MailChimp responds to GDPR concerns with new sign-up changes

1 Nov 2017


MailChimp receives some criticism after changing a key sign-up feature.

On 24 October, MailChimp service users received an email stating that the company would be changing a default behaviour in how people subscribed.

MailChimp decided to change subscription settings by default to single opt-in, after touting the benefits of double opt-in for many years.

On 25 October, designer and responsible innovation advocate Per Axbom wrote a Medium post about the dangers of MailChimp’s new policy.

Single v double

Single opt-in means that a person only needs to enter an email address and click subscribe to join a MailChimp list; whereas with double opt-in, there was a further step taken to ensure the person really wanted to subscribe, namely a confirmation email sent to the address entered.
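The difference between the two flows, sketched as an added example (not MailChimp's code): a sign-up list that either subscribes an address as soon as the form is submitted, or holds it until a signed, expiring token from the confirmation email is returned. The `SignupList` class, the secret, the 48-hour lifetime and the token layout are all assumptions made for illustration.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-secret"  # assumption: key held only by the list server
TOKEN_TTL = 48 * 3600                # assumption: confirmation link valid for 48 hours

def sign(email, issued):
    """MAC binding a confirmation link to one address and one issue time."""
    return hmac.new(SECRET, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()

class SignupList:
    def __init__(self, double_opt_in):
        self.double_opt_in = double_opt_in
        self.subscribed = {}  # email -> consent record kept as evidence
        self.outbox = []      # (email, token) pairs standing in for sent confirmation emails

    def submit_form(self, email, form_ip, now=None):
        now = int(time.time() if now is None else now)
        email = email.strip().lower()
        if not self.double_opt_in:
            # Single opt-in: whoever typed the address subscribes it; nothing
            # shows that the mailbox owner was involved.
            self.subscribed[email] = {"form_ip": form_ip, "form_at": now, "confirmed_at": None}
            return "subscribed"
        # Double opt-in: nothing is stored until the emailed token comes back.
        self.outbox.append((email, f"{now}.{sign(email, now)}"))
        return "pending"

    def confirm(self, email, token, confirm_ip, now=None):
        now = int(time.time() if now is None else now)
        email = email.strip().lower()
        issued_text, _, mac = token.partition(".")
        try:
            issued = int(issued_text)
        except ValueError:
            return False
        if not hmac.compare_digest(mac.encode(), sign(email, issued).encode()):
            return False  # forged, altered, or issued for a different address
        if not 0 <= now - issued <= TOKEN_TTL:
            return False  # expired link
        self.subscribed[email] = {"form_at": issued, "confirmed_at": now, "confirm_ip": confirm_ip}
        return True
```
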

The email from MailChimp that users received last week read: “Starting October 31, single opt-in will become the default setting for all MailChimp hosted, embedded and pop-up sign-up forms. This change will impact all MailChimp users, so here’s everything you need to know:

“All MailChimp sign-up forms – including all of your existing forms – will shift from double opt-in to single opt-in. This change will occur automatically; you don’t need to make any manual adjustments within your account.

“The overall sign-up process will change; when single opt-in is enabled, the opt-in confirmation emails and the sign-up ‘thank you’ page will not be sent or displayed.

“If you wish to keep your existing forms as double opt-in, you will need to set your preferences here before October 31.”

A change of heart?

Cybersecurity expert Graham Cluley explained that MailChimp had previously extolled the virtues of double opt-in, citing benefits that had appeared on the MailChimp website: “Protection against spambots, email scams and fake subscribers, which could increase your monthly benefit rates.

“Assurance of valid email addresses, confirmation that your subscribed contacts want to hear from you and an archived record of the subscriber’s consent.

“Higher campaign open rates, and lower bounce and unsubscribe rates.”

GDPR concerns

The concept of consent as referred to above is crucial here, as double opt-in is a necessity to prove consent was obtained from the email address owner under upcoming EU GDPR regulations. As Cluley wrote, it is “expressly required in Germany”.

MailChimp responded to the legal implications around single opt-in and GDPR in a blogpost on 30 October, saying that it made one key change: “If your primary contact address is in the EU, your existing forms will remain double opt-in.”

According to the blogpost, existing forms for customers with primary addresses outside the EU will still have switched to single opt-in on 31 October, but MailChimp suggests that businesses should still use double opt-in if they are going to be subject to GDPR.

MailChimp added: “We made this decision after receiving a lot of feedback from EU customers who told us that single opt-in does not align with their business needs in light of the upcoming GDPR and other local requirements.

“We heard you, and we’re sorry that we caused confusion. Customers located in the EU will receive an email from us today to let them know how we’ve changed the plan.”

This still doesn’t exactly solve the GDPR issues, as compliance with the regulation applies to the subscriber’s location rather than the MailChimp account holder’s. So, if an account holder’s primary address is in the US but its lists include email addresses from Ireland, it is still subject to rules set out under GDPR.

Although users can manually change their lists back to double opt-in, there could still be people who decide to remain with single opt-in, as well as a risk of more spam emails circulating around the internet.

MailChimp cited people leaving the opt-in process half-finished and a general change in email marketing norms as the reasoning behind the change.

GDPR awareness differs widely

Paul Conroy, CTO at Square1, told Siliconrepublic.com: “Mailchimp’s communication of this change has left a lot to be desired. For years, they’ve been advocating the benefits of the double opt-in setting in terms of delivery rates and list quality. Changing this setting for new accounts is one thing, but they’ve also tried to grandfather it in on existing accounts.

“Doing this without a clear and upfront explanation for the reasons behind the change has led to a lot of confusion from users in regard to the company’s rationale. What’s been particularly interesting to see is the subsequent quick change in policy based on strong user feedback from within the EU, much centred around user privacy.

“This suggests that while US-based companies may not yet be too aware of the impact the looming GDPR is going to have on their businesses, there’s a significant number of companies in the EU already viewing any changes to their systems through the prism of the new ‘privacy by design’ regulation.”

Ellen Tannam was a journalist with Silicon Republic, covering all manner of business and tech subjects
