MailPoet, WooCommerce, GDPR and Schrems II

Another earlier post translated because of public demand. And clearly one that wrote itself almost on it’s own. And again a bit of jurisdiction as covered before with the Google fonts blogpost. So what’s about MailPoet, WooCommerce and how do they connect to GDPR and Schrems II? And what is this after all?

Let’s start with some definitions: MailPoet, WooCommerce, GDPR and Schrems II


MailPoet is a newsletter service. Like MailChimp, CleverReach, … you name them. But slightly different in one point. MailPoet is a WordPress plugin which keeps the design, content creation and – with some limits, we’ll come to this in a minute – and the sending process on your own server that also hosts your WordPress.

MailPoet and GDPR

Thus having said the GDPR part is almost completely covered. Because of this on premise approach for creation, dispatch and analysis you’ll still need consent from the receipient, but not an order processing contract with a third-party. Advantage MailPoet!

The limits of MailPoet

Your own server is capable to cover emailings up to 50 reciepients and a managable amount of – let’s say – one sendout a month, even if it’s a big one. I would consider it a perfect solution for a small association or a school class (resp. their parents) to get regularly updated. Reason is: with any bigger volume the latent danger increases to get the server blacklisted as a spam hub. As a result all mail dispatch form this server is disrupted. Not only your newsletter, but all your email. And in case of a shared hosting any other mail trafic from other domains hosted on this server. In short: you don’t exactly endear yourself to your hoster.

The MailPoet solution for this

With an increasing number of receipients you need to look for another outgoing mail services. There are a couple of specialized servers for this. Their inherent job is to just send out bulk emails. As long as those are based in EU – not a big deal. Get yor order processing contract and of you go. And as MailPoet has european roots they do not only offer the a.m. plugin, but a premium plan for sending out emails for 1000+ receipients.

As a matter of fact: with an increasing number of receipients and frequency of sendings the prices of MailPoet become less attractive. There are solutions for this, too. MailPoet basically allows almost any other SMTP-server to be used. Most of the big, really powerful ones – i.e. sendgrid, sendinblue or sendblaster – are based in US. If you want to make sure your mail is dispachted GDPR compliant you might want to look out for Amazon SES (simple email service) which can be configured to use SMTP endpoint Frankfurt e.g. within EU jurisdiction.

The next obstacle: Schrems II

Schrems II is the common name for the latest judgement from ECJ covering the privacy shield agreement between US and EU. In short: I just doesn’t work, as long US intelligence is allowed to spy on any data. With that the nessessity of a „comparable privacy standard“ compared to EU is not fulfilled. Neither was it with it’s predecessor „safe harbour“ and how ever they might name the upcoming agreement they’re working on it will surely face the same fait.

As SCCs – standard contractual clauses – are considered still legit by the ECJ many US providers are opting for this as a substitute. Unfortunately this won’t work in reality either. Instead of relying on a intergovernmental act of review and approval (which turned out to be not fulfilled) now ones own responsibility is required. Be honest: can you judge Googles, Apples, FaceBooks, Microsoft, Amazons, … whoever claims about privacy? And can and will you review them? And if you do: what would be the outcome? Will NSA, CIA, FBI and others withdraw their spying because it’s you now reviewing? Just forget it!

Now what about WooCommerce and MailPoet?

First of all: there are some integrations – almost ever have been which tie WooCommerce and MailPoet together. Why not ask for the sign up to the newsletter with the next offers right in the checkout process? Since 7th December 2020 there’s a new plot twist:

MailPoet von WooCommerce erworben. Was macht das mit DSGVO und Schrems II?

MailPoet has been acquired by WooCommerce and – as far as they say – nothing will change. At the moment.

The elephant in the room about MailPoet, WooCommerce, GDPR and for sure Schrems II

WooCommerce and the company behind Automattic are US companies. Yes, indeed there are subsidiaries in Ireland (sic!) for both. The irish data protection authorities are not really well known for enthusiasm about persuing privacy violations.

To quote MailPoet and WooCommerce: „at the moment“ everything is (still) fine. As long as there’s not a change about the a.m. mailservers run by MailPoet. The minute „synergy“ is called and servers are migrated to US – which I suppose is most likely with WooCommerce and Automattic behind – Schrems II come into the picture. At that very point the MailPoet service for EU jurisdiction is dead.

Both the privacy policy of WooCommerce and Automattic aren’t currently neither satisfying in terms of Schrems II (just relying on a.m. SCC) nor do they cover the recent case of MailPoets servers. Which in my eyes is a fatal mistake as the merger wasn’t done in a day. There could have been more than just refering to the new (old) WooCommerce privacy policy.


At this very moment my judgement would be:

  • MailPoet is still usable and my prefered choice for a small amount of receipients and a low-frequency newletter
  • for the mid-size newsletter coverage which is handled by MailPoets servers one has to thoroughly observe the upcoming steps of MailPoet, WooCommerce and Automattic
  • both – WooCommerce and Automattic – have to address their insufficient privacy policies. Irish Subs, SCC and „do no evil“ statements to conceal or downplay US servers are just not enough.