Double Opt-in GDPR: Is It Compulsory?

Posted on Aug 20, 2023


GDPR introduced a new era of protections for consumer privacy and forever changed the way that businesses across Europe captured, processed, stored, and used personal data.

There was a lot of confusion amongst business owners and marketers in the run-up to the regulations being implemented in May 2018, with many people not knowing quite what to do to ensure compliance.

In the UK, the ICO has done a great job of outlining the responsibilities of organizations in the protection of their customer data. There’s also a lot of great information about how to comply on the official GDPR website.

But despite the official support and guidance available, there are still a few commonly held myths around certain areas of personal data management and processing.

One of those myths is that it’s necessary to have a double opt-in GDPR process for email lists. This isn’t true. A double opt-in email list is not a requirement of GDPR in the UK.

The only country where there is a compliance requirement for double opt-in newsletter subscriptions is Germany, where examples of case law (rather than GDPR legislation) have made it important for businesses to embrace double opt-in.

Some businesses such as Google have decided to err on the side of caution in a few other territories as well, and to receive their marketing and performance emails, Google Ads users need to double opt-in if they are located in Austria, Germany, Greece, Switzerland, Luxembourg, and Norway.

So even though double opt-in GDPR is a myth, and not compulsory to ensure compliance with legislation, if you’re reaching international customers it’s still a good idea. And there are plenty of other reasons why your business might want to choose a double opt-in email subscription method for your lists.

What is double opt-in and why is it important?

Before we jump into why double opt-in can be so useful for the quality and effectiveness of your email lists, let’s first look at the weaknesses of the single opt-in method.

The challenges with single-opt in

When you have a single opt-in, people are added to your lists simply by supplying their email address and taking an action like checking a box. This single action is taken as consent to receive your marketing emails.

This sounds quick and easy, and it is. But it’s also prone to error and poor data quality.

Any spelling error in an email address means an incorrect contact is automatically added to your list.

Another weakness of single opt-in is fake or erroneous emails - either from bots or from malicious activity. There are a variety of scenarios where this could happen, but as an example, imagine friends or colleagues thought it might be amusing to add your email address to an irrelevant list. A single opt-in process would have no way of verifying that you genuinely wanted to receive marketing emails.

How double opt-in overcomes these challenges

With a double opt-in process for your email lists, after supplying their email address and consenting to receive your communications, subscribers need to take a second step of verifying their details before they are added to your list.

It’s typical for a verification email to be sent almost immediately after a user has opted in to deliver the best verification rates.

Moosend has a great article about what should go into a verification email, with a list of examples including this email from Tease Tea:

[Screenshot: the Tease Tea double opt-in verification email]

By adding this second ‘validation’ layer to your opt-in process, you’re taking steps to prevent incorrect and mistyped email addresses from making their way to your list. You’re also eliminating any fake or spoof email addresses from contacts who aren’t really that interested in your emails.

The benefits of using a double opt-in email list strategy

There is a lot of debate amongst email marketers about whether to choose a single opt-in or double opt-in email subscription process.

On the one hand, single opt-in can help you build your email lists more quickly. You won’t ‘lose’ genuine subscribers that forget to verify their email address. There are also arguments that it’s a faster process - you can email subscribers with a welcome message immediately without having to wait for verification. Another suggestion is that single opt-in is a better user experience with fewer hoops to jump through, and as long as you retain relevant records surrounding the opt-in, your business complies with GDPR email consent.

Advocates for double opt-in email lists would generally say that the quality of your email list is more important than its size. To the argument that having to receive and click a verification email can be frustrating for subscribers, they would reply that a subscriber who is genuinely interested and wants to hear from you will appreciate the additional steps you’re taking to protect their time and their privacy.

But perhaps the most compelling benefits that support the use of double opt-in concern email performance:

Fewer bounces

Having a high bounce rate can impact your sender reputation with ISPs. Using double opt-in to verify the accuracy of the email addresses in your list can help reduce the bounce rate of your email campaigns and improve your deliverability.

Fewer spam complaints

A double opt-in process also eliminates the risk of erroneous or fake email addresses being added to your list, which can in turn reduce the number of spam complaints. This can also help reduce the risk of any damage to your sender reputation and improve your deliverability.

Improved engagement rates

When subscribers have taken that extra step of verifying that they want to receive your emails, they are more likely to be engaged with your messages and be receptive to your content.

Improved analysis and reporting

If your email list has a high number of inaccurate or fake email addresses, it can massively skew the accuracy of your reporting and your understanding of how well your true subscribers are responding to your messages.

Embracing a double opt-in email list process can improve the quality of your analysis and reporting dramatically.

Reduced costs

If your email marketing solution is priced based on the number of subscribers you have in your list, you’ll still be paying for any addresses that bounce or go to an incorrect address from a single opt-in process.

By choosing double opt-in, you can have the peace of mind that you’re only paying for list members that have shown a genuine interest in receiving your messages.

Build trust with your subscribers

By showing your subscribers that you care about data accuracy, data privacy, and only sending them messages they are genuinely interested in, you can help to enhance your credibility and give them the reassurance that you’re not going to send them messages they don’t want.

It’s considered data protection ‘best practice’

If we take a step back from the ‘letter of the law’ and look more toward the spirit of the law, the entire purpose of GDPR was to provide individuals with greater rights and controls over their personal data and help establish better standards for the way that businesses collect, process and manage data.

So even though double opt-in isn’t compulsory under GDPR legislation, it is ‘best practice’ in the sense that it does improve the way that businesses collect and store personal data and gives individuals more control.

Double opt-in email lists help with global compliance

There are examples of case law in Germany that support a legal requirement for businesses to practice double opt-in. Other countries that also favor double opt-in include Austria, Greece, Switzerland, Luxembourg, and Norway. So if you’re running a multinational campaign, embracing double opt-in will help ensure your opt-in process is compliant across all territories.

A quick look at the downsides, and a middle-ground solution

This obviously wouldn’t be a balanced article without looking at the disadvantages of using double opt-in for your email lists.

Make no mistake about it - choosing a double opt-in newsletter subscription process will reduce the growth rate of your list.

It’s suggested that only 50-70% of subscribers actually click on the verification email of a double opt-in process.

It’s worth thinking about this carefully based on the specific needs of your business and your growth objectives, and deciding whether you’d rather have 100 emails with potential for error, or 50-70 emails that you know are verified.

Setting up double opt-in can also be more complex to configure, which can pose challenges for smaller businesses without an in-house tech team, although a lot of modern ESPs are well set up to make the process easier than it used to be.

One middle-ground solution is to take a hybrid approach by creating two email lists from your double opt-in email subscription process.

The first list could be ‘verified emails’ - these are the subscribers that have verified their email address through a double opt-in process.

The second list could be ‘opted in but unverified’ where you have the GDPR email consent requirements you need, but not the double opt-in verification. You could carefully monitor this second list for activity, move engaged subscribers into ‘verified’, and make a call on whether you suppress or remove inactive addresses.

If you’re looking for a solution to help you manage multiple lists, an email list management software like Simplelists is something to consider.

What are the GDPR mailing list consent requirements?

We started this article by answering the question “Is double opt-in required by GDPR?” and confirming that double opt-in was not compulsory for GDPR compliance in the UK.

But what is compulsory for compliant GDPR email marketing, and what should you be doing?

We’ve put together a quick checklist of the points you’ll want to consider, although we’d recommend visiting the ICO for more comprehensive information and seeking your own legal guidance for the specific nature of your business.

Have a clear opt-in process

We’re not going to muddy any waters by talking about the other forms of lawful basis for contacting individuals via email (although if you’re interested in further reading, the ICO has a breakdown of the six lawful bases for data processing).

For the purpose of this article and your compliant GDPR email marketing campaign, let’s assume that you are using ‘consent’ as your lawful basis for processing data.

To be compliant with GDPR, your consent process must be clear, unambiguous, and involve a “clear affirmative action” (otherwise known as an opt-in).

Pre-ticked boxes are a no-go area if you’re going to comply with GDPR email consent, because a pre-ticked box doesn’t meet the criteria of being a clear affirmative action.

It’s also important to make sure that you don’t make opting into your email list a precondition of signing up to your service or other terms. It needs to be separate and “unambiguous”.

Keep valid records to demonstrate consent

Another thing that’s really important if you’re going to demonstrate compliance is to keep documented evidence of consent.

The ICO recommends keeping records of:

  • Who signed up to your email list (the email address)
  • When they signed up (timestamp)
  • How they signed up (which form, on which channel)
  • What you told them when they signed up (the wording they consented to, which must be clear and unambiguous)
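The following is an added example, not code from the original post or from any email service provider, showing how the double opt-in flow described earlier, the ‘verified’ / ‘opted in but unverified’ two-list approach, and the four consent facts in the list above fit together in one small subscription store. Class and function names (`SubscriptionStore`, `ConsentRecord`, `opt_in`, `verify`, `promote_engaged`, `erase`), the 48-hour link lifetime, and the sample addresses and wording are all assumptions made for the example.

```python
# Added example: a minimal double opt-in subscription store that keeps the
# ICO's four consent facts. Names, the token lifetime and the sample data
# are assumptions for this illustration, not the article's or any ESP's code.
import hashlib
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple

TOKEN_TTL = timedelta(hours=48)  # assumed lifetime of a verification link


@dataclass
class ConsentRecord:
    """The four facts recommended for each signup: who, when, how, what they were told."""
    email: str                              # who
    signed_up_at: datetime                  # when
    source: str                             # how (which form, which channel)
    statement: str                          # what they were told at signup
    verified_at: Optional[datetime] = None  # set when the confirmation link is used


def _hash_token(token: str) -> str:
    # Only a hash of the emailed token is stored, so a copy of the pending table
    # cannot be used to confirm subscriptions on a subscriber's behalf.
    return hashlib.sha256(token.encode("utf-8")).hexdigest()


class SubscriptionStore:
    def __init__(self) -> None:
        self._pending: Dict[str, Tuple[ConsentRecord, datetime]] = {}  # token hash -> (record, expiry)
        self.unverified: Dict[str, ConsentRecord] = {}  # opted in, link not yet clicked
        self.verified: Dict[str, ConsentRecord] = {}    # confirmed subscribers

    def opt_in(self, email: str, source: str, statement: str,
               consent_given: bool, now: datetime) -> str:
        """First step: record consent and return the token to put in the verification email."""
        if not consent_given:
            raise ValueError("consent needs a clear affirmative action (no pre-ticked boxes)")
        email = email.strip().lower()
        if email.count("@") != 1 or "." not in email.rsplit("@", 1)[1]:
            raise ValueError("malformed email address")
        record = ConsentRecord(email=email, signed_up_at=now, source=source, statement=statement)
        token = secrets.token_urlsafe(32)  # unguessable, single-use
        self._pending[_hash_token(token)] = (record, now + TOKEN_TTL)
        self.unverified[email] = record
        return token

    def verify(self, token: str, now: datetime) -> Optional[ConsentRecord]:
        """Second step: consume the token and move the address onto the verified list."""
        entry = self._pending.pop(_hash_token(token), None)
        if entry is None:
            return None  # unknown or already-used token
        record, expires_at = entry
        if now > expires_at:
            return None  # stale link; the address stays on the unverified list
        record.verified_at = now
        self.verified[record.email] = record
        self.unverified.pop(record.email, None)
        return record

    def promote_engaged(self, email: str, now: datetime) -> bool:
        """Hybrid approach: move an unverified address that shows genuine engagement."""
        record = self.unverified.pop(email, None)
        if record is None:
            return False
        record.verified_at = now
        self.verified[email] = record
        return True

    def erase(self, email: str) -> None:
        """Right to be forgotten: remove every trace of the address."""
        self.unverified.pop(email, None)
        self.verified.pop(email, None)
        self._pending = {h: e for h, e in self._pending.items() if e[0].email != email}


def demo() -> dict:
    """Walk through the flow with constructed sample data and report what happened."""
    store = SubscriptionStore()
    t0 = datetime(2023, 8, 20, 9, 0, tzinfo=timezone.utc)
    statement = "We'll send you our weekly newsletter; unsubscribe at any time."  # constructed
    alice = store.opt_in("Alice@Example.com", "footer form / website", statement, True, t0)
    bob = store.opt_in("bob@example.com", "checkout page", statement, True, t0)
    try:
        store.opt_in("carol@example.com", "pre-ticked box", statement, False, t0)
        pre_ticked_rejected = False
    except ValueError:
        pre_ticked_rejected = True
    results = {
        "pre_ticked_rejected": pre_ticked_rejected,
        "wrong_token_rejected": store.verify("not-a-real-token", t0) is None,
        "alice_verified": store.verify(alice, t0 + timedelta(hours=1)) is not None,
        "token_single_use": store.verify(alice, t0 + timedelta(hours=2)) is None,
        "expired_link_rejected": store.verify(bob, t0 + TOKEN_TTL + timedelta(minutes=1)) is None,
        "bob_still_unverified": "bob@example.com" in store.unverified,
        "bob_promoted": store.promote_engaged("bob@example.com", t0 + timedelta(days=3)),
    }
    store.erase("bob@example.com")
    results["bob_erased"] = "bob@example.com" not in store.verified
    results["verified_list"] = sorted(store.verified)
    return results


if __name__ == "__main__":
    print(demo())
```

The token is consumed on first use and rejected after the assumed 48-hour window, so a forwarded or replayed link cannot confirm an address later; an address whose link expires simply stays on the ‘opted in but unverified’ list, from where `promote_engaged` implements the hybrid approach and `erase` honours a deletion request across both lists.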

Be clear about how your business uses personal data

Your business should also have a privacy policy on your website that outlines how personal data is used, how it is stored, and how long it is going to be kept. Not only will this help you be compliant with GDPR, but it can also help build trust with your customers.

Make it easy for users to unsubscribe

GDPR unsubscribe rules state that it needs to be easy for subscribers to withdraw their consent at any time. Every email message you send should have a clear link to either your email preference centre or an unsubscribe button to satisfy this requirement.

Support an individual’s ‘right to be forgotten’

It’s not enough just to offer subscribers the ability to unsubscribe from your email list. You also need to honor any individual’s “right to be forgotten” and erase all their data if they make such a request.

Your GDPR email compliance checklist

Here are a few points you may want to consider and include as a checklist to ensure that you’re compliant with GDPR when sending emails to your subscribers.

  1. Obtain consent
  2. Double opt-in
  3. Privacy policy
  4. Data minimization
  5. Data storage
  6. Data retention
  7. Data subject rights
  8. Unsubscribe mechanism
  9. Data protection officer (DPO)
  10. Data breach notifications

For more information, download our free checklist


Consequences of non-compliance with GDPR

Part of the reason there was so much panic and confusion in the run-up to GDPR was that the fines and legal ramifications were significant if businesses were found to be non-compliant.

Many marketers still worry about the ability to prioritize personalization without compromising privacy.

But managing your marketing in a GDPR compliant way is important if you’re going to avoid consequences.

We’ll quickly run through three of the main consequences if your business is found not to comply with the GDPR email compliance checklist.

Fines and legal issues

There are two levels of penalties for businesses in the UK if they are found to have breached GDPR.

The lower levels of penalties are fines of up to £8.7m or 2% of annual global turnover for breaching articles relating to children’s consent, processing that doesn’t require identification, and the general obligations of processors and controllers.

Higher fines of up to £17.5m or 4% of global annual turnover relate to breaches of data processing principles, the lawfulness of processing, conditions for consent, data transfers, and the rights of data subjects.

Termination of third-party services

With the potential financial penalties being so severe, many platforms and third-party services understandably insist that only compliant data and processing practices can be used with their solution.

If you’re found to be using their services in a non-compliant way and against terms and conditions, it’s possible that your access to important third-party tools could be revoked.

Loss of reputation

If you’re found to be in breach of GDPR, your reputation is also likely to be impacted along with your finances and ability to access certain third-party services.

Businesses that breach regulations are typically made an example of to encourage compliance from others, and websites like Enforcement Tracker keep tabs on all GDPR decisions to date.

Choosing the opt-in method that is right for your business

Double opt-in is not a legal requirement for compliance with GDPR in the UK.

As long as you have a clear method of collecting consent, and you keep valid records of consent - your choice of opt-in methodology should really depend on the requirements of your business.

That said, there are a lot of benefits to embracing the double opt-in process, including improvements to your email deliverability and engagement rates, more accurate reporting, and making sure you are globally compliant.

However you choose to build your email subscriber lists, Simplelists can help make your email marketing easy by managing and segmenting your contacts and delivering your email campaigns to subscribers.

If you’d like to experience the benefits of Simplelists for yourself, sign up for our one month free trial.
