Mailchimp Account Security – Be Safe Out There!
If I can just crack this safe, all the passwords will be mine I tell you… mine!
Your business burns… what happens next?
Many years ago, I remember attending a workshop on marketing.
It was a broad workshop and covered many things, but there is one thing I kept going back to again and again, and that was “what would happen if something catastrophic happened to your business?”
It burnt to the ground?
You had to take 12 months off for health related reasons?
…and if something like that DID happen… what would the most important asset you had that would help you get back on your feet?
The answer was quite simple.
The most valuable asset your business has is your “list”
No matter what happens to you or your business, the most important asset you have is your list of prospects and customers. Without this, you don’t have a business, and if something was to happen, you’d struggle to recover from the setback.
…yet despite this, I’m consistently surprised by how people manage access to their Mailchimp accounts – essentially, their list.
I’ve seen people share passwords openly. I’ve seen 10 people using the same password and login within a business. I’ve seen businesses who give outside agencies access to their data… and even though the agency finished the work years ago, they still have access to the data.
The bottom line is that you need to ensure that the only people who have access to your data at any time are those who you specifically want to be able to access your account… and that you limit access to what those people need to do what they’re hired to do.
In a world of data protection and GDPR, managing access to your Mailchimp account is essential to protecting your business from abuse and misuse.
Never share your Mailchimp username and password
When you set up your Mailchimp account for the first time, you are the account owner and the one who is fully in control.
Your login gives you full access to everything in the account, whether it’s the audiences your business has, the emails you send, or the back office settings you have.
It’s a powerful position and has full access… and this is why you should NEVER SHARE YOUR LOG-IN WITH ANYONE ELSE.
I really can’t emphasise this enough… anyone who has access to your log in has access to everything… and thus can steal your data, contact your audience with unwanted emails… it’s like giving someone your business front door keys and saying “I trust you”… even if you’ve only met this person once or twice.
If anyone asks for your log in and password, you should avoid providing this at all costs – it just doesn’t make any sense, especially when there are several alternatives built in to your Mailchimp account by default (at every level) that allow you to manage access without the need for giving out passwords etc.
So what options are available to provide access?
How to provide access to your Mailchimp Account to internal staff
Having access to data (and sending emails) is something that you may want to delegate to another staff member, with you in overall control.
If you want to do this, then do not share your log-in details (got the message yet?). If you do, and these people leave the business, they’ll still be able to access your data (not good!)
You need to add them as a new user, and when you do, set the level of access they have to the account.
To do this, log in to your Mailchimp Account and click on your name/account name in the top right-hand corner of the page, and then click “Account”.
This will take you to the Account settings page, where you click “Settings” and then “Users”.
You are now on the page that manages who has access to the data in your Mailchimp account.
To add a new user, click on the “Invite A User” button and a new window opens up so you can invite someone and provide them access to the account.
You can give them one of four different levels of access:
- Viewer – a viewer can only see the reports that are produced for each campaign – so ideal for Admin staff whose responsibility is to pull together performance data on your list and campaigns (and nothing else).
- Author – the next level up is Author, and they have access to the reports, but also the ability to create campaigns, templates and automations on the account. They can’t, however, send campaigns. Ideal if you’re using a designer or copywriter to create the content of your campaigns, but want to be in control of the sending.
- Manager – Has the ability to view reports and create campaigns, but also has the power to press “send”… In fact, a manager has access to most of the account, but can’t see things like billing info, add-on data, they can’t manage users and can’t export any data. For the majority of situations this access is ideal for users.
- Admin – much like you, the owner, an Admin has access to everything. In fact, the account owner is seen as an “admin” by Mailchimp.
Once you’ve selected their level and added their email address (and any message you want to add), then just click send invite and they’ll receive an email where they can click, create their own log in and password, and then have access to your data (at the level you prescribed).
…but how about adding someone who’s external to your business, like a VA or an Agency?
Using the Mailchimp Agency Set up
If you’re working with an external support company, like a Virtual Assistant (VA) or an Agency, then you could give them access as if they were a member of your team, using the above process.
I used to do this with most of my client accounts (want to work with me, click here), but once I realised that there was an alternative with a key benefit, I moved over to that.
I now use the “Mailchimp for Agencies” option.
It offers the same levels of access as the standard “add a user” option… but also gives the agency some flexibility.
If your Agency/VA has an “agency account”, then they can send an email to you requesting access to your account.
As the account owner, you can still restrict the access you give to an agency (i.e. viewer/author/manager/admin), but once you’ve granted the agency access, the agency can add other ‘collaborators’ to the agency account – thus letting them allow other specialists access to your data (e.g. a designer/copywriter), without having to share their log in details – and you can see them on your account as well.
…and you can still “remove them” from your account once the relationship is over (much as you can a standard user).
Actions you should take
If you’re not sure about what you should be doing now here’s a quick hit list of specific actions you should take:
- Change your Mailchimp password – if you’ve got more than one person who’s got access to your account with your username and password – change the password NOW, and then go in and add each as a new user for the account. If you miss anyone, don’t worry, cos they’ll surely reach out when they can’t get access!
- Add new internal Mailchimp users as “users” – Get them to set up their own log-ins and control their access at Account >> Settings >> Users
- Add new external Mailchimp users as an “agency” – If you’re working with an external agency/VA get them to apply to manage your account as an agency – so you can see who else they use to access your account (and adding another level of safety).
- Review existing users regularly – if you’re already using users to manage your account, great… but when was the last time you reviewed access?… I know I’ve stopped working with a couple of clients… and I’ve still got access to their data.
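The regular review in the list above can be kept as a small script that checks each user against the four access levels described earlier. This is an added example, not part of the original article and not Mailchimp code: the capability labels, the register fields (`needs`, `people`, `active`) and the sample users are assumptions made for illustration, and it works on a register you keep by hand from the Users page rather than calling any Mailchimp API.

```python
# Capabilities per access level, as described in the article above.
# The capability names are labels chosen for this example, not Mailchimp identifiers.
ROLES = [  # ordered from least to most privileged
    ("viewer",  {"reports"}),
    ("author",  {"reports", "create"}),
    ("manager", {"reports", "create", "send"}),
    ("admin",   {"reports", "create", "send", "billing", "manage_users", "export"}),
]
RANK = {name: i for i, (name, _) in enumerate(ROLES)}

def minimum_role(needs):
    """Return the least-privileged level whose capabilities cover `needs`."""
    for name, caps in ROLES:
        if set(needs) <= caps:
            return name
    raise ValueError(f"no level grants {sorted(needs)}")

def review(users):
    """Return a list of (email, finding) for each access problem in the register."""
    findings = []
    for u in users:
        if not u["active"]:  # left the business, or the agency work has finished
            findings.append((u["email"], "remove: relationship has ended"))
            continue
        if u["people"] > 1:  # one login used by several people
            findings.append((u["email"], "shared login: invite each person separately"))
        need = minimum_role(u["needs"])
        if RANK[u["role"]] > RANK[need]:  # more access than the job requires
            findings.append((u["email"], f"downgrade {u['role']} -> {need}"))
    return findings

# Constructed sample register (not real accounts).
USERS = [
    {"email": "owner@example.com", "role": "admin",
     "needs": {"billing", "manage_users"}, "people": 1, "active": True},
    {"email": "copy@example.com", "role": "manager",
     "needs": {"create"}, "people": 1, "active": True},
    {"email": "office@example.com", "role": "admin",
     "needs": {"reports"}, "people": 3, "active": True},
    {"email": "old-agency@example.com", "role": "admin",
     "needs": set(), "people": 1, "active": False},
]

if __name__ == "__main__":
    for email, finding in review(USERS):
        print(f"{email}: {finding}")
```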
If you are an Agency/VA…
- Set yourself up as an agency – it’s pretty easy, just go to Account >> Settings >> Details and scroll down to the Mailchimp for Agencies tick-box and set it up
- Request access to your client accounts – Once you’ve set it up – you can see a new tab on the Account page – Clients – where you can request access to your client’s Mailchimp accounts.
It’s your data… Protect it
In a data protection/GDPR world, from a legal point of view, you need to make sure your data is only accessible to those who you want to give access to – it just makes sense.
…but from a business protection point of view, ensuring that the most valuable asset you have, the one that will help if anything ever goes wrong, is protected is essential.
Make sure you’re covered as soon as you can and limit potential data abuse/misuse.
Want to know more Essential Mailchimp stuff?
We've got a series of "must read" articles on things we consider essential when it comes to Mailchimp - To do Mailchimp 'the right way', you really need to check them out.
Option 3 – The ‘Automated Post Send Action’ workaround
OK… so we’re now moving into something a bit more advanced that ‘will’ work on a single click, but it’s a bit ‘convoluted’ and might not work directly for your requirements.
It’s called the ‘post send action’ option and works like this…
- You create an email with a specific link in that you’d like, when clicked, to update something in Mailchimp (a tag, group or field).
- You then create an ‘automated’ email with the trigger “that specific link in that specific email is clicked”.
- The link will have to have some destination to go to, so you’ll need a “we confirm your click and you’ve been updated” page somewhere.
- In the automation you use the ‘post send action’ option to update the record with whatever changes you want to make.
- The automated email gets sent – it can say something like “thanks for letting us know you’re into widgets”.
- …and the post send action updates the record accordingly.
It’s not the most ‘elegant’ of solutions, but it does work. It does however have a downside.
The biggest downside is that you have to create this for every single link AND EMAIL you want clicked. So you can’t just set it up to work every time someone clicks the link in any email… you need one for each email which has the link in.
If you’re doing this just in a welcome email – then not too much of an issue – but chances are you’d like someone to tell you they’re interested in widgets in lots of your emails… and if so you’ll need “lots” of these automations.
So technically, it works, but it’s not the most practical solution.
Option 4 – Automation Leave & Join Merge Tags
Another way you can ‘workaround’ is to use automation leave and join merge tags.
These merge tags, when clicked will automatically add someone to an automation, or remove them from one.
…and using a similar process to that used with the “Automated Post Send Action” above, you can assign tags/remove tags after the first email in the automation is triggered.
If you want to use this option… it’s less ‘clunky’ than creating a specific automation for every email/link you use… and is therefore a much better option.
…but you still need an automation for each element you want updated in a record, and, like I said, it’s rather clunky.
(for reference, the merge tags to use as links are:
and of course you need to use the right campaign id to do this)
The remove will “remove them from the automation flow” but it won’t update their records – as there’s no automation to use the post send action on.
So …better… and probably the best option we’ve all got at the moment (until Mailchimp get things sorted).
…is there any other way?
Option 5 – Chimplinks
What’s a Chimplink I hear you ask?
Well, it’s something I created a while ago to allow me to do exactly what we’re all looking for.
Essentially, I create a link (with a url chimpl.ink/chimpanswers/link123) with the email merge tag appended to the end of the link.
…and then in my system I set it up so that the record gets updated with the appropriate information (tag/group/field) and when clicked, the individual gets redirected to a thank you page.
It’s slick and it works for me and I use it for many of my existing clients.
Unfortunately I can’t get it to “remove” a tag or group (so if I want to have someone opt out of some communication I create an “opt out” tag), but it gives me the option of creating segmentation links in my emails which don’t need an automation directly linked to them!
I’m considering making these available to users at a low cost (e.g. 3 links for 1 year for £20) and if you’re interested, click here to let me know directly and I’ll let you know when they’re ready to roll out.
So there you have it.
Being able to segment on a single click in an email is something many of us want… it’s just it’s not something Mailchimp has available… yet.
There are several workarounds which you can probably use… and I’ve even created my own option.
…but until the chimps in power add this option, we’re all just waiting!!!
Click here to let us know and register for future Mailchimp training specifically designed for agencies and VA’s just like you.
Robin Adams is a business owner who is passionate about helping businesses build effective marketing systems that work and don't waste money. Having a lifetime of Marketing experience (he's got a degree in Marketing before there were degrees in Marketing!) and having worked for big and small businesses and both client and agency side, he understands not only the theory, but the systems that are required to underpin everything.
51% marketer and 49% Chimp, Robin is the main man behind chimpanswers.com and the Mailchimp Answers Facebook Group - the world's biggest Mailchimp User Group. Connect with him on Linkedin.