3 crucial reasons why MailChimp may not be your best choice under the GDPR compliance regime

Den Howlett, May 15, 2018
MailChimp's approach to GDPR is both inflexible and constrained, to the point of making me concerned about whether they can provide the tools to keep customers compliant. Here's why.

If you're a small or medium-sized business (that's about 94% of all businesses), then the chances are you have stumbled across MailChimp as an email marketing service provider. They claim to be the world's largest email marketing provider.

I've used them for many years, largely because I liked the fact that they were insistent on using double opt-in as a way of protecting against spam. Campaign creation has been mostly OK, even if the WYSIWYG editor isn't, with some functionality missing. But like most systems, you learn the workarounds. GDPR changed all that. Now I am seriously considering moving on.

I suppose the warning signs should have been there when MailChimp announced that double opt-in was being dropped, only to hastily reverse course once they saw the backlash from EU customers.

The way MailChimp handles GDPR compliance for existing list members is clunky at best, and it exposes flaws in how they appear to handle data, flaws I believe are serious enough to make me doubt whether they are GDPR compliant as data processors.

Exhibit 1 - deleting unsubscribed members

MailChimp takes the view that an unsubscribed member is not necessarily one that should be deleted, because they might be subscribed on multiple lists and/or for multiple purposes. That's fine as far as it goes. But when, as I pointed out in a previous article, the only reason they are on a list is to receive email, then deletion should be straightforward. It isn't. And it's confusing.

It is possible to create a segment of unsubscribed members and then bulk delete them in groups of 100. But after the page telling you those members have been queued for deletion has refreshed, the list count remains the same and I see the same names I saw the first time around.

To make matters more 'interesting', Zapier tells me that these members have been unsubscribed while the MailChimp dashboard says: "Finished: deleting 100 members." Since Zapier only collects data that MailChimp exposes, I have to ask: what's happening here, when the members were segmented for the condition 'unsubscribed' in the first place?

And just to cap it all, I can not only still see the members that have ostensibly been deleted, I can still see their data. Goodbye 'right to be forgotten'?

UPDATE: MailChimp knows this is an issue and plans to release improved deletion tools. If they don't arrive by May 25th, you will have to be certain that your people are not doing anything they shouldn't with this data.
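One way to check Exhibit 1 independently, rather than trusting the "Finished: deleting" message, is to reconcile an audience export taken before the bulk delete against one taken after the dashboard reports it finished. The script below is an added example for this article, not MailChimp's tooling and not code from the original post. The two CSV snapshots are constructed, the column names are assumed to match a MailChimp audience export (adjust them if yours differ), and the MD5-of-lower-cased-email identifier is the subscriber hash MailChimp's API uses to address a member, so anything the report flags can be looked up directly against the API.

```python
import csv
import hashlib
import io

# Constructed sample exports (not real MailChimp data). Column names are
# assumed to match a MailChimp audience export; adjust if yours differ.
BEFORE_EXPORT = """Email Address,First Name,Last Name,Status
alice@example.com,Alice,Andrews,unsubscribed
bob@example.com,Bob,Brown,unsubscribed
carol@example.com,Carol,Clark,subscribed
"""

# Snapshot taken after the dashboard reported the queued deletion finished.
AFTER_EXPORT = """Email Address,First Name,Last Name,Status
alice@example.com,Alice,Andrews,unsubscribed
carol@example.com,Carol,Clark,subscribed
"""

# Fields whose continued presence means personal data was retained.
PERSONAL_FIELDS = ("First Name", "Last Name")


def subscriber_hash(email: str) -> str:
    """MailChimp addresses a member by the MD5 of the lower-cased email."""
    return hashlib.md5(email.strip().lower().encode("utf-8")).hexdigest()


def load_members(export_text: str) -> dict:
    """Map subscriber hash -> export row for one snapshot."""
    rows = csv.DictReader(io.StringIO(export_text))
    return {subscriber_hash(row["Email Address"]): row for row in rows}


def verify_erasure(before_text: str, after_text: str,
                   queued_status: str = "unsubscribed") -> dict:
    """Reconcile the members queued for deletion against the later snapshot.

    Returns the hashes that are actually gone and, for members still present,
    which personal-data fields remain populated (evidence the record survived).
    """
    before = load_members(before_text)
    after = load_members(after_text)
    queued = {h for h, row in before.items()
              if row["Status"].strip().lower() == queued_status}
    erased = sorted(queued - set(after))
    still_present = {}
    for h in sorted(queued & set(after)):
        row = after[h]
        retained = [f for f in PERSONAL_FIELDS if row.get(f, "").strip()]
        still_present[h] = {"email": row["Email Address"],
                            "retained_fields": retained}
    return {"queued": len(queued), "erased": erased,
            "still_present": still_present}


if __name__ == "__main__":
    report = verify_erasure(BEFORE_EXPORT, AFTER_EXPORT)
    print(f"queued for deletion: {report['queued']}, "
          f"actually gone: {len(report['erased'])}")
    for h, info in report["still_present"].items():
        print(f"STILL PRESENT {info['email']} (hash {h}) "
              f"fields kept: {info['retained_fields']}")
```

With the constructed snapshots, one of the two queued members is gone and the other is still present with name fields intact, which is the situation the article describes: a completion message on the dashboard is not evidence of erasure, and the export comparison is what you would keep as proof of what actually happened.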

Exhibit 2 - you do GDPR our way or no way

Again, as I said in an earlier piece, we want to keep double opt-in as a way of demonstrating best practice. We're aware that some email systems are aggressive about treating email subscription confirmations as spam, but a check on Neverbounce showed me that our lists are 'clean' in the sense that less than 1% of all emails sent do not bounce.

We want to combine double opt-in with the checkbox GDPR statement as a way of both setting out our approach while at the same time having that all-important GDPR opt-in confirmation on the subscriber's record. Is that possible? Nope.

This doesn't make sense to us. New members should know what they are signing up for, and including on a sign-up form a field that does not adequately explain the ways in which we hold data, yet asking the person to check the box, misses the mark. It is both an ugly UX issue and, in our opinion, positioned at the wrong point in the process.

That's tough because we use a third party to create the sign-up form, largely because the ones MailChimp provides are...crap. There are numerous suppliers of this kind and I suspect that each one of them has largely been ignored because, as far as I can tell, there is no obvious way to include the embedded GDPR compliance field on a third party form.

However, the MailChimp member record does show how the member signed up, in the sense of using a form or some other method, but doesn't include the double opt-in as a field on their member record.

UPDATE: MailChimp came back suggesting that we use a custom merge field for the purpose, but warned that we are taking the risk on compliance. We are on the hook as data controllers anyway, so nothing new there.

Exhibit 3 - updating preferences is an illusion

We created a form that uses the embedded field that allows folk to update preferences. Creating this form was a PITA because you have to hide a bunch of fields from the main sign-up form in order to make it work. I can see why this was done.

It harks back to a time when people might have wanted to change email address, location or any other information for that matter.

We only want to use it for GDPR compliance so the only field I want to show is the email address and the checkbox, along with some explanation as to what's going on.

That means anyone wanting to change other data is out of luck - the fields are hidden.

This is a clusterf&*k of epic proportions because there is only ONE update preferences form available.

UPDATE: There's no answer that makes sense in a GDPR situation because of a (mostly) hidden feature. I'll post separately on this.

My take

At this point in the process, I have a clutch of open tickets with MailChimp around these topics. I have advised them that they need to look at whether what they are doing provides us with the best opportunity to remain compliant in an environment where the lack of flexibility in handling an embedded field is crimping our ability to get this sh*t done.

My sense is that, for all the many pages of splurge on GDPR and the walkthroughs available, the development has been handled as an add-on with no real attempt to understand how this might impact existing - and legitimate - processes. It's a classic 'upgrade' design error normally reserved for other companies who shall remain nameless.

Since the onus is upon us to ensure compliance I have to take a view. Have I done all that I could? Short of dumping MailChimp and going to a provider that can handle this more intelligently - yes. If we move elsewhere, will we still be compliant?

We have a fallback in the sense we are not marketing to anyone but merely providing information and have been assiduously working through the GDPR process for some time. That could change as we consider modifications to the business model.

Most people I speak with are concerned that GDPR will mean decimating their email lists. I have no doubt that at the first full cut, I will dump at least 18% of ours. A more detailed examination might mean I end up cutting as much as 60% away. We shall see. I am not in the slightest bit concerned. As I have said before, GDPR represents a great chance to clean up a list that has a degree of 'rot.' The problems come through when your email list provider doesn't make it easy for you to provide the assurances needed.

The big question, though, is whether any of the other providers are any better. We shall see as I start looking at a few demos and ask pointed questions.

Endnote: I will update this story with any progress made with the MailChimp support team.

UPDATE: More generally, MailChimp has provided an update on where it's at with GDPR.
