ActiveCampaign Forum

GDPR - General Data Protection Regulation compliance


Hello, I am interested in this issue too. Any help would be aappreciated. Regards. Thanks.


Yes, we are facing this as well. Can anyone at AC provide an update on this?



Hi, As much as this is a serious issue (GDPR) please don’t panic. There is a lot of scaremongering going on, which is not needed.
That said, it’s disappointing that we don’t yet have a response to this post from AC.


I posted this query a month ago but we have still not received any reply on how AC will enable us to comply with GDPR. We are now only a month away from this legislation coming into law in Europe and there are potentially very significant fines for any organisations which have not taken steps to comply - up to 4% of the global annual revenue for any organisation found to be non-compliant.

Some of the specific questions I need to know answers for are:

  1. Are there any plans for a European Active Campaign data centre so that the data does not go outside of the European Economic Area ? If not what protection is provided for personal data of EU/UK citizens held in a US data centre?

  2. Is there any automated retention functionality planned to assist in removing records which are no longer needed, or is this down to us to implement automations to do this?

  3. The legislation supports the ability to forget an individual on request. How will this be supported? Is it simply be deletion of the record associated with an email address or will there be a way to mark an ‘individual’ as forgotten? Also does any deletion apply to backups/archives ?

  4. Is any encryption functionality planned for enabling the protection of sensitive personal data?

  5. I assume that the preferences requirements will be achieved through the opt-in functionality associated with lists? Will there be any further help here ? It would be useful to have an article explaining how to use various features to comply.

The charity I work for is still trying to ensure we are compliant before the legislation comes into law in a month’s time and we haven’t yet gone live with our Active Campaign database. At the moment I am uncertain whether it is safe to do so until these questions are answered.

I would be grateful if some answers could be posted.


Happy to see I am not alone as I’ve asked a number of times and even had posts not approved to show up on the facebook group. I"m flogged off with being directed to the page with very little information on it. I"m giving this a week before we move to another company that takes this seriously.


I was able to get quick answers from live chat and via support ticket.

Here is the general info found at:

Data Processing
The GDPR specifies a variety of requirements surrounding the processing of personal data. This section will explore some of the data processing requirements and provide links to relevant sections of the text of the GDPR.

Controller and Processors
A Controller is the organization that determines how personal data will be used. A Processor is the organization that processes personal data on behalf and on the instructions of the Controller. The specific responsibilities of each party are laid out in Articles 24-43.

In most cases, ActiveCampaign is a Processor and users of ActiveCampaign are Controllers. Note that it is possible for a single organization to be both a Processor and Controller.

Data processing agreements
Article 28 states that Controller must have clearly documented contracts with Processors that define the scope of processing. These contracts must be “in writing, including in electronic form.” Requirements for processing contracts can be found in the remainder of Article 28.

Data protection officers
According to Article 37, many organizations will be required to appoint a data protection officer. The specific responsibilities of a data protection officer are covered in Article 39. In general, the data protection officer is responsible for compliance with the GDPR.

Transfer of personal data to third countries or international organizations
Articles 44-50 of the GDPR cover the specific requirements for transferring personal data to third parties or international organizations. The GDPR does not require that personal data of EU citizens remain exclusively in the EU, but it does have some requirements for such transfers.

In terms of hosting data in EU servers and/or data transfers from the EU to the U.S. under GDPR, we expect that you will be able to continue to rely on our EU-U.S. PRIVACY SHIELD certification in order to transfer any lawfully obtained personal data to ActiveCampaign using our Services.

You can find more details on our Privacy Shield Certification at


There is a form for each template where you can select which fields users can update and edit and or delete their information. It is already in AC. Using custom fields, we are setting up forms that users have to click to accept our gdpr compliant privacy policy which states exactly how their information will be used in plain language (4 different languages) visit for more specific info on gdpr compliant privacy policies.

This check box on each form along with the double-opt in feature fulfils all GDPR requirements for consent. The last thing one needs to do is sign an DPA (Data Processing Addendum) contract with AC to meet the requirements of Article 28 of the GDPR.

So here are the steps:

  1. Get GDPR compliant privacy policy
  2. create a custom checkbox field that is used on all forms that asks the user they need to check the box to agree to the privacy policy (make sure there is a link that goes to your privacy policy) and the box CANNOT be pre-checked.
  3. make sure all your forms are set for double-opt-in, meaning that an email is sent to the subscribers email address with a button that needs to be clicked to confirm their email (this is all standard in AC and just requires turning on the feature)
  4. request a DPA from AC using the support email or your Customer Success Associate, sign it.

That’s it. Your forms and AC account are now GDPR compliant. If you are in the EU or part of the EEA, then there are additional steps you need to take and you will need to do further research. What I have states just applies to AC. I am not a lawyer and none of this should be taken as legal advice. Its just my opinion based on my research into the subject.

Not sure why AC does not seem to be that active on these boards. Maybe someone in the forum should submit an idea to create a new position at AC to monitor and be active in the community board.

Hope that is helpful. Shout out if there are any questions. No promises, but I will reply if I am able. Cheers.


That’s great and really helpful goetheanum, thank you.

However one issue that really needs addressing is recording consent - and Active Campaign have given no indication on how this will be achieved.

There really are currently 21 working days until GDPR is ‘active’. I’m frustrated at the lack of communication.
I too was directed to their GDPR update page, which really does tell the reader very little.


Hi Maria Paviour Company,

You are welcome. I hope it helps. I agree AC should be much more proactive here. I have also looked at Mailchimps solution and there is documentation on how to setup checkboxes for consent, etc. but it too seems lacking.

What I have done is create 2 checkboxes custom fields:

I agree to my personal data being stored and used to receive the newsletter as stated in your Privacy Policy
I agree to receive information and commercial offers.

I then created another custom field called User Consent Date.
I setup a new automation called User Consent with a trigger of any form being submitted. It checks to see if the check box is checked or not. If it is, it automatically puts in the date in the User Consent Date field.

This way, I know exactly which date a user gave consent.

Hope that helps. I am not waiting for AC on this because as you pointed out, we are only 21 days away from GDPR take effect.

All the best,


And here is a great overview of building up gdpr compliant subscription forms.


Oo good thinking, thanks Jesse!
That’s a great idea. I’ll put in into practice, as we absolutely require something, and it feels very last minute for implementation as it is.
And thanks for the subscription form link.
Best of luck,


Hi everyone! Wanted to hop in on this thread to let you know about our latest podcast all about GDPR. Our Director of Education interviews two attorneys to help explain GDPR and give tips to help you have the right conversations with your legal counsel. Listen in here or read the transcript!


@jdeschane - do you know what AC is putting in place for us with regards to site tracking with GDPR as far as consent and then opting out?

[Edit] Found this article on site tracking with GDPR.:


Hi @followyourlight, looks like you found our help doc around Site Tracking and GDPR. I think you’ll find all the information you need on that page. Happy Monday!


Received an email from AC today regarding GDPR, including a clear(er) roadmap:


Hi guys, have you read the latest update from AC team regarding consents:

Am I the only one finding it a bit strange that they suggest storing all consents with date of consent given using the “notify” function in automation. Meaning we’ll have to store the notification emails? …this is very messy. Don’t you think?

Is there any other AC user here that has a large number of forms on their website. for example forms for contact, for webinar signups, for video downloads, etc etc… Have you figured out any useful tips how to store consents and manage subscriptions?


Hey guys, I hope this is the place for general inquiries, if not, I will erase it at once. my client owns a website with all the information about online casinos, he mainly wants to present the opportunity without taking any risks and tries to provide enough information for everyone who wants to play in order not to become addicted. Therefore, I think there would be a real interests from our visitors in newsletter, but I know about new GDPR policy and that is the part, where I am still lost. However, I would still like to try it, do you know about anything that would go against general rules when it comes to casinos? I understand it´s sensitive topic, so rules might be a little more strict. I understand if you need to check the website first. I, personally, don´t like to answer these questions without even taking a look on the project/website. I will be happy for every answer. Thanks!


GDPR when it relates to casinos is a whole different world as their is normally other regulations sitting on top of the already tough compliance requirements of GDPR. For example in the UK it has become mandatorty to meet GDPR requirements plus abide by the publishing and communications standards of the Gambling Commission. As regulation spreads across the world so will the need to be on top of both GDPR and country specific regulations


Hi! I want to make a good website for Russia. How should I translate the rules for users in the form of a collection of contacts?


A website can easily know about your interest through cookies, they will just track and target your interest to enhance the experience on their site. Generate cookie policy tailored specifically for your website and business in minutes with our easy to use wizard to comply with GDPR and EU cookie law.
GDPR Cookie notice