MailChimp roadmap for GDPR

I have just enabled MailChimp GDPR fields for my email lists. In the MailChimp Form Builder this shows up as some explanatory text plus a set of checkboxes for different kinds of opt-in (email, direct mail etc.). The set of checkboxes appears to be implemented as a “group-like structure” called “Marketing Permissions”.

When I go into the Easy Forms plugin and try to edit my form, the newly added Marketing Permissions group does not show up in the list of “Interest Groups” available to add to the form. This is consistent with the information above that MailChimp has not made this functionality available via the API.

The post above seems to be suggesting that a way around this could be to add one’s own custom fields (labels and checkboxes) to “mimic” the standard GDPR fields that MailChimp now offers. As custom fields they would of course be available to the plugin. However I see several difficulties with this:

1. The standard MailChimp GDPR offering contains a lot of “boilerplate” text – some of which is editable – in addition to the option checkboxes. As well as the header title, the text stretches to three paragraphs (one before the checkboxes and two afterwards). I am not sure whether this quantity of text (which is in there for legal compliance) could be implemented via a custom group of checkboxes.

2. If custom fields were added, it effectively means that MailChimp’s own GDPR fields should be disabled. Otherwise you might have the possibility of the list being accessed directly via a MailChimp hosted form resulting in some subscribers opting in via the MailChimp fields, while other subscribers opt in via the custom fields. This could create chaos and make segmenting the list a nightmare.

3. Perhaps a small point, but when you come to segment your list the MailChimp GDPR “Marketing Permissions” is listed among the standard “Subscriber Data” set of fields. This is a more obvious, and “official looking”, location for this sort of data compared with a custom group.

4. Finally, in their discussion of GDPR tools MailChimp say “MailChimp will also keep a record of what each version of your form says, so you’ll always know exactly which fields were present on a form when it was submitted by a contact, and you can prove consent if the need arises.” Maybe this applies to all of the fields on the form, or is it meant to apply specifically to the MailChimp “Marketing Permissions” data? I’m not sure. If it is the latter it is another argument for sticking with the MailChimp fields.

I have to say I find it distressing that MailChimp are apparently not planning to make this functionality available via the API. This could push a lot of people away from using third party signup forms. I would be sorry to feel forced in this direction myself, but currently I’m not sure what to do…

Re storing the confirmation language in the Notes field:

I’ve just discovered (by accident) that there can be two sorts of notes. That’s to say, my list profile contains a field ‘Notes’ that I think I must have added as a custom field before becoming aware of the internal “Write a note” field. I guess you are referring to the latter, which seems to generate a series of separate date and timestamped notes.

I can see that the “internal” notes don’t seem to be searchable. That is, you can’t see them in the contacts listing nor use them to segment the list. (So I’m actually glad for my own custom notes field as it is more visible and easier to work with.)

If the “opt in” fields are stored as custom fields in the profile (therefore available for searching and segmenting) I don’t think the “invisibility” of the note should be an issue – but just pointing it out.

For info, I have currently switched to using the hosted MC signup form with GDPR enabled. I need to do this because time is pressing and I must get an email out to existing subscribers asking them to update their opt-in preferences (and allow enough time before 25 May for a reminder email if they don’t respond).

If you manage to create a workable alternative scheme I would certainly consider switching to it in future, provided that there is an easy way to copy the MC opt-in information (now already being collected) into your custom fields. But I would be concerned to look at any implications (for audit trail) of “abandoning” the MC setup…

Hi Kevin,

Re: “What you’re saying is you need a flag or some type of indicator in a MERGE field that marks a user as GDPR-confirmed user. Is that correct?”

Yes. What I currently have (via MC GDPR) is two checkboxes for
– Opted-in Email
– Opted-in Direct Mail

(We want to collect both variants of opt-in in one place so that a complete picture of the subscriber’s current contact preferences is stored. MC offer the GDPR checkbox fields as an open-ended list of options, i.e. you can delete or add different contact channels as you wish, e.g. I could have added a checkbox for Telephone except it isn’t relevant for us.)

I will need to email all existing subscribers asking them to state their preferences. MC offer an email template for this, which has a button that links to their hosted “update profile” form.

Assuming a lot of people don’t respond, I’ll then plan to send a second email as a reminder to the non-responders. To do this I need to segment the list according to opt-in responses, therefore I need something that can be used in creating a segment. Rather than a merge field, it should really be a group. (The MC set of opt-in checkboxes seems to act like a group.)

Hopefully this will be a once-off exercise, because new subscribers will have the opt-in boxes available from day one. But it is also essential that a subscriber has the ability to update their preferences later. This is not as simple as unsubscribing, because they might (for example) retain email opt-in but want to delete direct mail opt-in. So it would have to happen via the email link to the MC-hosted “update profile” form rather than unsubscribe. Therefore the opt-in preference boxes MUST be part of the subscriber profile inside MC, so as to be available for editing.

Also there is a clear need to be able to demonstrate subscriber preferences for audit purposes, and we are also obliged legally to give subscribers a copy of their data if they ask for it. I feel that if the opt-in data were held externally to MC it could make these requirements considerably more complicated…

So in answer to “Do you think that (1) storing the confirmation language as a note and (2) storing a flag like “GDPR Confirmed” in a text MERGE field would be sufficient?”:

Basically Yes, but it’s complicated if you want to give users the ability to have several different kinds of opt-in for different communication channels. This implies a group of checkboxes rather than a simple merge field, and the list owner would need to be able to customise the range of choices offered.

I guess you could decide instead to limit the plugin to collecting only “email opt-in consent”. But this is a bit problematic, because if a subscriber wants to update their preferences, they would expect to be presented in their profile with the whole range of things they might have opted into. If they can only see “email”, but say (for example) they have been receiving direct mail and want to opt out, they may begin to distrust the organisation if they can’t see and edit it.

This is “what if” speculation, and I’m not sure how important it is to allow a range of opt-in choices in different checkboxes. However this facility is already provided in the MC fields. So for any organisation employing multiple communication channels, for which consent is separately needed, the question might be “why wouldn’t we use the MC built-in GDPR fields” (instead of the plugin) if they provide this extra functionality…