GDPR Compliance
I’m currently working through a list of plugins that we use, trying to establish the following.
- What cookie files (inc. local storage etc) containing personal data are being set by the plugin?
- Do any settings need to be changed within the plugin, to make it GDPR Compliant?
- Are we adding all the relevant information in relation to the plugin to our website's privacy policy?
I’ve found this very useful article that you’ve written…
https://kb.mc4wp.com/gdpr-compliance/
It’s my understanding that…
Cookies
Mailchimp for WordPress plugin doesn’t set any cookie files (inc. local storage etc) containing personal data, unless you are using the Premium Feature of E-Commerce integration. Details provided here… https://kb.mc4wp.com/cookie-overview/
I’m slightly concerned by the section that says “Make sure your Cookie Statement describes any cookies or tracking technologies you might use.
If you’re not sure, Mailchimp’s Cookie Statement includes a section called Cookies served through the Services that describes technology you (or your website) might use, depending on the features you use through Mailchimp.”
This has been taken from https://mailchimp.com/help/gdpr-faq/
It points you towards… https://mailchimp.com/legal/cookies/
I’m assuming these cookies generally only affect use of the MailChimp website.
They would only affect my website if I embedded one of their forms into my website, and because I’m not doing this and am using the Mailchimp for WordPress plugin instead, I just need to follow your guidelines on Cookie information.
Settings
Always ask for explicit consent to transfer data to MailChimp, by using the recommended options under “MailChimp for WordPress > Integrations” and not pre-checking any of the sign-up checkboxes.
Although it’s not essential, it’s highly recommended that you enable double opt-in so you have additional evidence of consent.
Inform users that data is being transferred to MailChimp, as detailed on this page… https://kb.mc4wp.com/gdpr-compliance/
Privacy Policy
There’s no information that needs to be included in our website's privacy policy in relation to the Mailchimp for WordPress plugin, apart from a one-liner saying “We use Mailchimp to store information.”
I’ve come to this conclusion based on there being no privacy information in the article provided by yourselves, but on a line within the article from MailChimp that says “Update your website’s privacy statement or policy to state you use Mailchimp to store information.” https://mailchimp.com/help/gdpr-faq/
Additional Information
From the article you’ve provided, I’ve also learned that we should be signing a Data Processing Agreement with MailChimp.
A sample can be found here… https://eep.io/assets/yzco4xsimv0y/3nCyJIzUaQg6MOqgSimCMC/f195ea5f9a7ee2e876d06bb10778b857/2018_12_19_MC_SAMPLE_DPA.pdf
More details on how you can sign a DPA with MailChimp can be found here… https://mailchimp.com/help/gdpr-faq/
The MailChimp GDPR page at https://mailchimp.com/help/gdpr-faq/ also provides useful information on how to prove consent.
It recommends two-factor authentication on your MailChimp account.
It explains how to get consent from existing contacts, despite the new regulations already being in place.
Please, could you let me know if it appears I’ve missed anything important?