2026-05-10

Campaign Monitor 2026: Australian Roots, Marigold Delaware Parent, and GDPR Risk for EU Email Marketing — Series Finale

Post #951 in the sota.io EU Cyber Compliance Series | EU-EMAIL-MARKETING-SERIE Post #6 — Finale


Campaign Monitor looks different from the other five platforms in this series. Founded in 2004 in Sydney, Australia — not Delaware or Silicon Valley — it has a distinctly non-American origin story. Its founders, Ben Richardson and David Greiner, built it as a bootstrapped tool for web designers sending HTML emails on behalf of clients. For its first decade, Campaign Monitor operated as an independent Australian software company, entirely outside the US corporate structure that makes CLOUD Act analysis necessary.

That changed in 2014. In September of that year, Insight Venture Partners — a US private equity firm headquartered in New York and incorporated in Delaware — acquired Campaign Monitor in a transaction reportedly valued at around $250 million. That acquisition transferred control of Campaign Monitor from its Australian founders to a US private equity firm. From that moment forward, Campaign Monitor's GDPR analysis has required examining its relationship with its US corporate parent.

The subsequent years brought further consolidation. In 2018, Insight Venture Partners merged Campaign Monitor with Emma, another US email marketing company. The combined entity was branded CM Group. Over the following years, CM Group continued acquiring email and marketing automation platforms: Sailthru (2020), Selligent (2021), Delivra, Vuture, and Liveclicker. In 2022, CM Group rebranded as Marigold — a unified brand for what had become a substantial private equity roll-up in the email marketing sector.

Marigold's holding company is incorporated in Delaware. The company that acquired and now controls Campaign Monitor is a domestic US person under the CLOUD Act. That is the central compliance fact this post examines.


Corporate Structure: From Sydney to Delaware

Campaign Monitor Pty Ltd — The Australian Operating Entity

Campaign Monitor's primary operating entity in its home market is Campaign Monitor Pty Ltd, an Australian proprietary limited company registered in New South Wales, Australia. The Pty Ltd structure is governed by the Australian Corporations Act 2001 and regulated by the Australian Securities and Investments Commission (ASIC).

Campaign Monitor Pty Ltd is not a US person. An order from a US District Court under the CLOUD Act cannot be directed to Campaign Monitor Pty Ltd as a domestic US person. If the US government wanted data from Campaign Monitor Pty Ltd directly, it would need to proceed through the US-Australia MLAT (Mutual Legal Assistance Treaty), involving Australian judicial process and the mutual legal assistance framework that both governments have agreed to under the Treaty on Mutual Legal Assistance in Criminal Matters.

This is the foundation of Campaign Monitor's marketing claim that it operates under Australian law with Australian infrastructure options. The claim about Campaign Monitor Pty Ltd is technically correct.

CM Group / Marigold — The Delaware Controlling Entity

The compliance analysis cannot stop at the subsidiary. Campaign Monitor Pty Ltd is wholly owned by Marigold (formerly CM Group), and the Marigold holding structure is incorporated in Delaware, United States.

Marigold's corporate hierarchy as of 2026:

Under this structure, the Delaware-incorporated parent entity — CM Group Holdings LLC and its successor Marigold — is a domestic US person under 18 U.S.C. § 2713. A US federal court can issue a CLOUD Act order to CM Group Holdings LLC / Marigold requiring production of data within its custody or control.

The Custody and Control Question

The operative CLOUD Act question is whether CM Group Holdings LLC / Marigold has "custody or control" of data held by Campaign Monitor Pty Ltd (Australia). This analysis turns on the following factors:

Corporate ownership: CM Group Holdings LLC fully owns Campaign Monitor Pty Ltd. In corporate law, a parent corporation does not automatically have custody or control of data held by its subsidiary — the subsidiary is a separate legal entity. However, the analysis does not end there.

Technical infrastructure access: If Marigold operates unified SaaS infrastructure across its portfolio brands — shared data platforms, unified CRM systems, common data lakes for cross-brand analytics — then the Delaware parent entity may have technical access to (and therefore custody or control of) data that Campaign Monitor processes on behalf of EU customers. This is particularly relevant given that CM Group/Marigold has explicitly positioned itself as a unified platform with "connected data" across its portfolio brands.

Governance and contractual authority: As the 100% shareholder of Campaign Monitor Pty Ltd, Marigold/CM Group Holdings LLC has the legal authority to direct Campaign Monitor Pty Ltd to produce data. Under the CLOUD Act, if a parent corporation can legally compel its subsidiary to produce data, and the parent is a domestic US person, the parent may be found to have custody or control of that data.

US-law obligations: When the Delaware parent receives a legal process demand under US law — including a National Security Letter, a FISA production order, or a grand jury subpoena — its legal counsel will assess what data it can access across its global portfolio. If cross-portfolio data access exists (for audit, compliance, or business intelligence purposes), that data may be producible under US process.

For EU compliance officers, the conservative and legally defensible position is: data processed by Campaign Monitor for EU customers is subject to potential CLOUD Act access through Marigold's Delaware parent structure. This is the same structural risk present in Mailchimp (Intuit/Delaware), Klaviyo (NYSE Delaware corporation), Constant Contact (Newfold Digital/Delaware), and ActiveCampaign (Delaware/Illinois).


Marigold's Business Model and Its GDPR Implications

The PE Roll-Up Model and Data Sharing

Marigold's growth strategy is fundamentally different from organic software development. It is a private equity roll-up — a model where a PE firm acquires multiple companies in the same sector and extracts value through consolidation, cross-selling, and cost reduction.

For GDPR purposes, the PE roll-up model introduces specific risks:

Cross-brand data sharing: PE roll-ups frequently implement shared services — shared data platforms, consolidated CRM systems, unified customer data lakes — to reduce costs and enable cross-selling. If Campaign Monitor customer data flows into a shared Marigold data platform that is accessible to Marigold's US corporate functions, that data is within the potential reach of CLOUD Act process directed at the Delaware parent.

DPA (Data Processing Agreement) chain complexity: When Campaign Monitor processes EU personal data as a processor under Article 28 GDPR, the agreement is with Campaign Monitor as the processor. But Campaign Monitor's sub-processors — including any Marigold shared services entities — must be disclosed and approved. Marigold's multi-brand structure (with operating entities in Australia, the US, Belgium, the UK, and elsewhere) creates a sub-processing chain that is difficult to audit fully.

Exit risk: PE-backed companies are acquired and resold. Insight Venture Partners' investment in Campaign Monitor/Marigold is not permanent. A future acquisition by a US strategic buyer (such as a major US marketing cloud company) would trigger another round of data controller/processor analysis and potentially introduce new CLOUD Act-exposed entities into the data processing chain.

Marigold's GDPR Infrastructure Claims

Campaign Monitor / Marigold provides EU customers with a Data Processing Agreement that references:

These contractual commitments are real and do provide some legal protection. However, they address the legality of the data transfer (whether the transfer to a third country is lawful under GDPR Chapter V) rather than the CLOUD Act access risk (whether a US court can compel the production of EU customer data held by or accessible to Marigold's Delaware parent).

The SCCs obligate Marigold/Campaign Monitor to notify EU customers when they receive compelled disclosure demands from US authorities and to exhaust available legal challenges before complying. But this obligation exists at the contractual level — it does not eliminate the US government's legal authority to compel disclosure from a domestic US person.


CLOUD Act Analysis: Summary

| Factor | Campaign Monitor Assessment |
|---|---|
| Operating entity | Campaign Monitor Pty Ltd (Australia) — NOT a US person |
| Controlling parent | Marigold / CM Group Holdings LLC (Delaware) — IS a US person |
| PE ownership | Insight Venture Partners (Delaware LP) |
| CLOUD Act exposure | Via parent: Marigold/CM Group Holdings LLC can be compelled |
| EU data residency | Available as option; does not eliminate CLOUD Act risk |
| SCCs in place | Yes; addresses transfer legality, not compelled disclosure |
| GDPR enforcement record | No significant DPA enforcement actions against Campaign Monitor as of 2026 |
| Risk classification | HIGH — equivalent structural risk to Mailchimp, Klaviyo, Constant Contact, ActiveCampaign |

GDPR Compliance Record

Campaign Monitor has not been the subject of significant DPA enforcement actions in the EU as of 2026. This absence of enforcement is not a GDPR compliance guarantee — it reflects the fact that DPA investigation capacity is limited and enforcement tends to focus on the largest controllers and most visible violations.

Campaign Monitor's GDPR documentation includes:

Sub-processor disclosure: Campaign Monitor publishes a sub-processor list as required under GDPR Article 28(3)(d). The list includes US-based sub-processors, such as AWS infrastructure in the EU regions and various US-headquartered SaaS tools. EU customers using Campaign Monitor should verify that all listed sub-processors have appropriate transfer mechanisms and that the list is kept current (some sub-processor lists are updated infrequently).

Data retention: Campaign Monitor's standard data retention terms allow customer data to be retained for a period after account termination. EU customers should review retention terms against their own ROPA (Records of Processing Activities) obligations under GDPR Article 30.

Consent management: Campaign Monitor's position on consent lawfulness places responsibility on the customer (the data controller) for ensuring that email lists are collected with appropriate consent. This is legally correct under GDPR — the email marketer is the controller, and Campaign Monitor is the processor — but it means that GDPR consent issues in email marketing campaigns are the controller's liability, not Campaign Monitor's.


EU Alternatives to Campaign Monitor

For EU organisations that need email marketing without CLOUD Act exposure through a US-incorporated parent, the following EU-headquartered platforms eliminate the structural risk:

Brevo (formerly Sendinblue) — French, EU-native

Brevo SAS is incorporated in France and headquartered in Paris. It is the most direct EU-native competitor to Campaign Monitor in terms of feature breadth — marketing automation, transactional email, SMS, and CRM features are available. Brevo processes EU customer data under French law and is regulated by the CNIL (Commission Nationale de l'Informatique et des Libertés).

Brevo's infrastructure is operated from EU-based data centres. It does not have a Delaware-incorporated parent. For EU organisations seeking a feature-equivalent to Campaign Monitor without CLOUD Act exposure, Brevo is the primary recommendation.

Key facts: Founded 2012, Paris, France. €166M revenue (2023 estimate). Enterprise tier available. 500,000+ customers. Self-hosted option not available; SaaS only.

MailerLite — Lithuanian, EU-native

MailerLite UAB is incorporated in Vilnius, Lithuania, and operates as an EU-headquartered SaaS platform. It is founder-controlled and bootstrapped — not backed by US PE or VC. MailerLite's data processing is governed by Lithuanian law and Lithuanian DPA (Valstybinė duomenų apsaugos inspekcija) oversight.

MailerLite focuses on simplicity and is a strong fit for small to medium organisations. Its pricing is competitive with Campaign Monitor at lower list sizes.

Key facts: Founded 2010, Vilnius, Lithuania. Bootstrapped/founder-controlled. 1 million+ customers. No US parent.

CleverReach — German, EU-native

CleverReach GmbH & Co. KG is headquartered in Rastede, Lower Saxony, Germany. It operates under German law and is regulated by the Lower Saxony DPA (Landesbeauftragter für den Datenschutz Niedersachsen). CleverReach is a mid-market platform with strong German-language support and is frequently used by German Mittelstand companies for GDPR-compliant email marketing.

Key facts: Founded 2007, Rastede, Germany. German-law entity. Strong DACH market focus.

Rapidmail — German, EU-native

Rapidmail GmbH is headquartered in Freiburg im Breisgau, Germany. It is a smaller platform focused on simplicity and GDPR compliance for the German market. All data processing occurs in Germany. It is particularly suitable for SMEs seeking a straightforward, fully German-hosted email marketing solution.

Key facts: Founded 2008, Freiburg, Germany. Data stored exclusively in Germany. German DPA (Baden-Württemberg) jurisdiction.


EU-EMAIL-MARKETING-SERIE: Complete Six-Platform Comparison

This is the final post in the sota.io EU-EMAIL-MARKETING-SERIE. The series examined the six most widely used email marketing platforms and assessed each for CLOUD Act exposure and GDPR structural risk from a European data protection perspective.

| Platform | Legal Headquarters | Ultimate Parent | CLOUD Act Status | GDPR Risk Verdict |
|---|---|---|---|---|
| Mailchimp | Atlanta, Georgia, USA | Intuit Inc. (Delaware/NYSE) | Direct: Intuit is a domestic US person | HIGH — Unresolvable |
| Klaviyo | Boston, Massachusetts, USA | Klaviyo, Inc. (Delaware/NYSE) | Direct: Klaviyo Inc. is a domestic US person | HIGH — Unresolvable |
| Constant Contact | Waltham, Massachusetts, USA | Newfold Digital (Delaware PE) | Via parent: Newfold Digital Holdings is a domestic US person | HIGH — Unresolvable |
| ActiveCampaign | Chicago, Illinois, USA | ActiveCampaign LLC (Delaware/Silversmith) | Direct: Delaware LLC is a domestic US person | HIGH — Unresolvable |
| GetResponse | Gdańsk, Poland | GetResponse S.A. (Polish joint-stock company) | Via subsidiary only: GetResponse Inc. (Delaware) has limited scope over EU data | LOW — EU-Native with US Subsidiary Caveat |
| Campaign Monitor | Sydney, Australia | Marigold / CM Group Holdings LLC (Delaware PE) | Via parent: CM Group Holdings LLC is a domestic US person | HIGH — Unresolvable |

The Series Finding

Five of the six platforms examined in this series present an unresolvable CLOUD Act risk for EU data subjects. The structural problem is not a matter of data centre geography or DPA agreements — it is the corporate law status of the entity that controls the platform. When a Delaware corporation controls an email marketing platform, that Delaware corporation is a domestic US person, and US federal courts can compel it to produce data within its custody or control regardless of where that data is physically stored.

GetResponse is the outlier in this series — not because it is free of US exposure (its Delaware subsidiary introduces genuine risk that EU compliance teams must evaluate), but because the primary legal entity is Polish, the founder controls the company without US PE governance, and the CLOUD Act analysis requires the more complex MLAT route rather than a direct domestic order.

For EU organisations choosing an email marketing platform on GDPR compliance grounds, the correct decision is to use an EU-native platform: Brevo (France), MailerLite (Lithuania), CleverReach (Germany), or Rapidmail (Germany). These platforms eliminate the Delaware parent risk entirely.


What EU Compliance Officers Should Do

If your organisation currently uses Campaign Monitor for EU email marketing:

1. Map your sub-processor chain. Request Campaign Monitor's current sub-processor list and verify that all listed entities have appropriate transfer mechanisms. Pay particular attention to Marigold group entities that may access data across the portfolio.

2. Assess your ROPA. Ensure that your Records of Processing Activities under GDPR Article 30 accurately reflect Campaign Monitor as a processor and document the transfer mechanism (typically SCCs) for the cross-border data transfer to a US-controlled entity.

3. Evaluate migration risk. If your GDPR compliance requirement is strict — for example, due to sector regulation (healthcare, financial services, public sector), DPA guidance in your Member State, or contractual obligations to EU customers — assess whether the structural CLOUD Act risk is acceptable for your use case.

4. Consider a phased migration. Transitioning email marketing platforms is operationally significant (list migration, template rebuilds, automation reconfiguration, sender reputation warm-up). A phased migration to Brevo or MailerLite is achievable with 3-6 months of planning and is the path to eliminating the structural CLOUD Act risk.

5. Review your consent records. Campaign Monitor's GDPR position places consent responsibility on the controller (you). Ensure your email lists are collected with valid consent under GDPR Article 6(1)(a) or another appropriate lawful basis, and that consent records are documented and time-stamped.


Verdict: Campaign Monitor for EU Email Marketing

Campaign Monitor's Australian origins are a historical artefact. The platform has been controlled by a Delaware-incorporated private equity vehicle since 2014, and as of 2026 operates under the Marigold brand within a complex multi-brand roll-up structure. The controlling entity — Marigold / CM Group Holdings LLC — is a domestic US person under the CLOUD Act.

For EU organisations with strict GDPR compliance requirements, Campaign Monitor presents the same structural risk as the other four US-controlled platforms in this series. The existence of an Australian operating subsidiary and EU data residency options does not eliminate the CLOUD Act risk that runs through the Delaware parent.

The EU-EMAIL-MARKETING-SERIE conclusion is clear: GetResponse (EU-native Polish entity) carries the lowest CLOUD Act exposure of the six platforms reviewed. For complete CLOUD Act elimination, EU-native alternatives — Brevo, MailerLite, CleverReach, Rapidmail — are the appropriate choice for EU organisations with strict data sovereignty requirements.


This post is part of the sota.io EU Cyber Compliance Series — the complete reference for EU organisations evaluating US SaaS platforms under GDPR and CLOUD Act constraints. See the full EU-EMAIL-MARKETING-SERIE: Mailchimp · Klaviyo · Constant Contact · ActiveCampaign · GetResponse · Campaign Monitor (this post)
