Support » Plugin: Easy Forms for Mailchimp » MailChimp roadmap for GDPR

  • Ambyomoron


    I just finished a support call with Mailchimp, which concluded with the following statement: Changes to MailChimp to include GDPR functionality are limited to the MailChimp hosted and popup signup forms that are NOT managed in advanced mode. MailChimp does not have on its roadmap plans to make this functionality available via the API and via advanced mode editing of forms at MailChimp.

    Thus, any compliance with GDPR that requires additional labels, buttons or checkboxes on signup forms must be custom designed by the list owner. Of course, plugins like this one will be able to handle any of those custom fields.

    If anyone has different information about what MailChimp is planning to do, please share it here.

Viewing 15 replies - 1 through 15 (of 21 total)
  • I have just enabled MailChimp GDPR fields for my email lists. In the MailChimp Form Builder this shows up as some explanatory text plus a set of checkboxes for different kinds of opt-in (email, direct mail etc.). The set of checkboxes appears to be implemented as a “group-like structure” called “Marketing Permissions”.

    When I go into the Easy Forms plugin and try to edit my form, the newly added Marketing Permissions group does not show up in the list of “Interest Groups” available to add to the form. This is consistent with the information above that MailChimp has not made this functionality available via the API.

    The post above seems to be suggesting that a way around this could be to add one’s own custom fields (labels and checkboxes) to “mimic” the standard GDPR fields that MailChimp now offers. As custom fields they would of course be available to the plugin. However I see several difficulties with this:

    1. The standard MailChimp GDPR offering contains a lot of “boilerplate” text – some of which is editable – in addition to the option checkboxes. As well as the header title, the text stretches to three paragraphs (one before the checkboxes and two afterwards). I am not sure whether this quantity of text (which is in there for legal compliance) could be implemented via a custom group of checkboxes.

    2. If custom fields were added, it effectively means that MailChimp’s own GDPR fields should be disabled. Otherwise you might have the possibility of the list being accessed directly via a MailChimp hosted form resulting in some subscribers opting in via the MailChimp fields, while other subscribers opt in via the custom fields. This could create chaos and make segmenting the list a nightmare.

    3. Perhaps a small point, but when you come to segment your list the MailChimp GDPR “Marketing Permissions” is listed among the standard “Subscriber Data” set of fields. This is a more obvious, and “official looking”, location for this sort of data compared with a custom group.

    4. Finally, in their discussion of GDPR tools MailChimp say “MailChimp will also keep a record of what each version of your form says, so you’ll always know exactly which fields were present on a form when it was submitted by a contact, and you can prove consent if the need arises.” Maybe this applies to all of the fields on the form, or is it meant to apply specifically to the MailChimp “Marketing Permissions” data? I’m not sure. If it is the latter it is another argument for sticking with the MailChimp fields.

    I have to say I find it distressing that MailChimp are apparently not planning to make this functionality available via the API. This could push a lot of people away from using third party signup forms. I would be sorry to feel forced in this direction myself, but currently I’m not sure what to do…

    Plugin Contributor yikesitskevin


    Hi @mfmorris,

    Thank you for taking the time to write that up. That was a very helpful and detailed explanation.

    Perhaps this is a good place to discuss our current strategy for handling GDPR.

    We’d like to push for users to use the EU Opt-in Compliance plugin. This plugin allows you to add a checkbox w/ disclaimer language to your form. I believe all we will need to do is add a way to store the checkbox/disclaimer language w/ the rest of the signup data.

    Does that sound adequate?

    Is it necessary to allow users to create multiple checkbox + disclaimer paragraphs (currently, you can only have one)?



    The problem as I see it is the interest in having in one place all the details required to show compliance with the law. If I am audited, I need to show precisely what the subscriber agreed to, the fact that he or she did agree, and that my subsequent mailing actions comply with the wishes of the subscribers. Ideally, all that should be available in one place. MailChimp has provided such a solution, but only if you use optin forms that they host. Obviously, we users of this plugin have decided to use a different approach.

    In my view, the next best solution is to have everything (including the custom fields needed to document compliance) stored on MailChimp. It seems to me that the record of the subscriber explicitly agreeing to the conditions described in the signup form must be stored somewhere. That somewhere could be in the MailChimp list records. So, for example, you could store in each list record a copy of the text on the signup form used to explain how personal data is to be used (for example, “By clicking here you authorize us to use your personal data to send you mailings about our products”). I would also include a date field to hold the date on which the subscriber submitted the form with that agreement. By so doing, I have an explicit, auditable record demonstrating compliance with the law (at least as far as opting in is concerned).

    If we use the EU Opt-in Compliance plugin, is there a record stored anywhere of who checked what? I doubt that an auditor would accept my explanation that the record would not be in the list unless the subscriber had checked the box!

    By the way, there are two issues with your compliance plugin:
    1) allowing the check box to be pre-checked: This is absolutely not valid under GDPR
    2) Your example at where you give the text “Please check the checkbox to ensure that you comply with the EU laws”: this statement is incorrect. It is the list owner, not the subscriber, that must comply with the law.

    Plugin Contributor yikesitskevin


    I would also include a date field to hold the date on which the subscriber submitted the form with that agreement.

    MailChimp already holds the subscribe date. Why do you think we need a second GDPR-subscribed date?

    If we use the EU Opt-in Compliance plugin, is there a record stored anywhere of who checked what?

    No. This is what we would be building out. It wouldn’t be stored in WordPress – it would be mapped to a MailChimp field. The user would be required to make a field in MailChimp to hold the disclaimer/checkbox/agreement text, and then put that field (somehow) into the EU Compliance plugin. When the form is submitted, the disclaimer text will be stored in that field.

    Allowing the check box to be pre-checked

    It’s not valid to pre-check a checkbox however there is no law against having the ability to pre-check a checkbox. We will be defaulting with the checkbox unchecked. (And may include some language indicating that pre-checking is not allowed). (Edit: the reason for this is the plugin can be used in a variety ways and some current users or non-GDPR users might be adversely affected)

    Your example at where you give the text “Please check the checkbox to ensure that you comply with the EU laws”: this statement is incorrect. It is the list owner, not the subscriber, that must comply with the law.

    The language will be updated.

    • This reply was modified 2 years, 7 months ago by yikesitskevin.


    The second date would be for all those people who had hitherto subscribed but have now reconfirmed their subscription under GDPR. I would not want to lose the original subscription date.

    Plugin Contributor yikesitskevin


    YIKES GDPR Update:

    Our initial plan of storing the Checkbox Confirmation Language in a MERGE field is not feasible: Text MERGE fields have a character limit of roughly 250 characters.

    Because of this, we’ll be looking to add the checkbox confirmation language as a “note” on a subscriber’s profile. This gives us two advantages: a note can hold 1,000 characters and is automatically date & timestamped.

    If you’d like to keep an eye on these updates, check out our GitHub repo for the EU Compliance Plugin:

    Cheers all,

    Re storing the confirmation language in the Notes field:

    I’ve just discovered (by accident) that there can be two sorts of notes. That’s to say, my list profile contains a field ‘Notes’ that I think I must have added as a custom field before becoming aware of the internal “Write a note” field. I guess you are referring to the latter, which seems to generate a series of separate date and timestamped notes.

    I can see that the “internal” notes don’t seem to be searchable. That is, you can’t see them in the contacts listing nor use them to segment the list. (So I’m actually glad for my own custom notes field as it is more visible and easier to work with.)

    If the “opt in” fields are stored as custom fields in the profile (therefore available for searching and segmenting) I don’t think the “invisibility” of the note should be an issue – but just pointing it out.

    For info, I have currently switched to using the hosted MC signup form with GDPR enabled. I need to do this because time is pressing and I must get an email out to existing subscribers asking them to update their opt-in preferences (and allow enough time before 25 May for a reminder email if they don’t respond).

    If you manage to create a workable alternative scheme I would certainly consider switching to it in future, provided that there is an easy way to copy the MC opt-in information (now already being collected) into your custom fields. But I would be concerned to look at any implications (for audit trail) of “abandoning” the MC setup…

    Plugin Contributor yikesitskevin


    Hi @mfmorris,

    Thank you as always for your detailed responses.

    So our current GDPR implementation would only store the checkbox confirmation language inside MailChimp and this would be stored as an unsearchable/unsegmentable note. What you’re saying is you need a flag or some type of indicator in a MERGE field that marks a user as GDPR-confirmed user. Is that correct?

    Do you think that (1) storing the confirmation language as a note and (2) storing a flag like “GDPR Confirmed” in a text MERGE field would be sufficient?

    Let me know.

    Thank you,



    Regarding the issue of a 250 character limit to merge fields, as opposed to a 1000 char limit to notes, I observe the following:

    The language of whatever the subscriber agrees to should appear as the label to the check box. 250 chars is already a lot to read and could be very discouraging. 1000 chars seems to me to be excessive.

    Thus, if you say something like:

    By checking this box you agree that we use your personal data for sending you emails about our products and events. For complete details, see our policy at // (ver 1.0)

    doesn’t that suffice (I am asking for a common sense, not a legal, opinion)? A copy of the policy page could be saved elsewhere, for audit purposes.

    Is it really necessary to go beyond a 250 char limit? That being said, my own needs are relatively simple, but aren’t they similar to the vast majority of sites’ needs?

    But I would really, really like to have the chance to put a hyperlink in the label, as I have asked elsewhere.

    Plugin Contributor yikesitskevin


    Hi Josiah,

    One of my reasons for needing more than 250 characters is that MailChimp’s GDPR fields are over 250 characters (shown below). Also, a lot of people use this plugin and I’m sure someone out there will want more than 250 characters.

    MailChimp has three separate paragraphs for GDPR information.

    Paragraph 1 – ~190 characters

    [COMPANY NAME] will use the information you provide on this form to be in touch with you and to provide updates and marketing. Please let us know all the ways you would like to hear from us

    Paragraph 2 – ~380 characters

    You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at [EMAIL]. We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms.

    Paragraph 3 – ~240 characters

    We use MailChimp as our marketing automation platform. By clicking below to submit this form, you acknowledge that the information you provide will be transferred to MailChimp for processing in accordance with their Privacy Policy and Terms’

    (All character counts include stripping HTML tags, which our plugin would do before sending the field to MailChimp)

    Thank you as always for your input.


    Hi Kevin,

    Re: “What you’re saying is you need a flag or some type of indicator in a MERGE field that marks a user as GDPR-confirmed user. Is that correct?”

    Yes. What I currently have (via MC GDPR) is two checkboxes for
    – Opted-in Email
    – Opted-in Direct Mail

    (We want to collect both variants of opt-in in one place so that a complete picture of the subscriber’s current contact preferences is stored. MC offer the GDPR checkbox fields as an open-ended list of options, i.e. you can delete or add different contact channels as you wish, e.g. I could have added a checkbox for Telephone except it isn’t relevant for us.)

    I will need to email all existing subscribers asking them to state their preferences. MC offer an email template for this, which has a button that links to their hosted “update profile” form.

    Assuming a lot of people don’t respond, I’ll then plan to send a second email as a reminder to the non-responders. To do this I need to segment the list according to opt-in responses, therefore I need something that can be used in creating a segment. Rather than a merge field, it should really be a group. (The MC set of opt-in checkboxes seems to act like a group.)

    Hopefully this will be a once-off exercise, because new subscribers will have the opt-in boxes available from day one. But it is also essential that a subscriber has the ability to update their preferences later. This is not as simple as unsubscribing, because they might (for example) retain email opt-in but want to delete direct mail opt-in. So it would have to happen via the email link to the MC-hosted “update profile” form rather than unsubscribe. Therefore the opt-in preference boxes MUST be part of the subscriber profile inside MC, so as to be available for editing.

    Also there is a clear need to be able to demonstrate subscriber preferences for audit purposes, and we are also obliged legally to give subscribers a copy of their data if they ask for it. I feel that if the opt-in data were held externally to MC it could make these requirements considerably more complicated…

    So in answer to “Do you think that (1) storing the confirmation language as a note and (2) storing a flag like “GDPR Confirmed” in a text MERGE field would be sufficient?”:

    Basically Yes, but it’s complicated if you want to give users the ability to have several different kinds of opt-in for different communication channels. This implies a group of checkboxes rather than a simple merge field, and the list owner would need to be able to customise the range of choices offered.

    I guess you could decide instead to limit the plugin to collecting only “email opt-in consent”. But this is a bit problematic, because if a subscriber wants to update their preferences, they would expect to be presented in their profile with the whole range of things they might have opted into. If they can only see “email”, but say (for example) they have been receiving direct mail and want to opt out, they may begin to distrust the organisation if they can’t see and edit it.

    This is “what if” speculation, and I’m not sure how important it is to allow a range of opt-in choices in different checkboxes. However this facility is already provided in the MC fields. So for any organisation employing multiple communication channels, for which consent is separately needed, the question might be “why wouldn’t we use the MC built-in GDPR fields” (instead of the plugin) if they provide this extra functionality…

    It would be great if the Yikes form builder allowed us to also insert text (HTML) blocks. I’d like to place a block explaining what the user agrees to before the checkboxes for email and such. And obviously, it would be helpful to be able to have links in those text blocks to refer to MailChimp terms, etc. and to make it a bit more prominent than the current field descriptions.

    While this is certainly not a one-size-fits-all solution for GDPR, it would be flexible enough to comply with the most basic requirements.

    Plugin Contributor yikesitskevin


    Hi @wiltschek,

    Good idea. Turning the form description field from a textarea to a real editor (WYSIWYG) will definitely be helpful.

    That would definitely help. I’m already always turning of labels and using the description as a label. So instead of


    I can do

    Please enter your name:

    Having more control over the description would be great in any case.

    Plugin Contributor yikesitskevin


    @wiltschek Are you referring to field descriptions or the form’s description? It’d be difficult to make field description’s into rich text fields. The form description (shown at the top of a form) is what I was referring to.

    If you’re looking at add HTML to your field descriptions, you can do this with a filter. For example:

    add_filter( 'yikes-mailchimp-FNAME-description', 'yikes_mailchimp_html_FNAME_field_description', 10, 2 );
    function yikes_mailchimp_html_FNAME_field_description( $description, $form_id ) {
    	return '<p><i>HTML description</i></p>';
Viewing 15 replies - 1 through 15 (of 21 total)
  • The topic ‘MailChimp roadmap for GDPR’ is closed to new replies.