Double Opt-In: Definitive Legal Requirements for Meticulous Marketers

Double Opt-In Legal Requirements Country Map

What is Double Opt-In?

Double Opt-In is a process whereby the provider of some service requires a would-be new user of that service to take an additional step to verify their agreement to sign up for that service. 

That’s a mouthful, I know – in simpler terms: Double Opt-In is when you have to receive an email and click on a hyperlink within that email before a website will let you create an account.

In the context of email marketing specifically, “Double Opt-In” describes a process whereby a company doing email marketing not only obtains permission from the intended email recipient first, through something like a consent checkbox in a web form, but also sends another notification to the recipient (requiring action by that individual, such as clicking a hyperlink) to confirm that they wish to receive marketing communications (or sign up for the service).  This proves definitively that the recipient owns and controls the email address or mobile device to which the notification was sent.

Why do people use Double Opt-In?

2 reasons, one business and one legal:

  1. Marketing Reason: Double Opt-In creates a “cleaner” database of contacts.
  2. Legal Reason: Double Opt-In solves a legal problem arising from privacy law.

Does GDPR Legally Require Double Opt-In?

Sort of – yes and no.  The internet is extremely confused on this subject; half the articles say yes and the other half no.  Here’s why people are confused: GDPR does not explicitly say, “You have to have a double opt-in process for end user signups or you’re breaking the law.” 

What GDPR does say is that you must get a would-be recipient’s consent prior to sending them marketing emails (or texts, phone calls, etc.).  Of course, many of you read this and are thinking “well, yeah, I get consent from end users because I have a checkbox on my signup webform where the end user can opt-in to receive marketing communications.”

Here’s the thing: just because a web form was submitted that contains a given human being’s contact information does not mean that the human being in question is the one who submitted it.  The webform submission could have come from a bot, for example.  Or perhaps it came from a different human being; for example, perhaps the signup came from the (unknowing) recipient’s jilted ex-lover who now practices signing the recipient up for lots of junk mail as a form of cathartic revenge.  You just never know, do you?

This is where Double Opt-In comes in.  Double Opt-In proves definitively that the submitter of the web form is the owner of the email account (or other contact information) being submitted to the web site.

Which Countries Legally Require Double Opt-In?

Many reputable secondary sources list Austria, Germany, Greece, Switzerland, Luxembourg, and Norway as categorically requiring double opt-in.  However, I was unable to find primary sources confirming this, except for Austria and Germany.  This is understandable given that many popular articles on the subject of Double Opt-In aren’t written by lawyers or legal researchers but by…well, who knows?  My guess is that these authors are conflating wishy-washy regulatory guidance with actual legal requirements.  Here’s what I found.

Austria required: The Austrian Data Protection Authority issued an opinion in a case indicating that Double Opt-in is required when marketing to Austrians. 

Germany required: In 2022 the German data protection authorities released updated guidance (nur auf Deutsch, bitte entschuldigen Sie) explicitly requiring double opt-in (citing some German case law) (“For the electronic declaration of consent, the double opt-in procedure is required to verify the declaration of intent of the data subject, whereby the verification requirements of the German High Court – BGH re [interpretation of] the UWG (ruling of February 10, 2011) must be taken into account in the documentation process.”).

Greece, Switzerland, Luxembourg, and Norway “recommended”: Basically all four of these countries have had their data protection authorities issue guidance “recommending” double opt-in but there is no legal requirement to do so.  For my marketing homies out there, “guidance” is not to be confused with an actual legal opinion from a judge or a law/statute from a legislative body like a parliament or congress.  Here is a link to the Norwegian marketing guidance and, if you speak Greek, here is a link to the Greek email marketing guidance.

The important thing to understand is that, while GDPR is a law, the interpretation of GDPR is up to the judges and/or data protection authorities (administrative agencies) of the individual countries that are subject to the GDPR.  As such, it’s possible for different countries to come to different conclusions about GDPR, including whether or not Double Opt-In is required in the context of digital marketing.

Some EU countries have not weighed in on the subject, so to speak.  That means it’s possible that Double Opt-In will be required in those countries in the future.  As such, the most conservative, future-proof approach to digital marketing in the EU is to require Double Opt-In for all end users whose IP addresses correspond to an EU member state.

A more practical, albeit less risk-averse approach would be to only require Double Opt-In for the EU countries listed above.

Now, again, these are legal requirements.  There are arguments to be made (and many knowledgeable thought leaders in the marketing industry more broadly have made them) that using Double Opt-In as part of a holistic marketing strategy is itself more beneficial than a Single Opt-In methodology.  In other words, for some, Double Opt-In is a marketing imperative regardless of the state of the law.

Can you break Double Opt-In countries down for me using smaller words?

So, to summarize, marketers have 5 options when it comes to Double Opt-In, listed in order from most conservative to least conservative:

  1. The “I believe in the actual business and operational advantages of Double Opt-In” Approach: Require Double Opt-In for all end user registrations globally.
  2. The Future-Proofing, Conservative Approach: Require Double Opt-In only for IP addresses (or physical addresses, if your webform is capturing them) corresponding to E.U. countries.
  3. The Goldilocks Approach: Require Double Opt-In only for IP addresses (or physical addresses, if your webform is capturing them) corresponding to Germany, Austria, Switzerland, Norway, Luxembourg, and Greece.
  4. The “Maverick: I had the shot, there was no danger, so I took it” Approach: Require Double Opt-In only for IP addresses (or physical addresses, if your webform is capturing them) corresponding to Germany and Austria.
  5. The “We don’t market in the European Union anyway and Double Opt-In will shrink my list” approach: Single Opt-In globally.

What’s Single Opt-In, and is it legal?

Single Opt-In is a process whereby the provider of some service requires a would-be new user of that service to only take a single step to opt-in to receiving marketing communications (as opposed to Double Opt-In, which requires 2 steps).  For example, filling out a webform with your contact information and clicking the submit button is all that’s required.

Yes, Single Opt-In is legal in many countries.

Are there any other email marketing requirements from GDPR?

Yes, you should read about the concept of bundling under GDPR.
