Jan 28, 2013

A Look at MailChimp’s Privacy Policy

Today is Data Privacy Day. I don’t think anyone gets work off for the holiday, but as MailChimp’s general counsel and privacy officer, it’s still pretty exciting to me. Since Data Privacy Day’s main purpose is to educate people about—you guessed it—data privacy, I thought I’d share a little bit about how MailChimp’s privacy policy works.

MailChimp is serious about security, and we keep track of every way data can be moved or exposed. Our privacy policy lays out the narrow ways we collect, use, and disclose user data. User data is most commonly used or disclosed in the course of doing things you told us to do, like asking for customer support, turning on Social Profiles, or using other features that involve third-party providers. Any time we consider adding a feature that may use or disclose user data, we look at any possible way we can limit the disclosure. If a service provider is involved, then we make sure our contracts with that third party clearly spell out our data-protection requirements.

The second most common reason we may use or disclose data is to detect and prevent abuse. But today I want to talk about one of the far less common reasons we might disclose data—to meet legal requirements. You may have noticed this figure in our annual report:

[Figure: screenshot of the figure from MailChimp’s annual report]

That’s the number of third-party subpoenas we received last year. Third-party subpoenas are court-approved demands for information from an entity that’s not part of the lawsuit. Basically, two parties have a dispute, and they contact us because one of the parties used MailChimp at some point, and that use is relevant to the dispute. The most common disputes we see are related to list ownership and misuse, defamation, or trademark infringement. In 2010 we received only one request for user data. That number tripled in 2011, when we received a whopping three requests. And as you saw in the annual report, that number has gone up to 13 this year! While it’s a large increase, 13 subpoenas really aren’t that many, considering we have more than two million users. Legal requests relate to a very tiny portion of our users.

So what do we do when we get a request for a user’s data? Here’s how it generally works: someone wants user data because of a dispute and contacts us (most likely via email), requesting we give them the name, email, IP address, and any other data associated with an account. When we receive these types of requests, we respectfully tell them “no way” and cite our privacy policy, which explains why we can’t release that information. Many people drop out at this point, but some come back with a subpoena. Now, nine times out of ten, that subpoena will be from the state where the litigation or dispute is going on, which isn’t where our office is located. If we receive an out-of-state subpoena, we again decline to comply. As it says in our privacy policy, we only respond to valid subpoenas, which for us have to be from the state of Georgia. If a court in Georgia issues the subpoena, we’ll consider complying with it. But compliance isn’t automatic—sometimes we get requests for data that we can’t produce, or the subpoena may be too broad in its request. If either of those applies, we’ll file an objection, and the party has to either amend their request or file an order to compel us to produce the documents.

We don’t produce any user data that’s subject to the Electronic Communications Privacy Act. ECPA prohibits a service provider from divulging the contents of a communication while it’s in electronic storage. So if a subpoena asks for email campaigns, we can’t comply. But there’s an exception (there’s almost always an exception with laws!): If someone who sent or received the campaign in question consents, then the prohibition can be overcome. ECPA also has stricter controls for the disclosure of information to the government, which Google recently discussed.

So there’s a bit of transparency about how our privacy policy works in action. Happy Data Privacy Day!