GDPR information is not displayed in embedded forms (e.g. signup). GDPR will enter into force in the EU on May 25. Associated information (i.e. explicit approval of subscriber) must be requested and logged by May 25 at the latest.
Functionality is implemented (recently) in MailChimp, but not available in Drupal Module.
Comment | File | Size | Author |
---|---|---|---|
#46 | interdiff-2968016-75x-37-39.txt | 826 bytes | samuel.mortenson |
#39 | 2968016-75x-39.patch | 10.32 KB | drumm |
#37 | 2968016-75x-37.patch | 10.31 KB | samuel.mortenson |
#37 | 2968016-81x-37.patch | 15.12 KB | samuel.mortenson |
Comments
Comment #2
matthiasm11 (at Randstad Digital) commented:
Does the MailChimp API expose those new GDPR fields? The changelog (https://developer.mailchimp.com/documentation/mailchimp/guides/changelog) contains no recent changes.
Once it does, I guess the mailchimp library (https://github.com/thinkshout/mailchimp-api-php) should be updated too.
Comment #3
authentictech (as a volunteer) commented:
I tweeted this issue to Mailchimp via Twitter. Hopefully they will be able to give us an answer.
https://twitter.com/AuthenticTech/status/992386585302831104
Comment #4
authentictech (as a volunteer) commented:
I found this KB article which suggests that the API does not expose these fields (and perhaps won't in future).
Perhaps the only solution must be to create our own equivalent GDPR fields in Mailchimp and use those instead.
Comment #5
Greg Boggs commented:
We are working with MailChimp on this feature and we will be adding it to signup blocks as soon as the feature is available in the API.
Adding GDPR to your fields yourself won't set the GDPR permission flags in MailChimp. So, if complying with GDPR is a top priority, you might have to switch to the MailChimp JavaScript until we have a patch available for you.
Comment #6
Drupal Centric commented:
Hi Greg, any further info from MailChimp on this? Thanks.
Comment #7
Anonymous (not verified), at Netuxo Ltd (RIP), commented:
I'd also encourage some further info. 25 May is Friday next week, so people (including us) are really waiting for a GDPR compliant version. If no patch or new release is available by 25 May, we would need to disable the signup forms provided by this module and implement a temporary solution.
Comment #8
mshaver commented:
Unfortunately we are waiting for MailChimp to add their GDPR fields to the API and from what we've been told, this will happen when they have also added specific "delete" and "export" capabilities for users on their platform. You can read more about MailChimp's GDPR guidance here:
https://blog.mailchimp.com/gdpr-forms-and-more-tools/
https://blog.mailchimp.com/gdpr-tools-from-mailchimp/
https://kb.mailchimp.com/accounts/management/gdpr-faq
https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-f...
You will see in the GDPR FAQ section that enabling "double opt-in" could be a form of consent, since that requires an active action from the user and the date and time is recorded in MailChimp. It does not provide the flexibility to consent to specific usage, but is still a step in the right direction. This could be an interim solution prior to the GDPR fields being available in the API.
Comment #9
firewaller commented:
I've reached out to Mailchimp regarding API access to the GDPR fields now that 5/25 is passed. In the meantime, I'm looking into adding a custom GDPR merge tag that will use the same opt-in functionality. I'll update here when I hear back.
Comment #10
Mikael Berger (as a volunteer) commented:
Thanks for contributing with this module. In case it helps, here goes an example of implementing GDPR consent in other form types:
GDPR Compliance module
Comment #11
firewaller commented:
FYI Mailchimp hasn't gotten back to me.
According to Mailchimp's docs: "GDPR fields are not compatible with embedded forms, form integrations, or MailChimp Subscribe" and "GDPR forms are only compatible with certain styles of pop-up forms". This means that advanced customization and integration (API) is not available with these GDPR fields (yet). Mailchimp has announced that they are working on this, but there is no telling when or whether this will happen.
In the interim, I'd suggest using Mailchimp's Group functionality to manage marketing permissions (merge tags don't allow checkboxes), which is fully supported throughout Mailchimp, uses a very similar approach UX/UI-wise for both admins and customers, will be simple and flexible to develop with, and should be easily migrated to the GDPR fields when API support is improved by Mailchimp.
Full disclosure, a primary benefit of using GDPR fields that will be lost is "MailChimp will also keep a record of what each version of your form says, so you’ll always know exactly which fields were present on a form when it was submitted by a contact, and you can prove consent if the need arises".
---
Anyway, here is how to achieve the suggested alternative:
Create an Interest Group Category in the Mailchimp list (List -> Manage Contacts -> Groups) called "Marketing Permissions", within that select "checkboxes" and add the following Groups "Email", "Direct mail", and "Customized online advertising". Then expose these interests in the form either via Mailchimp UI, Drupal Mailchimp signup form admin settings, or custom API integration.
In Mailchimp's form editor or a custom module (depending on your approach), you can perform a form alter to add additional legal text to the field (copied from Mailchimp's default GDPR fields):
Then use the group as a segment filter the same way you would use the GDPR field filter!
Comment #12
Peacog (as a volunteer) commented:
Mailchimp have introduced a marketing_permissions parameter to the API that lets you enable GDPR fields and sync contact marketing permissions. See Are GDPR tools available in the API. You can set a member's marketing permissions with the Add and Update list member methods. The only way to retrieve the marketing_permission_id is with the Member Get method. Ideally it would be possible to get the ids with the List Get method but currently the API doesn't provide it. There are a couple of ways you can use the new field to synchronise consent given through an embedded form with the GDPR fields on Mailchimp. You can add a dummy/default member to the list and read it to get the marketing_permissions_ids for the list. Or you can read the member info before updating an existing member, or for new members you can update immediately after adding.
I've made a start on a 7.x patch that uses the second option for Signup Forms. It might also be of use as a starting point for an 8.x patch. The patch adds a GDPR Settings section to the form config that lets you add a GDPR consent checkbox to the signup form. It needs more work and testing. I am using mailchimp_signup only, so I have not tested with mailchimp_lists or mailchimp_automations. Also it takes the blunt approach of syncing the GDPR consent to all marketing permissions fields for the list. Ideally there would be a checkbox for each marketing permission field if there are more than one. Right now the only way to do that would be to add a default member to the list and read it when building the signup form configuration form.
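Added example (not part of the thread, the attached patches, or the mailchimp module): a sketch of the read-then-update step described in comment #12, turning a Member Get response into the marketing_permissions array for an Update member request, with one consent value per permission instead of one value for all. The function name, the sample response and its ids are constructed for illustration; `marketing_permission_id` and `enabled` are the Mailchimp API's field names, and the form is assumed to key its checkboxes by permission id.

```php
<?php
// Added example: hypothetical helper, not code from the mailchimp module.

/**
 * Builds the marketing_permissions part of an Add/Update member request.
 *
 * @param array $member  Decoded Member Get response for this list.
 * @param array $consent Map of marketing_permission_id => TRUE, taken from
 *                       the submitted form values only (assumed form layout).
 */
function example_gdpr_payload(array $member, array $consent): array {
  $payload = [];
  foreach ($member['marketing_permissions'] ?? [] as $permission) {
    $id = $permission['marketing_permission_id'] ?? '';
    if ($id === '') {
      continue; // Nothing to sync against without an id.
    }
    $payload[] = [
      'marketing_permission_id' => $id,
      // Strict comparison: only an explicit TRUE counts as consent, so a
      // missing or unticked checkbox is always sent as not enabled.
      'enabled' => ($consent[$id] ?? FALSE) === TRUE,
    ];
  }
  return $payload;
}

// Constructed sample of a Member Get response (ids are made up).
$member = json_decode('{
  "email_address": "user@example.com",
  "marketing_permissions": [
    {"marketing_permission_id": "aaaa1111", "text": "Email", "enabled": false},
    {"marketing_permission_id": "bbbb2222", "text": "Direct mail", "enabled": false}
  ]
}', TRUE);

// Constructed form submission: only the "Email" box was ticked.
$submitted = ['aaaa1111' => TRUE];

$body = ['marketing_permissions' => example_gdpr_payload($member, $submitted)];
echo json_encode($body, JSON_PRETTY_PRINT), PHP_EOL;
```

The printed body enables "aaaa1111" and leaves "bbbb2222" disabled; a value such as the string "1" or a missing key is treated as no consent.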
Comment #13
gmem (as a volunteer and at Acro Commerce) commented:
Slightly tweaked the patch to remove the else statement.
Comment #14
Anonymous (not verified), at Netuxo Ltd (RIP), commented:
So, if we wanted to port this patch to the Drupal 8 version of mailchimp, we would first need to modify MailchimpSignupForm.php to allow for the GDPR fields (possibly under $form['subscription_settings'] and add ['gdpr']), and then figure out a way to get the marketing permissions from Mailchimp and pass them back.
Any hints?
Comment #15
Anonymous (not verified), at Netuxo Ltd (RIP), commented:
This is a first attempt to port the patch provided by gmem to Drupal-8. I only tested it for a signup form that only has one list in it.
When there are no interest groups, the GDPR checkbox is displayed above the rest of the form, which is not actually what I want, so that needs fixing.
Comment #16
Anonymous (not verified), at Netuxo Ltd (RIP), commented:
Sorry, the first D8 patch was missing changes to one file. Re-uploading fixed patch now.
Comment #17
Anonymous (not verified), at Netuxo Ltd (RIP), commented:
Improved patch. The earlier patch was missing some changes to the file mailchimp_signup.schema.yml, which meant I was not able to translate this part of the configuration, which I noticed trying to do so on a multilingual website.
The new patch includes the changes to mailchimp_signup.schema.yml.
Comment #18
Anonymous (not verified), at Netuxo Ltd (RIP), commented
Comment #19
firewaller commented:
#13 didn't apply for me. I re-rolled #12 with some minor adjustments, namely re-ordering mailchimp_subscribe() parameters to prevent conflicts with other modules/patches.
Comment #21
firewaller commented:
Attached is an updated patch of #19 with a minor fix for the gdpr_consent checkbox default value.
Comment #22
Anonymous (not verified), at Netuxo Ltd (RIP), commented:
Rerolled the patch against mailchimp-8.x-1.8
Comment #23
firewaller commented
Comment #25
Anonymous (not verified), at Netuxo Ltd (RIP), commented:
Updated patch so that it hopefully won't fail testing.
Comment #26
TommyChris commented:
I think there are errors in your patch:
and
Comment #27
roborn (at Frontkom) commented:
I confirm the issues mentioned on #26, plus the use of D7's watchdog.
Here's a patch with fixes for those issues.
Comment #28
roborn (at Frontkom) commented
Comment #29
TommyChris commented:
Rerolled #27 to be compatible for the latest -dev.
Comment #30
lizzjoy commented:
Tagging because Drupal.org has this module for email subscription signups. Without GDPR fields, we use an automation workflow of emails to remind people to return to the subscription form in order to opt-in to permissions for GDPR. And people don't take that follow-up action, so these fields would really help us.
Comment #31
carstenG (at FFW) commented:
I have updated the patch.
There was a bug in settings of vars in mailchimp_subscribe()... and the foreach loop mailchimp_subscribe_process() should be closed earlier.
Comment #32
carstenG (at FFW) commented:
I also noticed with the adding of gdpr I get the confirm emails for double opt-in twice.
Because in code we actually subscribe the email twice. First time without gdpr (because we don't know the ids) and second time with the gdpr fields.
Comment #33
samuel.mortenson commented
Comment #34
samuel.mortenson commented:
This looks really good so far, thanks for the contributions everyone. Is anyone using this in production or testing it on their site?
I'd prefer if a community member who is using this and knows it's working for them mark the issue as "Reviewed & tested by the community".
Comment #35
samuel.mortenson commented:
Also wanted to note that we'll commit this to 8.x-1.x first then I can roll and review a backport.
Comment #36
samuel.mortenson commented:
This should be a textfield, it's used as the checkbox label.
The default value for consent should always be FALSE.
I re-reviewed #31 and found some issues. I'll fix and re-upload a patch.
Comment #37
samuel.mortenson commented:
Here are new patches for D7 and D8. I'd still like the community to review each again before commit. No interdiff because both were re-rolls.
Also, if you upload a new patch please include an interdiff if possible, it makes the issue much easier to review. Thanks!
Comment #38
drumm commented:
The initial functionality looks good. I think this should come with a warning to only enable the checkbox if the email has already been validated by its owner in some way. Double opt-in emails do not seem to be sending, but that could be an issue with our configuration. For www.drupal.org, I’ll form alter this away unless the person is logged in and has confirmed their account email. Maybe even a permission to give GDPR consent?
This is probably a followup, but where this will be really useful for us is in the mailchimp_lists module. The subscription field on users is the most visible for us, and most people have confirmed their email address in Drupal.
Comment #39
drumm commented:
I did spot one issue with the 7.x patch - in the last chunk, the form value should be used, not the list configuration.
Comment #40
drumm commented:
The bit of code for that is https://git.drupalcode.org/project/drupalorg/commit/9402c45
Comment #41
samuel.mortenson commented:
@drumm I think it makes sense to do form alters like this on a per-site basis, as far as I know for people that want this feature, GDPR consent is required even for anonymous users who haven't validated their email yet.
Comment #42
drumm commented:
During one of the more-critical core security releases, myself and a few others got subscribed to a few thousand email lists that didn’t have any double opt-in. I think I’m still getting mail from that. Unfortunately for the list owners, the tool I have is reporting spam, it is likely hurting their reputation with GMail/Mailchimp/etc.
Lists that are too easy to join will have more subscribers, and will get abused too.
Comment #43
samuel.mortenson commented:
@drumm That's more about double opt in having a bug than the changes in this issue (GDPR support), right?
Comment #44
drumm commented:
True, there are situations where all the opt-ins are safe to do at once, but don’t have to put any more warnings/etc in to get this issue closed out.
Comment #45
drumm commented:
And Drupal.org is running #39, with no issues that I’m aware of.
Comment #46
samuel.mortenson commented:
Here's the interdiff from the last two D7 patches, will roll a D8 patch soon and likely commit.
Comment #49
samuel.mortenson commented:
Thanks for contributing all! No backport to 7.x-4.x as that branch is not receiving any feature development.
Comment #50
rherreror commented:
Maybe I'm a little confused, but I'm trying this new functionality in a custom type of content using 'Mailchimp subscription' field type, and all works ok but the gdpr field doesn't show in the form.
If I try to create a signup directly from mailchimp plugin then it is working fine.
Is the first case a functionality still not implemented? (or even not going to, or even not the case in this thread...)
Thanks,
Comment #51
drumm commented:
This just covers the mailchimp_signup module, which makes blocks for signup forms, and getting the underlying APIs working. As noted in #38:
Comment #52
drumm commented:
Followup issue for that: #3086506: Add GDPR checkbox for opt-in consent, for mailchimp_lists
Comment #53
rherreror commented:
Thank you very much for the directions.
Comment #55
Lincoln-Batsirayi commented:
I'm trying to use the patch at #37 but I'm getting a
Could not apply patch! Skipping. The error was: Cannot apply patch https://www.drupal.org/files/issues/2019-09-16/2968016-81x-37.patch
error. I'm using the "1.x-dev" version of the module and on Drupal 8.8.5. Although oddly enough, even though composer gives me the could not apply error, the patch is still applied but the module is no longer git ignored and I can see the changes the patch has made... does anyone know what may be going on?