Pitfall 1: Missing or Vague Processor Disclosure
The Mistake: Privacy policies mention "email marketing" or "third parties" generically without naming Mailchimp or specifying what data Mailchimp actually receives (IP addresses, open and click tracking, signup source). GDPR Article 13(1)(e) requires you to disclose the recipients or categories of recipients of personal data, and regulators' transparency guidance expects the actual recipients to be named by default; CCPA Section 1798.100 requires notice at collection of the categories of personal information collected and the purposes for which they are used. A generic "third parties" line satisfies neither.
Why It Happens: Founders treat the privacy policy as boilerplate and never map which data fields Mailchimp collects. Mailchimp's form builder does not make it obvious that it records the subscriber's IP address at signup.
Consequence: GDPR enforcement for lack of transparency (fines up to €20M or 4% of global annual turnover, whichever is higher); CCPA penalties ($2,500 per violation, $7,500 per intentional violation) if California residents cannot tell what you are collecting and who receives it.
Pitfall 2: No Data Processing Agreement (DPA)
The Mistake: Using Mailchimp without a Data Processing Agreement (DPA) in force, or relying on Mailchimp's standard terms without confirming that transfers of EEA or UK personal data to the US are covered by Standard Contractual Clauses (SCCs) or another valid transfer mechanism.
Why It Happens: Small teams assume Mailchimp's Terms of Service are sufficient, or don't realize that GDPR Article 28(3) requires processing by a processor to be governed by a contract with specific mandatory terms. Mailchimp publishes a DPA, but you must confirm it applies to your account, record it, and keep it current as Mailchimp's terms and your own processing change.
Consequence: A missing DPA is flagged immediately in audits. Regulators treat it as a critical gap, even when the data handling itself is otherwise lawful.
Pitfall 3: No Consent Mechanism or Conflating Consent Categories
The Mistake: Embedding Mailchimp's signup form without implementing separate, granular consent for email marketing. Some operators assume that consent for one kind of email (e.g., account verification) covers marketing emails.
Why It Happens: Mailchimp's signup forms can be embedded without any consent checkbox. GDPR Article 4(11) defines consent as freely given, specific, informed, and unambiguous, and Article 7 requires you to be able to demonstrate it and to make withdrawal as easy as giving it. Sending marketing email to someone who only signed up for an account, with no explicit opt-in, does not meet that standard.
Consequence: CASL violations in Canada (administrative penalties up to C$1 million per violation for individuals and C$10 million for organizations); GDPR enforcement; user complaints and spam reports that damage your sending reputation and deliverability.