Let’s talk double opt-ins.

I get a lot of questions about GDPR and how to remain compliant. It is nearly 18 months since GDPR came into force and there is now some more clarity about how these new laws affect the use of opt-ins – double opt-ins, to be specific.

Questions like, “Are double opt-ins mandatory to be compliant with GDPR?” and “Do you have to use a double opt-in for everything and every sign-up?”

What is a double opt-in?

A double opt-in is when a new subscriber to your email marketing list receives a second email asking them to confirm their subscription by clicking a confirmation link.

This “double opt-in process” is designed to make certain that the person who received the email actually wants to be on your list and is aware that they are signing up to your email marketing list.

A single opt-in is a one-step process – a person enters their email address once in the sign-up box on the landing page, no confirmation is required, and they immediately become a subscriber to whatever you have offered for subscription.
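To make the two steps concrete, here is an added illustration (my own example code, not part of the original post) of a minimal double opt-in flow: the sign-up is held as pending, the confirmation link carries an unguessable single-use token with an assumed 48-hour validity window, and only the confirmed record, with its separate consent per purpose and a timestamp, goes onto the list.

```python
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

CONFIRM_TTL = timedelta(hours=48)  # assumed validity window for the confirmation link


def _hash(token: str) -> str:
    # Only a hash of the token is stored, so a leaked database does not yield usable links
    return hashlib.sha256(token.encode()).hexdigest()


@dataclass
class Pending:
    email: str
    purposes: dict        # granular consent: one boolean per purpose, e.g. newsletter / offers
    requested_at: datetime


class DoubleOptIn:
    """Hold a sign-up as pending until the confirmation link is clicked."""

    def __init__(self, now=None):
        self.pending = {}      # token hash -> Pending
        self.subscribers = {}  # email -> confirmed consent record
        self.now = now or (lambda: datetime.now(timezone.utc))

    def request(self, email: str, purposes: dict) -> str:
        """Step 1: record the sign-up as pending and return the token for the confirmation link."""
        if not any(purposes.values()):
            raise ValueError("no purpose was opted into; nothing to confirm")
        token = secrets.token_urlsafe(32)  # unguessable; never derived from the email address
        self.pending[_hash(token)] = Pending(email, dict(purposes), self.now())
        return token

    def confirm(self, token: str):
        """Step 2: the subscriber clicks the link; activate only if the token is valid."""
        entry = self.pending.pop(_hash(token), None)  # pop makes the token single-use
        if entry is None:
            return None                                # unknown, already used, or forged
        if self.now() - entry.requested_at > CONFIRM_TTL:
            return None                                # expired: the sign-up must be repeated
        record = {"email": entry.email, "purposes": entry.purposes,
                  "confirmed_at": self.now().isoformat()}  # the timestamp is your consent evidence
        self.subscribers[entry.email] = record
        return record

    def unsubscribe(self, email: str) -> bool:
        """Withdrawing consent must be as easy as giving it."""
        return self.subscribers.pop(email, None) is not None
```

Nothing reaches the subscriber list on the first form submission alone; the list only ever contains addresses whose owner clicked a link that was still valid.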

Are double opt-ins mandatory under GDPR? No, but meeting the consent requirements is!

A better question would be, “Am I following the rules for consent in the opt-in process I am using?”

Consent rules under the GDPR

Whenever you use a single or double opt-in the following consent rules must be followed.

  1. Consent must be requested in clear, specific and unambiguous terms to be considered informed consent; therefore pre-checked (auto-checked) boxes for consent are illegal.
  2. Consent must be granular – you cannot bundle consent. This means consent to your newsletter does not mean consent to other opt-ins. Consent for each opt-in must be separate.
  3. Requests for consent should provide a clear explanation of how the data will be used.
  4. You must make it possible to unsubscribe or refuse consent without penalising the subscriber. In this way, consent is a choice.
  5. Parental consent is required for children under 16 years.
  6. Special Category Data (sensitive information) such as health, race, or genetics data require explicit consent such as double opt-in.
  7. Consent for further processing (i.e. when you already have a commercial relationship with the customer) is not required.

4 compelling reasons why a double opt-in may be considered best practice

  1. The GDPR provides the best opportunity to clean up our email marketing lists and ensures that our list building is meaningful. It also helps us keep our marketing responsible and respectful of the consumer and market at large.
  2. The quality of new leads into our lists is increased by the use of double opt-ins. This is because it stops false data entered by a bot or someone who is not the owner of the email address from contaminating our lists.
  3. A double opt-in process ensures that subscribers who confirmed their email address (via a second email asking them to click a link) really do want to be on your list and are interested in our business and service offerings.
  4. Double opt-ins are useful in obtaining “explicit consent,” which you need if you collect Sensitive Information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.

You can use a single opt-in (except where “explicit consent” is required) provided you meet the consent requirements detailed in the GDPR.

GDPR imposes a higher standard of consent than previous legislation. However, consent is not the only lawful ground for processing someone’s data. There are a number of lawful grounds for collecting data, and these are discussed in my free GDPR Compliance Checklist.

Double opt-in or single opt-in?

Double opt-in is a method by which consent is made certain and should be used where explicit consent is required, e.g. where you are collecting sensitive information or Special Category Data. By using a double opt-in there is no question that the person who opted in meant to opt in.

A double opt-in process also makes it certain that subscribers can receive the “free gift” but opt out of further marketing if they don’t want to receive it.

You can achieve certainty with a single opt-in by ensuring that your single opt-in is set up to meet the rules of consent, i.e. the single opt-in process provides:

  • full disclosure about what is being offered for subscription,
  • an explanation of how that information will be used, via a GDPR compliant Privacy Policy,
  • a separate consent request for each opt-in,
  • and a clearly available way to refuse consent or unsubscribe.

GDPR has raised the bar on the type of information you need to provide about your privacy practices and management. Therefore, you need to have a Privacy Policy in place that explains how you manage the information you collect when you are requesting consent. Click here to purchase a GDPR Compliant Privacy Policy Template.

For guidance on how to make sure your business is GDPR compliant, download my free GDPR Compliance Checklist.

To obtain tailored advice to clear up your questions about your opt-in or consent processes or requirements, book in for a Power Session and request this topic in particular (opt-ins/consent/website legals) HERE.

Shalini x