on your website. This is the duty most Mailchimp users overlook. The ICO's PECR guidance requires prior consent for non-essential cookies before they are placed, not after.

Mailchimp's own help documentation is blunt about its limits:

"This article is provided as a resource, but it's not legal advice. We encourage you to speak to legal counsel."

The Two Consent Layers: Email Marketing vs Website Cookies

Using Mailchimp creates two separate consent duties. Conflating them is the most common reason Mailchimp users are partially non-compliant even when they think they have covered everything.

The first is consent to email someone. The second is cookie consent for the cookies and tracking technologies the Mailchimp form or connected site drops on your website. Different laws govern each.

LayerWhat it coversWhere you handle itGoverning law
Email marketing consentThe lawful basis to send marketing emails to a contact's inboxInside Mailchimp (GDPR forms, marketing permissions, segmentation)GDPR (and PECR for electronic marketing in the UK)
Website cookie consentConsent for the cookies and tracking technologies placed on your website by the Mailchimp signup form or connected-site SnippetA cookie consent banner on your website (a CMP)ePrivacy Directive / PECR

The rule is set out at gdpr.eu/cookies/:

"Receive users' consent before you use any cookies except strictly necessary cookies."

This applies to the cookies Mailchimp's form and tracking scripts drop on your site. It is not limited to your own analytics or advertising tools.

Mailchimp's email tracking pixels in campaign emails are a related but distinct issue. Its Cookie Statement confirms it tracks every send:

"We automatically place single pixel gifs, also known as web beacons, in every email sent by our Members."

These record IP addresses, open timestamps, and click events. Disclosure in your privacy policy is required. In B2B contexts, legitimate interests may cover the processing, but transparency is non-negotiable.

Cookie Consent for Mailchimp Embedded Forms and Tracking

Mailchimp may install a JavaScript tracking snippet on your site. It loads when you embed a Mailchimp signup form or connect your site to your Mailchimp account. The same trigger applies wherever the form lives, including Shopify and WordPress.

Mailchimp's own Cookie Statement describes the mechanism:

"When a Member chooses to set cookies, Mailchimp installs the Snippet on that Member's website to facilitate the deployment of the cookie(s) selected by that Member."

The Snippet deploys non-essential cookies for these features:

  • Google remarketing ads: installs a Google tracking pixel and a Mailchimp cookie to recognize Connected Site visitors
  • Facebook ads: installs a Facebook tracking pixel and a Mailchimp cookie via the Snippet
  • Product retargeting emails: drops a Mailchimp cookie when a user clicks a link in a retargeting email
  • Popup forms: sets a Mailchimp cookie for up to one year to prevent repeat popup displays

None of these are strictly necessary cookies. Under the ePrivacy Directive and PECR, strictly necessary cookies are exempt from consent. All others require prior consent from the visitor before the cookie is set.

Doing it right means three things on your website.

  • A cookie consent banner that blocks the Mailchimp Snippet and connected tracking scripts before the visitor consents
  • A privacy notice identifying Mailchimp as a data processor and disclosing the cookies and tracking it deploys
  • A way for visitors to withdraw consent as easily as they gave it, per both gdpr.eu and ICO requirements

This duty applies whether or not the visitor ever clicks "subscribe." The cookies load on page display, not on form submission.

Common Mailchimp GDPR Risks and Mistakes

Five compliance failures come up consistently for Mailchimp users:

  1. "Using Mailchimp makes me GDPR compliant." It does not. Mailchimp gives you the tools (DPA, GDPR forms, DPF certification), but the controller obligations are yours. Mailchimp's own help page states enabling GDPR fields is "the first step," not the finish line.
  2. "Mailchimp is banned in the EU." This is outdated and inaccurate. In 2021, the Bavarian Data Protection Authority (BayLDA) advised a specific German company to stop using Mailchimp after a complaint about a newsletter subscription. That advisory came under the Schrems II-era uncertainty about EU-to-US data transfers. Critically, the company in question had not signed a DPA with Mailchimp. Since the 2023 EU-US Data Privacy Framework adequacy decision, the transfer mechanism concern has been resolved, and Mailchimp is now certified under the DPF. Mailchimp is not banned in the EU. The same controller/processor logic applies to is Google Analytics GDPR compliant: each tool requires correct configuration, not abandonment.
  3. Pre-ticking consent checkboxes. Pre-ticked boxes are explicitly prohibited under GDPR. A contact who has not actively ticked the box has not given valid consent. Every Mailchimp GDPR form checkbox must be unchecked by default.
  4. Ignoring the Mailchimp Snippet and email tracking pixels. Many Mailchimp users configure their email-list consent correctly and never configure cookie consent for the Snippet or the email tracking pixel. This creates an ePrivacy/PECR non-compliance on their website, separate from any email-list compliance issue.
  5. Not naming Mailchimp in the privacy policy. Controllers must inform data subjects about the processors that handle their data. Mailchimp must be disclosed in your privacy policy, with the purpose and legal basis for sharing data with it. Technical implementation (whether you link to the form or embed it) does not change this obligation.

How Consently Covers the Cookie-Consent Side of Mailchimp

Consently does not manage your Mailchimp email-list consent. Your DPA, GDPR forms, and marketing permissions inside Mailchimp handle that. What Consently covers is the other half: the website cookie-consent layer that the Mailchimp embedded signup form and Snippet tracking create.

Consently's cookie consent banner collects and records visitor cookie consent for the cookies Mailchimp and your other tools deploy. The banner is fully customizable. Button labels, corner radius, colors, and fonts all adjust to match your site's design, and you can preview changes live before publishing.

The feature that matters most for a Mailchimp setup is automatic cookie scanning and auto-blocking. Consently scans your site and identifies every cookie and tracking script, including those the Mailchimp Snippet deploys. It blocks the non-essential ones until the visitor consents. You do not have to list the Mailchimp cookies manually. Consently finds them and holds them back.

When a visitor consents, Consently passes Google Consent Mode v2 and IAB TCF v2.3 signals. Your analytics and advertising tools then receive the correct consent state. Consent records are logged for audit, documenting when and how each visitor consented to cookie categories.

GDPR opt-in and CCPA opt-out templates ship with Consently, so the same banner covers EU and US visitors without a separate configuration. That covers the cookie-consent layer. For your Mailchimp list consent, keep your DPA accepted, your GDPR forms enabled with unticked boxes, and your privacy policy updated.

Try Consently free

FAQs

Is Mailchimp GDPR compliant?

Mailchimp provides GDPR tools: a DPA with SCCs, EU-US DPF certification, and GDPR consent forms. But compliance is not automatic. You, as the data controller, must configure those tools correctly, establish a lawful basis, and manage cookie consent for Mailchimp's on-site tracking separately.

Is Mailchimp banned in the EU?

No. A 2021 advisory by the Bavarian Data Protection Authority (BayLDA) told one German company to stop using Mailchimp. That company had not signed a DPA, and the Schrems II ruling raised transfer concerns at the time. Since the 2023 EU-US Data Privacy Framework adequacy decision, Mailchimp's transfer mechanism is certified. Mailchimp is not banned in the EU. Configure the DPA and GDPR settings correctly.

Do I need a DPA with Mailchimp?

Yes, and you already have one. Mailchimp's Data Processing Addendum, effective September 26, 2024, automatically forms part of its Standard Terms of Use. You do not sign a separate contract. Review the DPA, understand your obligations under it, and retain it as compliance documentation.

Do I need a cookie banner if I use a Mailchimp signup form?

Yes, if the form or Mailchimp's Connected Site Snippet sets non-essential cookies on your site. Mailchimp's Snippet deploys tracking cookies for popup forms, Google remarketing, Facebook ads, and product retargeting. The ePrivacy Directive and PECR require prior consent for those cookies. A cookie consent banner is required, plus a privacy notice identifying Mailchimp.

Does Mailchimp store data in the EU?

Mailchimp (Intuit) is US-based and transfers EU, UK, and Swiss contact data to US infrastructure. It relies on EU-US DPF certification (and SCCs as a fallback), not EU-only data storage. You can verify Mailchimp's certification at dataprivacyframework.gov.

Is double opt-in required for GDPR in Mailchimp?

Not by GDPR itself. However, double opt-in creates a stronger record of freely given, unambiguous consent because it requires the subscriber to take two active steps. Some EU member states, including Germany, Austria, and Norway, have stricter national requirements that make double opt-in the practical standard for those markets. Mailchimp supports it on all plans.

Do I have to name Mailchimp in my privacy policy?

Yes. Mailchimp processes your contacts' personal data as your processor and as a recipient of that data. GDPR requires controllers to inform data subjects about the recipients or categories of recipients of their data. Your privacy policy must identify Mailchimp, describe what data is shared with it, and state the lawful basis. How you technically implement the form (embedded or linked) does not change this obligation.

AUTHOR

Billal Hossain is a software engineer with hands-on experience building Consently from start to finish. His work gives him a practical understanding of consent management platforms, cookie consent, and how businesses can create more compliant, user-friendly websites.

Read More

Subscribe to Consently
Newsletter

Subscribe to our newsletter to stay updated with latest articles from our blog.

Built with ❤️ by the team @ Dorik.com 

GET IN TOUCH

Any questions? Feel free to chat with us or reach out to us at

For any queries:
support@consently.net

Follow us:


©2026 Dorik, Inc. All rights reserved.