Why you’ve been getting so many emails about changing terms & conditions

You have no doubt received a glut of emails over the past week from service providers and companies you’ve done business with. These emails are informing you of changes to their terms and conditions.

(“Who actually reads these,” you wonder. “Meeeeeeee!” shouts the digital law specialist.)

Speaking for myself, I received three in a matter of hours:


We’ve updated our Privacy Policy to reflect a number of recent changes and improvements we have made to the way we collect and use customer data. We’re using new technologies and expanding the range of newsletters, bulletins and offers available to our customers, so we have explained what these are and how you can manage your marketing preferences to suit you best.

The changes to the Privacy Policy will take effect immediately. Please click here to read the updated policy and find out more.

As we continue to improve Twitter’s products and features, we’ve also been working on improving our Terms of Service and Privacy Policy.

Our Terms of Service are now easier to read and better organized, which should help users worldwide. Our Privacy Policy has been updated to include a section on the EU-US Privacy Shield program. In addition, we’ve updated and clarified how various services have changed over time. For example, we’ve included adding additional information on non-public communications, using multiple accounts, logged out access, and our advertising services. Feel free to learn more about this in the Help Center.

Please take a moment to read our Terms of Service and Privacy Policy, and keep in mind that by using our services on or after September 30, 2016, you agree to the revisions.


We’re writing to let you know that we’ve made some changes to our Privacy Policy, and that we’ve added a Cookie Statement to our legal policies. In addition to a number of revisions to make our Policy clearer and more readable, here is an overview of some of the changes:

We added provisions in order to comply with the new EU-US Privacy Shield Framework and to make the ways we are complying more obvious. (Numerous sections, but in particular, Section 16)
We made general revisions for clarity around the information we collect, including clarifying the difference between information you voluntarily provide to us and information we collect automatically. (Section 5)
We made general revisions for clarity around how we do and do not use the information that we collect from you. (Sections 6, 9, 12)
We added a California Privacy Statement. (Section 18)
Finally, we added a Cookie Statement that explains in more detail how we use cookies and similar technologies.

We encourage you to read the entire Privacy Policy and Cookie Statement, as these documents explain what kind of information we collect and how we use the information you give us.

If you have any questions, please email legal@mailchimp.com. As always, thanks for using MailChimp.

So what’s going on here?

The main issue here is compliance with the EU-US Privacy Shield Framework.

When you use the services you’ve received these emails from, your data is sent outside the EU to the US, either for web hosting or marketing purposes. The US does not have a data protection or privacy regime like Europe does, which could make your data fair game for anything. For that reason, companies from outside Europe who do business here must certify that they have data protection procedures in place that are equal and adequate to EU data protection standards. That certification process is called Privacy Shield.

The reason you are receiving emails about it now is that Privacy Shield only started up on 1 August. It replaced a previous EU-US data protection agreement, the Safe Harbor scheme, which was invalidated last year by the European Court of Justice. (Why? Snowden.)

Privacy Shield certification, like the data protection principles behind it, is not an overnight, tick-box, automated process. It takes a few weeks to put principles and procedures in place, get systems up and running, and then enter the certification process itself. Those companies that immediately entered the Privacy Shield system are only now being certified.

Hence the emails.

And, as you can see from the Mailchimp and Twitter emails, many providers are using their Privacy Shield compliance announcements as an opportunity to tidy up other terms, conditions, and privacy policies as well.

You may find these emails annoying, but the companies sending them are legally required to inform you of these changes.

Believe me, you would be more annoyed if they didn’t tell you at all.