Is Mailchimp still GDPR-proof in 2026?

Mailchimp is one of the world’s most popular email marketing platforms. But is it still GDPR-proof? In this article, we’ll look at the legal reality in 2026 and explore whether organisations in the Netherlands (and Europe) can still use Mailchimp without running unnecessary GDPR risks.

Spoiler (without the drama):

In practice, Mailchimp can still be workable, but being legally watertight is hard in 2026 as long as you use a US-based platform, even if you do everything "right" with SCCs, the DPF and documentation.

The core issue: Mailchimp is a US company

Mailchimp is owned by Intuit, a US company. That means personal data from your newsletter subscribers may be stored and processed on servers in the United States, and that’s where the GDPR headache starts.

And yes: people search for this topic as “Mailchimp GDPR” or “Is Mailchimp GDPR compliant?” because this is exactly where compliance and email marketing collide.

Why is that a problem?

The GDPR (General Data Protection Regulation) sets strict rules for transferring personal data to countries outside the European Economic Area (EEA). The US has different privacy laws than the EU, and US legislation such as Section 702 of FISA and the CLOUD Act gives US authorities broad powers to access the data of non-US persons, even if that data is stored on European servers, as long as the provider is subject to US jurisdiction.

In July 2020, the Court of Justice of the European Union (CJEU) struck down Privacy Shield, the mechanism that at the time legitimised data transfers to the US. This happened in the well-known Schrems II ruling (Case C‑311/18) [Source: CJEU Schrems II Ruling]. The reason? US surveillance law, in particular Section 702 of FISA and Executive Order 12333, gives US authorities access to EU citizens' data that goes beyond what is strictly necessary, and EU citizens have no effective judicial remedy against it, so their data is not adequately protected. (The CLOUD Act, which lets US authorities compel US providers to hand over data wherever it is stored, was not part of the Court's reasoning, but it adds to the same transfer risk.)

By 2026, the situation has become even more fragile. In December 2025, NOYB (Max Schrems' privacy organisation) warned that the Data Privacy Framework (the successor to Privacy Shield) is under serious pressure. That same month, the US Supreme Court heard Trump v. Slaughter, a case about whether the President can remove commissioners of the Federal Trade Commission (FTC) at will, and therefore about the FTC's independence. The FTC is a key part of the enforcement and oversight mechanism the European Commission relied on when it adopted the Data Privacy Framework. Legal experts broadly expect the Supreme Court to rule in June or July 2026 that the FTC is not independent of the executive, which would undermine a fundamental pillar of the framework [Source: NOYB, December 2025].

What has Mailchimp done to be GDPR compliant?

Mailchimp has taken several steps aimed at GDPR compliance:

1. Standard Contractual Clauses (SCCs)

Mailchimp uses Standard Contractual Clauses (SCCs): a European Commission-approved contractual mechanism for transferring data to countries outside the EU. These clauses contractually require the recipient to meet EU privacy standards.

But: SCCs alone aren’t enough. After Schrems II, organisations must carry out a Transfer Impact Assessment (TIA) to assess whether the laws in the destination country (in this case, the US) undermine the protection SCCs are supposed to provide. The Dutch DPA (Autoriteit Persoonsgegevens) and the European Data Protection Board (EDPB) are crystal clear: if you transfer EU personal data to the US, you need additional safeguards on top of SCCs [Source: EDPB Recommendations 01/2020].

Practical translation: a TIA isn’t a tick-box exercise. It’s your documented reasoning for why you believe the transfer is acceptable, including any extra measures (encryption, data minimisation, limiting tracking, etc.).

2. Data Privacy Framework (DPF)

In 2023, the Data Privacy Framework was introduced as the successor to Privacy Shield. Mailchimp has joined this framework, which in theory provides a legal basis for data transfers to the US [Source: Data Privacy Framework List].

But: the Data Privacy Framework remains under ongoing legal pressure. While the framework survived its first legal challenge in September 2025 (when the EU General Court rejected the case brought by French MP Philippe Latombe), the story didn’t end there. On 29 October 2025, Latombe announced he would appeal to the Court of Justice of the European Union (CJEU), the EU’s highest court. This means the framework may be reviewed again in 2026–2027 by the same court that invalidated Privacy Shield in 2020 [Source: Euractiv, October 2025].

In addition, Max Schrems, the privacy activist behind Schrems II, has repeatedly stated that the Data Privacy Framework has the same underlying issues as Privacy Shield. While Schrems suggested in March 2025 he might not need to bring a new case himself (because others already are), the likelihood of the framework being challenged, and potentially struck down, remains real.

And as mentioned earlier, Trump v. Slaughter adds a new risk: if the Supreme Court rules in 2026 that the FTC isn’t independent enough, the Data Privacy Framework could lose one of its key legal foundations. That could trigger a rapid collapse, even before the CJEU reaches a final decision.

3. Sub-processors

Mailchimp works with multiple sub-processors worldwide. These sub-processors can access your data for specific purposes (such as hosting, analytics, or customer support). Mailchimp publishes a sub-processor list, but not all of these parties are European [Source: Mailchimp Subprocessors].

The risk: every sub-processor operating in the US (or another non‑EU country) adds another layer of transfer risk. As the controller, you’re responsible for the entire processing chain.

What does the Dutch Data Protection Authority (AP) say?

The Dutch Data Protection Authority (Autoriteit Persoonsgegevens) has become increasingly critical in recent years about the use of US cloud platforms and services.

In 2026, the AP also has more resources to enforce compliance. In September 2025, it was reported that the AP would receive a €53.5 million budget for 2026, an increase of more than €4 million compared to 2025. While the AP notes that, adjusted for inflation and new responsibilities (such as enforcing the AI Act), this effectively amounts to a real-terms budget decrease, the increase still signals that data protection remains a priority for the Dutch government [Source: Tweakers, September 2025].

The AP can impose fines of up to 4% of global annual turnover or €20 million (whichever is higher). And enforcement is happening: according to the GDPR Enforcement Tracker, EU regulators had imposed a total of €6.79 billion in GDPR fines by January 2026, across 2,731 enforcement actions. The Netherlands ranks fourth in the EU with €353 million in fines across 32 cases. The most common infringements leading to fines are: insufficient legal basis for processing (€3.01 billion), non-compliance with general processing principles (€2.52 billion), and inadequate technical and organisational security measures (€928 million) [Source: GDPR Enforcement Tracker, January 2026].

In the post‑Schrems II era, we've seen multiple collective actions and complaints against organisations transferring data to the US without adequate safeguards. NOYB, for example, filed 101 complaints against websites using Google Analytics and Facebook Connect, leading to regulator decisions against Google Analytics in several EU countries.

The tracking pixel problem

Besides the question of transfers to the US, there’s another GDPR issue with Mailchimp: tracking pixels.

What are tracking pixels?

Mailchimp typically inserts invisible tracking pixels into your emails. These pixels record:

  • Whether an email was opened
  • When it was opened
  • On which device
  • The recipient's approximate location (derived from the IP address that fetched the pixel)

This data is sent to Mailchimp and processed, often without the recipient giving explicit consent.
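As an added example (not Mailchimp's code and not part of the original article), here is a small Python check you can run over the HTML body of a campaign before it goes out, to find image tags that behave like tracking pixels: images that are 1x1 or smaller, images hidden via CSS, and images whose URL carries a per-recipient identifier or a `*|TAG|*`-style merge tag. The sample email body, the `track.example.org` host, the query-parameter names in `SUSPECT_PARAMS` and the merge-tag convention are all constructed assumptions for this example; adjust them to what you actually see in your own sends.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Query-string keys that commonly carry a per-recipient identifier.
# Constructed for this example; extend with what you see in your own campaigns.
SUSPECT_PARAMS = {"uid", "cid", "e", "eid", "recipient", "subscriber", "track"}


class _ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML document."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append({k.lower(): (v or "") for k, v in attrs})


def _px(value):
    """Parse a width/height attribute such as '1', '1px' or '200' into an int; None if unparsable."""
    m = re.fullmatch(r"\s*(\d+)\s*(px)?\s*", value or "")
    return int(m.group(1)) if m else None


def find_tracking_pixels(html):
    """Return a list of (src, reasons) for <img> tags that look like tracking pixels."""
    parser = _ImgCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for img in parser.images:
        reasons = []
        width, height = _px(img.get("width")), _px(img.get("height"))
        if width is not None and height is not None and width <= 1 and height <= 1:
            reasons.append("1x1 or smaller")
        style = img.get("style", "").replace(" ", "").lower()
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden via CSS")
        src = img.get("src", "")
        params = parse_qs(urlparse(src).query)
        hits = sorted(SUSPECT_PARAMS & set(params))
        if hits:
            reasons.append("per-recipient params: " + ",".join(hits))
        # Assumption: merge tags use the *|NAME|* convention; a merge tag inside an
        # image URL makes the URL unique per recipient, which is tracking by construction.
        if "*|" in src and "|*" in src:
            reasons.append("merge tag in URL")
        if reasons:
            findings.append((src, reasons))
    return findings


_IMG_TAG = re.compile(r"<img\b[^>]*>", re.IGNORECASE)
_SRC_ATTR = re.compile(r"""src\s*=\s*["']([^"']*)["']""", re.IGNORECASE)


def strip_tracking_pixels(html):
    """Remove every <img> tag flagged by find_tracking_pixels; returns (cleaned_html, removed_count)."""
    flagged = {src for src, _ in find_tracking_pixels(html)}
    removed = 0

    def drop_if_flagged(match):
        nonlocal removed
        m = _SRC_ATTR.search(match.group(0))
        if m and m.group(1) in flagged:
            removed += 1
            return ""
        return match.group(0)

    return _IMG_TAG.sub(drop_if_flagged, html), removed


# Constructed sample campaign body: two legitimate images, one open-tracking pixel
# with per-recipient parameters, and one image hidden via CSS.
SAMPLE_EMAIL = """
<html><body>
<p>Hello *|FNAME|*,</p>
<img src="https://cdn.example.org/logo.png" width="200" height="60" alt="Logo">
<img src="https://track.example.org/open.gif?uid=abc123&cid=42" width="1" height="1" alt="">
<img src="https://cdn.example.org/hero.jpg" style="display: none" width="600">
<img src="https://cdn.example.org/banner.jpg" width="600" height="200" alt="Banner">
</body></html>
"""

if __name__ == "__main__":
    for src, reasons in find_tracking_pixels(SAMPLE_EMAIL):
        print(f"{src}\n    {'; '.join(reasons)}")
    cleaned, count = strip_tracking_pixels(SAMPLE_EMAIL)
    print(f"removed {count} suspect image(s)")
```

Two caveats on using this. First, the check only sees what is in your template: a platform that injects its open-tracking pixel at send time will not show up in a draft you scan locally, so you still need the platform's own tracking setting switched off. Second, link tracking (rewriting every `<a href>` through a redirect) is a separate mechanism that this image check deliberately does not cover.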

Why is that a problem?

The ePrivacy Directive (the "cookie law") is clear: under Article 5(3), storing information on, or reading information from, a user's device requires prior consent unless it is strictly necessary for a service the user asked for. A tracking pixel that is fetched when an email is opened falls under that rule just as a website tracker does.

In June 2025, the French regulator CNIL launched a public consultation on draft guidance that may become even stricter. CNIL proposes that organisations should request double consent for email tracking: one consent for receiving marketing emails (Article 13 ePrivacy Directive) and a separate, explicit consent for tracking pixels (Article 5(3) ePrivacy Directive). Even more notably, CNIL proposes that if users withdraw consent, tracking pixels must be disabled immediately server-side, even in emails already sent. This would effectively turn withdrawal of consent into a form of erasure right. The consultation closed on 24 July 2025, and final guidance is expected in 2026 [Source: Hogan Lovells, June 2025].

The Dutch AP has warned and fined multiple organisations for tracking without consent. While enforcement has so far focused mainly on website tracking (cookies), the legal logic is the same for email tracking.

The Mailchimp issue: Mailchimp enables tracking pixels by default. Many users don’t even realise it’s happening, let alone ask recipients for consent. And even if you disable tracking in Mailchimp, Mailchimp may still collect certain metadata.

Tip (low friction): if you temporarily switch tracking off, you can still send emails as normal; you just lose some reporting (open rates in particular). For many organisations, that's an acceptable trade-off while the legal position around tracking and international transfers remains so fluid.

What are the risks if you use Mailchimp?

If you use Mailchimp without additional safeguards, you face several risks:

1. A fine from the AP

The AP may fine you if it turns out you:

  • transfer personal data to the US without adequate safeguards
  • use tracking pixels without consent
  • don’t have a proper data processing agreement
  • haven’t carried out a Transfer Impact Assessment

With €6.79 billion in GDPR fines across the EU by January 2026, and the Netherlands ranking fourth with €353 million in fines, it’s clear that regulators are actively enforcing. The risk of fines is real, particularly now that the AP has increased funding for 2026.

2. Compensation claims from individuals

Under the GDPR, individuals (your subscribers) have the right to claim compensation if their personal data is processed unlawfully. In the post‑Schrems II era, collective actions have been brought against organisations transferring data to the US; think of the large-scale complaints against Google Analytics users.

3. Reputational damage

A data breach or GDPR violation can seriously damage your reputation. Customers and partners expect you to handle personal data responsibly.

4. Legal uncertainty

The Data Privacy Framework remains under legal pressure. Philippe Latombe’s appeal to the CJEU, plus the Trump v. Slaughter case at the US Supreme Court, could undermine the framework in 2026. If the framework is invalidated (as happened with Safe Harbor in 2015 and Privacy Shield in 2020), you’ll face the same question again: can I still use Mailchimp?

What can you do to reduce the risk?

If you want to keep using Mailchimp, there are steps you can take to reduce (but not eliminate) GDPR risk:

1. Carry out a Transfer Impact Assessment (TIA)

Assess whether the transfer to the US has sufficient safeguards. Document your findings. The EDPB has published guidance on this [Source: EDPB Recommendations 01/2020].

2. Disable tracking pixels

Switch tracking off in Mailchimp, or ask for explicit consent before enabling tracking. Note: if CNIL’s guidance becomes final in 2026 and other EU countries follow suit, you may need double consent and server-side mechanisms to disable tracking when consent is withdrawn.

3. Minimise data collection

Only collect the personal data you genuinely need. The less data you transfer to the US, the lower the risk.

4. Sign a data processing agreement

Make sure you’ve signed a Data Processing Addendum (DPA) with Mailchimp. Mailchimp provides this [Source: Mailchimp DPA].

5. Inform your recipients

Be transparent in your privacy notice that you use Mailchimp and that data may be transferred to the US.

6. Consider European alternatives

There are now various European email marketing platforms that keep data within the EU, such as:

  • Maileon (Germany, and the Netherlands)
  • Brevo (France)
  • Laposta (Netherlands)
  • Flexmail (Belgium)

These platforms offer similar functionality without the structural risk of transatlantic data transfers. Apply the same diligence you would to Mailchimp, though: check each provider's sub-processor list and hosting locations, because an EU company that hosts on a US cloud provider or uses US-based support tooling brings part of the transfer question back in.

If you’re mainly looking for a solution that combines scalable marketing automation with EU data storage and a clear privacy approach, it makes sense to take a look at Maileon as a European alternative too.

Conclusion: Is Mailchimp still GDPR-proof in 2026?

The honest answer: using Mailchimp is not legally watertight in 2026.

Even though Mailchimp has taken steps (SCCs, Data Privacy Framework, DPA), significant risks remain:

  • The Data Privacy Framework is under ongoing legal pressure, with a CJEU appeal underway and the Trump v. Slaughter case potentially undermining a key pillar in 2026.
  • US law (FISA 702, Cloud Act) gives authorities broad access to data.
  • Tracking pixels require explicit consent and CNIL may introduce even stricter requirements in 2026, such as double consent and server-side disable mechanisms.
  • The AP has a 2026 budget of €53.5 million, and EU regulators had already imposed €6.79 billion in GDPR fines by January 2026; enforcement is a real risk.

Our advice:

  • If you use Mailchimp, implement at least the measures above (TIA, tracking off, DPA, transparency).
  • Seriously consider switching to a European alternative. It removes the transatlantic transfer risk entirely.
  • Keep an eye on legal developments. With an expected Supreme Court decision in June/July 2026 and the CJEU appeal underway, things can change quickly.

The reality: as long as Mailchimp remains a US company and US surveillance law doesn't fundamentally change, there will be a legal grey area. In a grey area you carry risk, and that risk is something you need to weigh consciously.

Want maximum certainty? Choose a European platform. Want to keep Mailchimp? Take the right measures and document your decisions properly.

The choice is yours – just make it an informed one.

Free Mailchimp migration

Want to reduce the GDPR risk of transatlantic data transfers without rebuilding your entire email programme from scratch? At Maileon, we’ll help you migrate from Mailchimp free of charge, from list import to basic setup, so you can get back to sending quickly, with your data stored in Europe.
