How Mailchimp’s Data Privacy Concerns Impact Marketers (And What They’re Doing About It)
Being the world’s largest email marketing platform has made Mailchimp a ripe target for hackers and a major concern for privacy advocates. With access to troves of private information neatly formatted for the maximum accessibility of its customers, data privacy for Mailchimp isn’t just critical to its business – it is its business.
With the brand bleeding market share after a slew of high-profile data breaches since 2022, Mailchimp has made a renewed effort to shore up security and privacy standards before users migrate to different platforms.
The State of Play – Why Are There Mailchimp Privacy Concerns?
Mailchimp’s security team has issued three security disclosures since 2022. In April of that year, it confirmed a data breach that impacted 319 customers. Four months later, it confirmed another breach that compromised another 216 accounts.
Five hundred-odd accounts may not seem like much, but Mailchimp’s customers are uniquely valuable – and vulnerable – targets for hackers. One of the accounts impacted in the August 2022 incident was WooCommerce, which supports over 5 million online stores via its WordPress plugin.
When one breach provides access to millions, it’s a problem.
Mailchimp Goes on Defensive
The top brass at Mailchimp seems to be committed to improving privacy and security and has consistently taken steps that show progress.
Joining the EU-US Privacy Shield
Mailchimp was an early adopter of the EU-US Data Privacy Shield framework, committing to annual privacy and security validation since 2016. Even after the Privacy Shield was invalidated in 2020, Mailchimp continues to meet the same certification standards. It also signed on to allow all European users to transfer their data overseas in compliance with the General Data Protection Regulation (GDPR) through a Data Processing Addendum included in its terms of use.
Mailchimp’s February Domain Verification Move
Until February 2024, Mailchimp recommended domain verification – but didn’t require it. This allowed non-verified users to send emails from any account, including free email accounts like Gmail and Hotmail, contributing to increased spam and prolific list abuse levels.
Mailchimp now requires domain verification for users sending over 5,000 emails. This is a big step toward reducing phishing attempts and discouraging bad actors (and marketers).
Intuit Remains Committed to Improving Security
When Intuit, the parent company of QuickBooks and TurboTax, acquired Mailchimp in late 2021, the deal made headlines and raised eyebrows. It seemed like a tangential move for Intuit, a primarily financial software company built on accounting and taxes, not marketing. Market insiders noted that more than 50% of small businesses fail within the first five years, which impacts Intuit’s core business. In effect, Intuit bought a tool to help customers improve their sales and then used reams of anonymized data to target new customers for its tax and accounting products.
To its credit, Intuit has a stellar security rating and the resources to maintain top-notch security across its various businesses and brands.
Email Marketing Privacy Best Practices
No matter what email marketing platform you choose, privacy is an active, ongoing part of the process. There are regional privacy standards that push email marketers to follow best practices for specific audiences or segments. Companies with email subscribers in the EU are required to follow GDPR standards, but with third-party cookies on the way out and consumers well aware of their privacy rights, many brands have decided to adopt GDPR as their baseline for privacy.
Follow the four principles of the GDPR with your Mailchimp account or any email platform you use.
- The Right to Erasure – Also known as the Right to be Forgotten, choose a platform that allows users to delete all of the data associated with their name or contact information.
- The Right to Access – Allow users to ask how their data is being used, where it is stored, and provide a personalized data report free of charge.
- The Right to Notification – Alert users of a breach within 72 hours of discovery – if Mailchimp sends you a notification, alert your subscribers as well.
- The Right to Portability – When users request their data, it must be exported in an accessible format. Mailchimp relies on a .csv (who doesn’t?).
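The four rights above translate into concrete operations on your subscriber data: find everything tied to one address, report it, export it, delete it, and track the 72-hour notification clock. The script below is an added example, not Mailchimp’s code or API; the record layout, the field names, the per-list purposes and the sample subscribers are all constructed for illustration, and the CSV export mirrors the format the article says Mailchimp relies on.

```python
"""Minimal data-subject request handling for an email subscriber list.

Added example, not Mailchimp code. The record layout, field names and the
PURPOSES table are assumptions made for illustration.
"""
import csv
import io
from datetime import datetime, timedelta

# Constructed sample list; addresses, names and IPs are made up.
SUBSCRIBERS = [
    {"email": "ana@example.com", "name": "Ana", "list": "newsletter",
     "signup_ip": "203.0.113.7", "consent_at": "2023-05-02", "region": "EU"},
    {"email": "ana@example.com", "name": "Ana", "list": "promotions",
     "signup_ip": "203.0.113.7", "consent_at": "2023-06-11", "region": "EU"},
    {"email": "bo@example.org", "name": "Bo", "list": "newsletter",
     "signup_ip": "198.51.100.2", "consent_at": "2022-01-20", "region": "US"},
]

# Assumed processing purpose per list, surfaced in the access report.
PURPOSES = {"newsletter": "monthly product newsletter",
            "promotions": "discount campaigns"}

NOTIFICATION_WINDOW = timedelta(hours=72)


def _matches(record, email):
    # Case-insensitive match so "Ana@Example.com" finds the same subscriber.
    return record["email"].lower() == email.strip().lower()


def access_report(records, email):
    """Right to Access: what is held about the address and how it is used."""
    hits = [r for r in records if _matches(r, email)]
    return {
        "email": email,
        "records_held": len(hits),
        "fields_held": sorted({k for r in hits for k in r}),
        "lists": sorted({r["list"] for r in hits}),
        "purposes": sorted({PURPOSES.get(r["list"], "unspecified") for r in hits}),
    }


def export_csv(records, email):
    """Right to Portability: every record for the subscriber as CSV text."""
    hits = [r for r in records if _matches(r, email)]
    if not hits:
        return ""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=sorted(hits[0]))
    writer.writeheader()
    writer.writerows(hits)
    return buf.getvalue()


def erase_subscriber(records, email):
    """Right to Erasure: drop every record tied to the address.

    Returns (remaining_records, number_removed) without mutating the input;
    the caller persists the result and applies the same erasure to backups
    and previously generated exports.
    """
    remaining = [r for r in records if not _matches(r, email)]
    return remaining, len(records) - len(remaining)


def notification_deadline(discovered_at_iso):
    """Right to Notification: latest time to alert subscribers, as ISO 8601.

    Takes the breach discovery time as an ISO 8601 string and returns the
    time 72 hours later in the same form.
    """
    discovered = datetime.fromisoformat(discovered_at_iso)
    return (discovered + NOTIFICATION_WINDOW).isoformat()


if __name__ == "__main__":
    print(access_report(SUBSCRIBERS, "ana@example.com"))
    print(export_csv(SUBSCRIBERS, "ana@example.com"))
    remaining, removed = erase_subscriber(SUBSCRIBERS, "ana@example.com")
    print(f"removed {removed} record(s), {len(remaining)} left")
    print(notification_deadline("2024-03-01T09:00:00+00:00"))
```

Matching is done on the normalised address rather than on a display name, since the same person typically appears on several lists under the same email; erasure returns a new list instead of editing in place so the audit trail (how many records were removed, and from which lists) can be logged before the change is committed.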
Data Is Valuable. Privacy Makes It Possible.
Like all digital data troves, Mailchimp is a rich target for malpractice, but it owes its customers robust security measures and nimble privacy protection. Mailchimp has a mixed but mostly positive track record, but recent issues have caused trouble. Its market share slipped 6% in 2023 to 66.7%, nearly 20 points below the brand’s zenith of 80%. The decline isn’t all down to privacy concerns – there are now over 175 email marketing platforms in the market – but they have to have played at least a role in marketers’ decision-making process.