Add GDPR checkbox for opt-in consent

Does the MailChimp API expose those new GDPR fields? The changelog (https://developer.mailchimp.com/documentation/mailchimp/guides/changelog) contains no recent changes.

Once it does, I guess the mailchimp library (https://github.com/thinkshout/mailchimp-api-php) should be updated too.

I tweeted this issue to Mailchimp via Twitter. Hopefully they will be abe to give us an answer.

https://twitter.com/AuthenticTech/status/992386585302831104

I found this KB article which suggests that the API does not expose these fields (and perhaps won't in future).

GDPR fields are not compatible with embedded forms, form integrations, or MailChimp Subscribe.

Perhaps the only solution must be to create our own equivalent GDPR fields in Mailchimp and use those instead.

We are working with MailChimp on this feature and we will be adding it to signup blocks as soon as the feature is available in the API.

Adding GDPR to your fields yourself won't set the GDPR permission flags in MailChimp. So, if complying with GDPR is a top priority, you might have to switch to the MailChimp JavaScript until we have a patch available for you.

Hi Greg, any further info from MailChimp on this? Thanks.

Unfortunately we are waiting for MailChimp to add their GDPR fields to the API and from what we've been told, this will happen when they have also added specific "delete" and "export" capabilities for users on their platform. You can read more about MailChimps GDPR guidance here:

https://blog.mailchimp.com/gdpr-forms-and-more-tools/
https://blog.mailchimp.com/gdpr-tools-from-mailchimp/
https://kb.mailchimp.com/accounts/management/gdpr-faq
https://kb.mailchimp.com/accounts/management/collect-consent-with-gdpr-f...

You will see in the GDPR FAQ section that enabling "double opt-in" could be a form of consent, since that requires an active action from the user and the date and time is recorded in MailChimp. It does not provide the flexibility to consent to specific usage, but is still a step in the right direction. This could be an interim solution prior to the GDPR fields being available in the API.

I've reached out to Mailchimp regarding API access to the GDPR fields now that 5/25 is passed. In the meantime, I'm looking into adding a custom GDPR merge tag that will use the same opt-in functionality. I'll update here when I hear back.

Thanks for contributing with this module. In case it helps, here goes an example of implementing GDPR consent in other form types:

GDPR Compliance module

FYI Mailchimp hasn't gotten back to me.

According to Mailchimp's docs: "GDPR fields are not compatible with embedded forms, form integrations, or MailChimp Subscribe" and "GDPR forms are only compatible with certain styles of pop-up forms". This means that advanced customization and integration (API) is not available with these GDPR fields (yet). Mailchimp has announced that they are working on this, but there is no telling when or whether this will happen.

In the interim, I'd suggests to use Mailchimp's Group functionality to manage marketing permissions (merge tags don't allow checkboxes). Which is fully supported throughout Mailchimp, uses a very similar approach UX/UI-wise for both admins and customers, will be simple and flexible to develop with, and should be easily migrated to the GDPR fields when API support is improved by Mailchimp.

Full disclosure, a primary benefit of using GDPR fields that will be lost is "MailChimp will also keep a record of what each version of your form says, so you’ll always know exactly which fields were present on a form when it was submitted by a contact, and you can prove consent if the need arises".

---

Anyway, here is how to achieve the suggested alternative:

Create an Interest Group Category in the Mailchimp list (List -> Manage Contacts -> Groups) called "Marketing Permissions", within that select "checkboxes" and add the following Groups "Email", "Direct mail", and "Customized online advertising". Then expose these interests in the form either via Mailchimp UI, Drupal Mailchimp signup form admin settings, or custom API integration.

In Mailchimp's form editor or a custom module (depending on your approach), you can perform a form alter to add additional legal text to the field (copied from Mailchimp's default GDPR fields):

<p id="gdpr-description">[COMPANY NAME] will use the information you provide on this form to be in touch with you and to provide updates and marketing. Please let us know all the ways you would like to hear from us:</p>

<p id="gdpr-legal">You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at [COMPANY EMAIL]. We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms.</p>

<div class="gdpr-footer"><a href="https://www.mailchimp.com/gdpr" target="_blank"><img src="https://cdn-images.mailchimp.com/icons/mailchimp-gdpr.svg" alt="GDPR"></a><p>We use MailChimp as our marketing automation platform. By clicking below to submit this form, you acknowledge that the information you provide will be transferred to MailChimp for processing in accordance with their <a href="https://mailchimp.com/legal/privacy/" target="_blank">Privacy Policy</a> and <a href="https://mailchimp.com/legal/terms/" target="_blank">Terms</a>.</p></div>

Then use the group as a segment filter the same way you would use the GDPR field filter!

Mailchimp have introduced a marketing_permissions parameter to the API that lets you enable GDPR fields and sync contact marketing permissions. See Are GDPR tools available in the API. You can set a member's marketing permissions with the Add and Update list member methods. The only way to retrieve the marketing_permission_id is with the Member Get method. Ideally it would be possible to get the ids with the List Get method but currently the API doesn't provide it. There are a couple of ways you can use the new field to synchronise consent given through an embedded form with the GDPR fields on Mailchimp. You can add a dummy/default member to the list and read it to get the marketing_permissions_ids for the list. Or you can read the member info before updating an existing member, or for new members you can update immediately after adding.

I've made a start on a 7.x patch that uses the second option for Signup Forms. It might also be of use as a starting point for an 8.x patch. The patch adds a GDPR Settings section to the form config that lets you add a GDPR consent checkbox to the signup form. It needs more work and testing. I am using mailchimp_signup only, so I have not tested with mailchimp_lists or mailchimp_automations. Also it takes the blunt approach of syncing the GDPR consent to all marketing permissions fields for the list. Ideally there would be a checkbox for each marketing permission field if there are more than one. Right now the only way to do that would be to add a default member to the list and read it when building the signup form configuration form.

Slightly tweaked the patch to remove the else statement.

#13 didn't apply for me. I re-rolled #12 with some minor adjustments, namely re-ordering mailchimp_subscribe() parameters to prevent conflicts with other modules/patches.

Attached is an updated patch of #19 with a minor fix for the gdpr_consent checkbox default value.

I think there are errors in your patch:

-        'gdpr_consent' => isset($mailchimp_lists['gdpr_consent']) ? $mailchimp_lists['gdpr_checkbox_label'] : NULL,
+        'gdpr_consent' => isset($mailchimp_lists['gdpr_consent']) ? 'Y' : NULL,

and

-      $result = mailchimp_subscribe($list_id, $email, $mergevars, $interests, $this->signup->settings['doublein'], $this->signup->settings['gdpr_consent']);
+      $result = mailchimp_subscribe($list_id, $email, $mergevars, $interests, $this->signup->settings['doublein'], 'html', null, $list_choices['gdpr_consent']);

I confirm the issues mentioned on #26, plus the use of D7's watchdog.

Here's a patch with fixes for those issues.

Rerolled #27 to be compatible for the latest -dev.

Tagging because Drupal.org has this module for email subscription signups. Without GDPR fields, we use an automation workflow of emails to remind people to return to the subscription form in order to opt-in to permissions for GDPR. And people don't take that follow-up action, so these fields would really help us.

I have updated the patch.
There was a bug in settings of vars in mailchimp_subscribe()... and the foreach loop mailchimp_subscribe_process() should be closed earlier.

I also noticed with the adding of gdpr I get the confirm emails for double opt-in twice.
Because in code we actually subscribe the email twice. First time without gdpr (becasue we dont know the id's) and second time with the gdpr fields.

This looks really good so far, thanks for the contributions everyone. Is anyone using this in production or testing it on their site?

I'd prefer if a community member who is using this and knows it's working for them mark the issue as "Reviewed & tested by the community".

Also wanted to note that we'll commit this to 8.x-1.x first then I can roll and review a backport.

1. +++ b/modules/mailchimp_signup/src/Form/MailchimpSignupForm.php
   @@ -277,6 +277,42 @@ class MailchimpSignupForm extends EntityForm {
   +      '#type' => 'textarea',
   

   This should be a textfield, it's used as the checkbox label.

2. +++ b/modules/mailchimp_signup/src/Form/MailchimpSignupPageForm.php
   @@ -154,6 +154,16 @@ class MailchimpSignupPageForm extends FormBase {
   +               '#default_value' => isset($this->signup->settings['gdpr_checkbox_label']) ? $this->signup->settings['gdpr_checkbox_label'] : NULL,
   
   @@ -186,6 +196,16 @@ class MailchimpSignupPageForm extends FormBase {
   +           '#default_value' => isset($this->signup->settings['gdpr_checkbox_label']) ? $this->signup->settings['gdpr_checkbox_label'] : NULL,
   

   The default value for consent should always be FALSE.

I re-reviewed #31 and found some issues. I'll fix and re-upload a patch.

Here are new patches for D7 and D8. I'd still like the community to review each again before commit. No interdiff because both were re-rolls.

Also, if you upload a new patch please include an interdiff if possible, it makes the issue much easier to review. Thanks!

The initial functionality looks good. I think this should come with a warning to only enable the checkbox if the email has already been validated by its owner in some way. Double opt-in emails do not seem to be sending, but that could be an issue with our configuration. For www.drupal.org, I’ll form alter this away unless the person is logged in and has confirmed their account email. Maybe even a permission to give GDPR consent?

This is probably a followup, but where this will be really useful for us is in the mailchimp_lists module. The subscription field on users is the most visible for us, and most people have confirmed their email address in Drupal.

I did spot one issue with the 7.x patch - in the last chunk, the form value should be used, no the list configuration.

For www.drupal.org, I’ll form alter this away unless the person is logged in and has confirmed their account email.

The bit of code for that is https://git.drupalcode.org/project/drupalorg/commit/9402c45

@drumm I think it makes to do form alters like this on a per-site basis, as far as I know for people that want this feature, GDPR consent is required even for anonymous users who haven't validated their email yet.

During one of the more-critical core security releases, myself and a few others got subscribed to a few thousand email lists that didn’t have any double opt-in. I think I’m still getting mail from that. Unfortunately for the list owners, the tool I have is reporting spam, it is likely hurting their reputation with GMail/Mailchimp/etc.

Lists that are too easy to join will have more subscribers, and will get abused too.

@drumm That's more about double opt in having a bug than the changes in this issue (GDPR support), right?

True, there are situations where all the opt-ins are safe to do at once, but don’t have to put any more warnings/etc in to get this issue closed out.

And Drupal.org is running #39, with no issues that I’m aware of.

Here's the interdiff from the last two D7 patches, will roll a D8 patch soon and likely commit.

Thanks for contributing all! No backport to 7.x-4.x as that branch is not receiving any feature development.

Maybe im a little confused, but I'm trying this new functionality in a custom type of content using 'Mailchimp subscription' field type, and all works ok but the gdpr field doesnt show in the form.

If I try to create a signup directly from mailchimp plugin then it is working fine.

It's the first case a functionality still not implemented? (or even not going to, or even not the case in this thread...)

Thanks,

This just covers the mailchimp_signup module, which makes blocks for signup forms, and getting the underlying APIs working. As noted in #38:

This is probably a followup, but where this will be really useful for us is in the mailchimp_lists module. The subscription field on users is the most visible for us, and most people have confirmed their email address in Drupal.

Followup issue for that: #3086506: Add GDPR checkbox for opt-in consent, for mailchimp_lists

Thank you very much for the directions.

I'm trying to use the patch at #37 but I'm getting a Could not apply patch! Skipping. The error was: Cannot apply patch https://www.drupal.org/files/issues/2019-09-16/2968016-81x-37.patch error. I'm using the "1.x-dev" version of the module and on Drupal 8.8.5. Although oddly enough, even though composer gives me the could not apply error, the patch is still applied but the module is no longer git ignored and i can see the changes the patch has made... does anyone know what may be going on?