25 February 2026 · Last reviewed 18 February 2026

How to Audit Your Mailchimp List for PECR Compliance

Mailchimp will tell you who subscribed, when they subscribed, and whether they confirmed via double opt-in. What it will not tell you is whether any of that satisfies PECR.

The ICO does not ask "did this person click a subscribe button?" It asks "can you prove this person gave specific, informed consent to receive marketing from your organisation?" Those are different questions, and Mailchimp's data only answers the first one.

This guide walks through how to audit your Mailchimp list against PECR requirements, step by step. If you are unclear on where PECR and GDPR diverge on consent, read PECR vs GDPR for marketing consent first.

What Mailchimp actually records

When you export a Mailchimp audience, you get these fields per contact:

  • OPTIN_TIME — timestamp when the subscriber confirmed or was added
  • CONFIRM_TIME — timestamp of double opt-in confirmation, if applicable
  • OPTIN_IP and CONFIRM_IP — IP addresses at signup and confirmation
  • Source — a general label: "Signup Form," "Import," "API," or "Admin"
  • LEID and EUID — internal Mailchimp identifiers
  • Tags, groups, and Member Rating

For contacts added via embedded forms, Mailchimp also records the signup form ID, which you can trace back to a specific form in your account.

What Mailchimp does not record

This is where the PECR gap opens up. Mailchimp has no record of:

  • The consent wording shown to the subscriber. Your signup form said something next to that subscribe button. Mailchimp does not store the text. If you changed the wording six months ago, the previous version is gone.
  • Whether PECR conditions were met. A pre-ticked checkbox and a properly worded unticked checkbox produce the same record in Mailchimp. It does not distinguish between PECR-valid consent and a simple email collection.
  • Soft opt-in documentation. If you added existing customers under the PECR soft opt-in exemption, Mailchimp cannot record the underlying sale, the similar-products justification, or whether an opt-out was offered at collection.
  • Marketing category specificity. The subscriber agreed to receive... what? "Updates"? "Promotions"? Mailchimp records that they subscribed, not the scope of what they consented to.
  • Third-party consent provenance. If you imported contacts from a purchased list, Mailchimp records the source as "Import." It cannot tell the ICO what consent wording those contacts originally saw.

Step-by-step: auditing your Mailchimp list

Step 1: Export your full subscriber list

In Mailchimp, go to Audience > All contacts > Export Audience. Download the CSV with every field, including OPTIN_TIME, OPTIN_IP, CONFIRM_TIME, and Source.

Open it in a spreadsheet and sort by the Source column — this is your starting point for categorising contacts.

Step 2: Categorise contacts by source

Group your subscribers into buckets based on how they were added:

  • Signup Form — people who subscribed via a Mailchimp-hosted or embedded form
  • Import — contacts uploaded manually from a CSV, often from a previous platform migration, event list, or purchased data
  • API — contacts added programmatically, typically from your website, CRM, or e-commerce platform
  • Admin — contacts added manually by someone on your team
  • Pop-up Form — contacts who subscribed via a Mailchimp pop-up

Each category carries different consent risks. Imports are the highest risk — the consent trail is almost certainly incomplete. Admin-added contacts are a close second.

Step 3: Identify your consent evidence for each category

For each source category, ask: what evidence do we have that these contacts gave PECR-valid consent?

Signup Form contacts: Find the form they used (via the form ID if available) and determine what wording was displayed when they subscribed. If you have changed your form wording since, you need the historical version — not today's.

Import contacts: Where did this data come from? A previous ESP migration, a purchased list, an event signup sheet? Do you have the original consent records from that source?

API contacts: Trace back to the integration. If contacts flow from your e-commerce checkout, the consent mechanism lives there, not in Mailchimp. Do you have dated screenshots of the checkout form?

Admin contacts: Who added them and why? Was consent obtained offline? Is there any record?

Step 4: Flag consent gaps

Create a new column in your spreadsheet: Consent Status. Mark each contact or source category as one of:

  • Documented — you have evidence of PECR-valid consent: the wording they saw, the date, the mechanism, and that it was freely given via an unticked opt-in
  • Soft opt-in — you are relying on the soft opt-in exemption and can document all four conditions: a sale or negotiation, similar products, opt-out offered at collection, and opt-out in every message
  • Gap — you cannot produce the evidence the ICO would require
  • Unknown — you do not have enough information to determine consent status

Be honest. "We probably had a form" is a gap. "They're a customer so it's fine" is a gap unless you can prove all four soft opt-in conditions. The ICO does not accept assumptions.

Step 5: Document what is missing

For every contact or category marked as Gap or Unknown, record specifically what is missing. No consent wording on file? Pre-ticked box in the original form? Imported contacts with zero provenance? Soft opt-in claimed but no evidence of opt-out at collection? Write it down.

This documentation tells you what to fix. It also helps if the ICO investigates — a self-audit showing you identified and addressed gaps demonstrates good faith, which influences how penalties are calibrated. The pattern behind ICO fines shows that inability to produce any records at all triggers the largest penalties.

Step 6: Remediate

For contacts with consent gaps, you have three options:

  • Re-permission: Send a campaign asking contacts to actively re-confirm their consent with PECR-compliant wording. Anyone who does not respond gets suppressed.
  • Segment and restrict: Move contacts with undocumented consent into a separate segment and stop mailing them until consent is established.
  • Remove: For imported contacts with no consent trail — particularly purchased list data — suppress them entirely.

Re-permissioning campaigns typically lose 60-80% of a list. That is painful, but contacts who do not re-confirm never gave valid consent in the first place. Mailing them is the risk, not losing them.
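As an added illustration (not the article's own tooling, and not ConsentTrail code), this Python script runs Steps 2 to 5 over a constructed Mailchimp export: it buckets rows by Source, checks each form-sourced contact against a hypothetical dated register of form wording versions (the record Mailchimp itself never keeps), and emits a Consent Status plus a note of what is missing. The register, the SOURCE_EVIDENCE table and every sample row are assumptions made up for the example.

```python
import csv
import io
from datetime import datetime
# Constructed rows in the shape of a Mailchimp audience export (not real subscribers).
SAMPLE_EXPORT = """Email Address,OPTIN_TIME,CONFIRM_TIME,OPTIN_IP,Source,Signup Form ID
a@example.com,2025-03-02 10:15:00,2025-03-02 10:20:00,203.0.113.5,Signup Form,form-2
b@example.com,2024-05-10 14:00:00,2024-05-10 14:05:00,203.0.113.8,Signup Form,form-2
c@example.com,2024-11-20 09:00:00,,198.51.100.7,Import,
d@example.com,2025-06-01 12:00:00,,192.0.2.9,API,
e@example.com,2025-01-15 08:30:00,,,Admin,
"""
# Hypothetical register kept outside Mailchimp: (start date, wording, box unticked?) per form.
FORM_WORDING = {"form-2": [
    ("2024-01-01", "Tick to receive our promotions by email", False),  # pre-ticked box
    ("2025-01-01", "Tick to receive our promotions by email", True),   # unticked box
]}
SOURCE_EVIDENCE = {  # "Import" and "Admin" deliberately absent: nothing on file for them
    "API": ("Soft opt-in", "checkout opt-out shown at collection; dated screenshot on file"),
}

def wording_in_force(form_id, opted_in):
    """Return the (wording, unticked) version live at the contact's OPTIN_TIME, if any."""
    live = None
    for start, wording, unticked in sorted(FORM_WORDING.get(form_id, [])):
        if datetime.strptime(start, "%Y-%m-%d") <= opted_in:
            live = (wording, unticked)
    return live

def classify(row):
    """Assign a Consent Status and a 'what is missing' note to one export row."""
    source = row["Source"]
    opted_in = datetime.strptime(row["OPTIN_TIME"], "%Y-%m-%d %H:%M:%S")
    if source in ("Signup Form", "Pop-up Form"):
        live = wording_in_force(row["Signup Form ID"], opted_in)
        if live is None:
            return "Gap", "no consent wording on file for this form and date"
        wording, unticked = live
        if not unticked:
            return "Gap", "pre-ticked box in the form version shown"
        confirmed = "yes" if row["CONFIRM_TIME"] else "no"
        return "Documented", f"wording: {wording!r}; double opt-in confirmed: {confirmed}"
    if source in SOURCE_EVIDENCE:
        return SOURCE_EVIDENCE[source]
    if source == "Import":
        return "Gap", "imported contact with no provenance"
    return "Unknown", f"{source}-added contact; no record of how consent was obtained"

def audit(export_csv):
    return {r["Email Address"]: classify(r) for r in csv.DictReader(io.StringIO(export_csv))}
```

Contact b@ shows the historical-wording point from Step 3: the same form is "Documented" for a@ in 2025 but a "Gap" for b@, who subscribed while the 2024 pre-ticked version was live.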

Make it recurring

A one-off audit fixes today's gaps. But forms change, new contacts arrive through different channels, and team members add people manually. Run this audit quarterly at minimum. The PECR compliance checklist covers the full set of ongoing requirements beyond your subscriber list, and the PECR compliance checker gives you a quick self-assessment in about five minutes.

The gap this exposes

The core problem is structural: Mailchimp stores subscription events, not consent evidence. It was built for email delivery, not regulatory compliance. Matching each subscriber to the specific consent wording they saw, under the conditions PECR requires, falls entirely on you — and spreadsheets do not scale.

This is the problem ConsentTrail is being built to address. It connects to your ESP and documents the full PECR consent chain — wording versions, collection sources, soft opt-in evidence — so the next time you need to prove compliance, the records are already there. It is coming soon; you can join the waitlist to get notified at launch.

In the meantime, the spreadsheet audit above is the best thing you can do today. The businesses that get fined are not the ones with imperfect systems — they are the ones with no system at all.