Like all marketers – and Tom Cruise in Mission: Impossible – we’re keenly aware of a ticking clock right now. Yes, the GDPR countdown clock is ticking increasingly loudly. One thing we’ve been struggling with until today was our Mailchimp list. Our monthly newsletter, Spark, goes out to about 2,000 friends, family and clients past and present, and whilst GDPR doesn’t materially change much of what is already in PECR or previous data protection regulations, it’s a good opportunity to have a spring clean of contact lists.
NB. Mailchimp has just (17.4.18) published its own templates for this, which can be found here (https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms) - in our opinion, it's not perfect, but neither is the solution that we detail below. We'll leave it up to you (and our helpful commenters) to work out the best way for you.
But there’s no straightforward way of doing this. Our first idea was to use an opt-in confirmation or re-subscribe form, but more often than not, this gives an error message because you’re sending a message to an existing subscriber. Similarly, there are ‘reconfirm’ forms, but they’re a bit tricky to find and may not exist in all subscriptions.
After a few minutes on chat with Mailchimp support, we found a way of doing it with groups. Here’s how:
- Under ‘Lists’, select your list
- Under ‘Manage contacts’ select ‘Groups’
- Under ‘Groups’ select ‘create group’ and enter the description as something like ‘I would like to stay subscribed to this newsletter’ and enter ‘Yes / No’ in the dropdown boxes
- Create your next campaign, and at the top of the newsletter, ask people to click on a link to stay subscribed. Hyperlink this text, and when you select ‘Web Address’ paste this text *|UPDATE_PROFILE|* into the box
- This will create a link in the newsletter where people can update their profile in a web page created by Mailchimp. You can see it if you go to the main ‘Lists’ page, and on the dropdown arrow next to ‘Stats’ select ‘Signup forms’ and ‘General forms’. This should show you the profile update form, where you can select or deselect any fields – but don’t remove the options that you added in the previous steps
- Once the newsletter has gone out, you can see where people have clicked in the ‘Lists’, ‘Manage Contacts’, ‘Groups’ option
- Don’t throw the baby out with the bathwater – give people four or five newsletter iterations before you start manually unsubscribing them
This process will give you a list of people who have actively consented – and re-opted in – to be contacted by you, without having to unsubscribe, then re-contact, everyone, confusing them in the process.
In fairness, this process should be easier, but Mailchimp is based in the US and might not be quite as up to speed with this as it should be. We’ll keep you updated on any changes as we see them within the platform, but until then, this is probably the easiest way of doing it.
This is a great idea when there isn’t another way to reconfirm on MailChimp except by following MailChimp’s advice and removing our whole list and then emailing them all using another email client e.g. Outlook, asking them to resubscribe. The only thing with your way is will it be GDPR compliant? List owners could simply add people to this new group without the person having to do it via the profile update form. So anyone that has selected ‘Yes’ in the drop down: ‘I would like to stay subscribed to this newsletter’ does not mean they did this themselves, so does not prove they have opted in to stay subscribed. What do you think? Hopefully MailChimp will catch up with the new regulations coming about and create an easy way for us to get subscribers to reconfirm!
Thanks Steph – you’re totally right, it’s not flawless. Our line of thinking was that given that Mailchimp will often capture meta-data like location or timestamping when you download subscriber details in an excel document, and this data, above and beyond their presence on a ticklist, would help to show that the data was real and valid. I don’t think that the ICO is looking for a long, protracted fight over GDPR – as long as you can show that you’re approaching this in the right way, doing your due diligence and have the right mindset, then you’re doing ok.
Dear Christian, thanks for this article, really helpful.
One thing with Mailchimp I’m struggling with is that MailChimp won’t let me delete people from an existing newsletter list where they have elected to Unsubscribe already. I know this is designed to stop me continuing to send a newsletter without gaining a new consent. But under GDPR that means I still hold their data as unsubscribers even though for example, I can no longer send them a Newsletter. Surely the situation should be that I should be able to completely delete this personal data otherwise surely I’m in breach of GDPR as data controller by holding this data? or am I missing something? Your thoughts are welcome!
It’s an excellent point Paul and something we’ve raised directly with Mailchimp. You’re not doing anything wrong (yet!) – it’s not possible to remove cleaned or unsubscribed addresses from mailchimp, but you do still technically hold their data – so you would (in theory) be in violation of GDPR. The platform simply doesn’t allow it, and I think previously, Mailchimp’s philosophy was to avoid you re-subscribing people, or allow you to correct hard bounced emails. But that doesn’t help with GDPR.
If we get a response from the Mailchimp team, I’ll let you know.
MailChimp’s legal team were relatively quick off the mark. It was quite a long response, but there’s a few points just worth pulling out:
– Anyone can request that MailChimp discloses or deletes information about them
– They confirmed that ‘cleaned’ email addresses cannot be deleted (without deleting the list) but they are in the process of developing ‘GDPR-friendly’ tools
– But – and this is where the legalese got complicated – MailChimp believes that there may be situations where an individual requests their data to be erased, and MailChimp complies. But because MailChimp also needs to retain a record of deleting that data, ‘very limited information’ would be retained (‘such as their email address’). We’re not lawyers, but this sounds evasive to us.
Happy to forward you the full correspondence if you like – thanks for your interest!
I guess we’ll have to wait and see with these tools that being promised but I think Mailchimp retaining any records at all breaches GDPR. It’s easy enough to demonstrate that no records exist, which for me takes precedence over keeping a record of a deletion. I think they will breach Privacy Safe if they keep anything at all and it leaves their users like me at risk of non compliance. Perhaps its time to look for alternative providers or inform the ICO?
It’s definitely a ‘wait and see’ job – and I’m sure that they have their lawyers all over it … but like you, I can definitely see a risk there.
Thanks for this information. It is really useful and I think I will use it to make my list GDPR compliant.
Is there any way to autocomplete the e-mail address and name fields? That way the recipient would only have to choose whether or not they wish to continue receiving e-mails from us. I’m trying to make it as simple as possible for people to opt in!
You can, but you have to be fairly comfortable with HTML. There’s already a help page there, so I won’t try to talk you through the mechanics of auto-form fill and merging, but here it is: https://blog.mailchimp.com/how-to-pre-fill-items-on-your-mailchimp-hosted-form/
How does your advice fit with the experience of Honda and Flybe who received massive fines for asking for reconfirmation:
Hi Stephen, thanks for your note. There are three things to note here:
1. Clearly, this will all change when GDPR comes into force – this is pre-GDPR advice
2. We’re not lawyers; we’ve consulted with lawyers, but none of this advice should be considered the ‘legal hard line’. Always consult your own legal teams about GDPR.
3. Both FlyBe and Honda were unable to show that those people had *ever* consented to receive mail. We’re working on the assumption here that because these people are on your mailchimp list, they have consented to receive information from you, so pre-GDPR, you will want to have some way of reconsenting rather than completely deleting your email marketing database, like Wetherspoons did!
Hi Great article & I’m amazed that Mailchimp aren’t offering some easy functionality and email templates to aid their customers. Even if they cost £50 or a nominal fee, as a brand, I’d expect them to be doing more to help their members.
I tried your suggestion, successfully created a new group within my list with the 2 options, however, they don’t seem to have a drop down in groups, so not sure how the next point of setting the URL link in an email to
doesn’t seem to work…. can you advise?
Thanks for the thought – I’ve just clarified a point in the text because it was a bit ambiguous. When you hit ‘groups’ you then need to create a group, entering ‘Would you like to stay subscribed to this newsletter?’ as the title, with ‘yes’ and ‘no’ as the options.
It might seem a bit weird, but all you need to do then is to write something like ‘For GDPR purposes, we need all existing subscribers to confirm that they wish to stay subscribed to this newsletter. Please click here to confirm your preferences.’
You should hyperlink the last section (with ‘create web link’) to *|UPDATE_PROFILE|* – it seems strange, but Mailchimp will recognise this as a kind of hyperlink. If in doubt, create a new list with your own email address as the only subscriber, create a test campaign and try it out to check it works.
If it doesn’t work, drop me a line directly on christian [ dot] sharp [at] fireflycomms.com and we can talk through it.
Hi. I think I followed your instructions to a tee but I now can’t find the results who ticked “No” and “yes” in their responses to my Opt In/out of info. Where do I find this?
Hi Jane – if you go into the list in Mailchimp, it should either be along the top of the contact information box, or visible in ‘manage contacts -> groups’
Thank you so much Christian! This article has been far more helpful than being on a chat for 1 hour with a Mailchimp rep!
No problem – glad it’s been helpful 🙂
Yes all helpful, though the drop down ‘yes and no’ is not visible when the page comes up, nor are the arrows so looks confusing. So you are left wondering what to do.
It is getting close, I must admit, I am unimpressed with MailChimp!
So, plan B. I have created a new list, with a new sign up link to send to all my old subscribers, with 1 opt in step.
Hopefully that will work!
I think we’re going to see a lot of that – the ‘new list’ option faces the same problem as our solution here (that subscribers may well miss the email) so do allow plenty of time. Also, remember to enable the double-opt in so that you’ve got cast-iron proof of consent!
Thanks for the article – it’s very helpful.
If you’re sending out reminders in several successive newsletters, it’s possible to use conditional merge tag blocks in the newsletter to make sure that people who’ve already reconfirmed don’t get shown the reminder again and again. Here’s some sample text, using the group name from your example:
*|INTERESTED:I would like to stay subscribed to this newsletter:Yes|*
Thanks for confirming that you want to stay on our mailing list.
Important! Please confirm that you want to stay on our mailing list.
We’re having a spring clean to prepare for new data protection laws coming in in May. Please spare a few of seconds to confirm that you would like to keep getting emails on us!
Follow this link to confirm that you want to stay on the list.
(with the “Follow this link” line being a hyperlink to *|UPDATE_PROFILE|*)
This shows a thankyou message to people who’ve already answered “Yes”, and the full reminder to everyone else. It does assume that anyone who’s answered “No” has already been removed from the list, of course!
I’ve shown the mergefields on separate lines for clarity. In reality you’d put them all on the same line to avoid extra blank lines in the newsletter.
It’s also worth mentioning that it may not be necessary to get ALL subscribers to reconfirm. If you have a web sign-up form that already happens to be GDPR-compliant and people have been using it to sign up to your mailing list, there’s no real need to get those subscribers to reconfirm. In fact, for those who only subscribed recently, it would be irritating for them. They will be marked in the list as “Source: Hosted Signup Form”. Mailchimp stores the date and time both of the initial sign-up and the confirmation, so you have an audit trail.
You do, of course, need to check that your current sign-up form is compliant – and that it was in the past when those people used it to subscribe.
Superb, thanks Andy!
You’re welcome. 🙂 Sorry about the typos in the text; I think I got all the merge tags correct though.
I’ve just noticed a minor drawback of your technique:
If you’re using the default Mailchimp Signup form to collect NEW subscribers, the group options (“I would like to stay subscribed to this newsletter Yes|No”) will automatically be added to the Signup form as well as the Update Profile form. That looks a bit odd to a new subscriber. “Of course I want to stay subscribed! Do you think I changed my mind halfway through the form?”
In a paid-for Mailchimp account I guess that can be fixed using advanced form customisation, but in a free account I can’t see any way round it other than to use embedded HTML forms instead.
You’re absolutely right – we’d approached this specifically because the topic had come up at one of our events and in press (Wetherspoons deleting its entire database rather than re-consenting), and until Mailchimp releases specific GDPR tools, it’ll remain a ‘vinegar and brown paper’ workaround rather than a foolproof plan!
Thanks Steph – the point on clicks is really well made; that would be a solid way of showing consent
Recital 171 of the GDPR Directive states that processing that has already been completed or is underway should be brought into regulation within the period of 2 years. Meaning existing subscription lists have 2 years to be reconfirmed with the required recording of complicit consent. (showing the form at point of signing did indeed conform )
No need to panic with existing subscription lists, only with getting your current forms and new subscriptions.
Hope that helps.
I’m am a little bit confused about this – I don’t think this gives a proof of consent from your subscribers that complies with GDPR… Basically, as an email marketer, you need to have an IP address from which user subscribed and TIME when he subscribed, also form from which he subscribed saved… This proof gets saved in your list… (CONFIRM_IP and CONFIRM_TIME fields for Mailchimp). I was hoping that this method would get these fields filled but no – I tested this and fields stay the same as before (your systems IP or blank). Or am I missing something? I think there is a reason why Mailchimp suggests to delete your list and resend them the reconfirm email through different means than MailChimp.
Sorry for cringy English.
Hi Uldis, no worries – but you don’t need an IP address or the time. What you need is ‘clear and unambiguous consent’ – but what that looks like is left up to you. If you want to read more about it, the ICO has a page which is both quite helpful and quite broad here: https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/lawful-basis-for-processing/consent/
This looks like a great approach but I’ve hit a snag when implementing. The group fields are not ‘required’ (Mailchimp apparently sees these as an added option for interests, and people should be allowed to have none). Aren’t we in danger of missing loads of customers who just don’t answer the question?
If anyone know how to make the field required that would be ideal!
I would really like to know this too please? The ‘yes/no’ field being completed by the subscriber is key to make this work.
Thanks both – this has been an interesting one, and there’s two things to note here.
Firstly, for some reason, Mailchimp doesn’t allow dropdown menu boxes to be ‘required’ fields. However, it does allow text boxes to be required fields – so if you want to force your subscribers to say something, you can update your fields in this way. However … this won’t make segmentation the easiest task, because it’s not a dropdown – you may get people saying “YES” rather than “Yes” for example – or “bananas” because it’s an unrestricted field.
Secondly, Mailchimp has just released its GDPR tools – you can see them here: https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms
Some parts of it are useful – the ‘template legal text’ is a bit of a time-saver – but there is a healthy list of caveats about the whole process (including the GDPR forms not being compliant with certain kinds of forms, like embedded forms). Similarly, Mailchimp’s guidance right at the end (about not repermissioning after May 25th) is – in our view – in conflict with Recital 171 of GDPR, which states that ‘Processing already under way on the date of application of this Regulation should be brought into conformity with this Regulation within the period of two years after which this Regulation enters into force’.
However, they are probably just being super careful!
Thanks so much – this looks to be just what we need. I have added the column to our list – great – but when I add the hyperlink to the newsletter *|UPDATE_PROFILE|* and try to follow it, I get the 404 message. Am I doing something wrong here? Many thanks
Hi Jane – apologies for the late response, you fell into our spam box! A few things to check when you’re inserting the hyperlink – are you doing it as if you’d hyperlink a ‘normal’ website? For example, do you just highlight the text, click on the link button, then select ‘web address’ and then paste *|UPDATE_PROFILE|* in there? Mailchimp should do the rest. Also – where does the 404 take you? Does it take you to a mailchimp-specific 404?
This is *such* a useful thread, which I’m going to follow.
Thanks to the author, Christian and all the contributors.
When you think this is just a tiny snapshot of what a myriad of SME marketers are going through (largely on their own), I expect to see a peek of holiday bookings on the 26th of May!
Good luck, everyone.
Ha! Couldn’t agree more Claire – we all deserve a long sit in the sunshine for all this blood, sweat and tears…
One other point as well – I think that if anything, it highlights how difficult GDPR is to navigate as a piece of regulation. It all seems relatively cut and dried, but navigating the difference between legitimate interest, explicit and unambiguous consent, not to mention re-permissioning, the technical requirements of ‘personal data’ is hugely ‘messy’ and subject to significant interpretation. In our opinion, it’s going to take a few years to get a real understanding of the ‘proper’ interpretation of the regulation itself – and in the UK, this will (presumably) be based on precedent, so it’ll take a few court cases!
There’s already a template for this: https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-forms
Thanks – we’d written this last year, well ahead of Mailchimp’s own tools (which came out this week) – and neither is a perfect fix, in our opinion. I’ll update the article to avoid any further confusion though.
Hi CJ – have you followed this process through? When I go to step 5, the supposedly pre-populated GDPR Alert forms were blank.. Maybe I’m fat-fingered? TedHJ
I think the issue may lie with Segments. at Step 5 You have to create Segments of your list that match the ‘Marketing Permissions’ tick boxes. However, its a ‘catch 22’ as you can’t create segments that meet the criteria – you get the error message – “Goose egg – No contacts match your selection”. I have now tried this on 2 separate accounts..
That does sound odd – to do some hygiene checks: when you go to lists and form builder, does the new marketing permissions page come up? Is your list marked with ‘GDPR’ from the first step?
Hi Ted – just to help CJ answer, which (5) do you mean from this page? Looks like there are four fives to choose from!
Hi Christian / CJ – yes it’s step 5 of the “Segment Your List By Marketing Permissions” section. Thanks for asking me to clarify 🙂 Ted – PS please give my best regards to Claire
Hopefully other commenters have some thoughts on this too, but our take – (and Claire says hello by the way!) is that the segment definitely will be blank if you’ve not re-permissioned because you’ve not sent out a re-consent mail yet!
I think that Mailchimp have put the ‘segmentation’ section there to cover their behinds – they can’t be seen to advocate sending a mailer to an unconsented list – but really the ‘collect consent’ section should be first to fill the segment (until May, of course)
Hi Christian – I just found your site today as I’m trying to work through reconfirming our MailChimp list and I confess I am struggling. We are a small company with limited IT skills and this is falling to me. I have spent several hours trying to follow your advice and have opted for a sample list to test the functionality first, but the [UPDATE_PROFILE] link just doens’t work – have tried several times and I get a ‘corrupted content error’. I really don’t know what to do. Could you advise please?
Hi Sara, don’t worry – a test on a sample list is always a good way to start! I’ve got a list and campaign with just me on it for exactly that purpose. If you create a campaign for your sample list, try just hyperlinking one of the words – it doesn’t matter which one. When the hyperlink option comes up, choose web address and paste in *|UPDATE_PROFILE|*
You don’t need to paste anything else, just everything including and between the two stars. Then save and send a test mailer to yourself. When you click on the link, it should take you to the right page – does that work? If not, drop me a note on email@example.com and we can pick things up from there.
Hi Christian! Thank you for your article.
Could you tell me, please, does it make sense if I (as administrator) can manually edit profile info and change NO for YES? From the side of those who will check it (hope, they won’t, but..)
Hi Alyona. I’ve just checked and – rather alarmingly – you can. That’s another reason why I think Mailchimp’s GDPR tools aren’t perfect – although this also applies to the ‘update profile’ route suggested above. I would suggest that you carry out education / training for people who have access to your mailchimp platform so that they understand the importance of not changing this! That’s one of the reasons why a lot of adtech data will be held by the IAB EU – it’s a neutral third party that can control access and modification.
Hate to say it, but the regs came into force on 24 May 2016 (and was approved by the EU on 14 April 2016), it’s enforceable from 25th May 2018 (i.e you can get fined). The two years thing in recital 171, refers to 2 years from 24 May 2016. Hope that helps.
That’s an excellent point – just checked and you’re quite right, thanks Billy. Just goes to show – check with your lawyers, folks!
Thank you so much for your article. I had do this and sent it to my lists, but they aren’t answer all of them. So I need to separate my lists with the accepted and with those that not accept. How I can do this?
Because now, how is possible to send only to those who had confirmed?
Waiting for your supportive answer.
Hi Efsevia – firstly, please do understand that ‘legitimate interest’ is also a valid basis for contacting people under GDPR, so as long as you’re not spamming people and have carried out a legitimate interest analysis, you’re probably ok. But if you do want to segment your lists, Mailchimp has lots of resources – start with this page and see how you get on.