Let’s talk opt-ins. I get a lot of questions about GDPR and how to remain compliant. It is nearly 18 months since GDPR came into force and there is now some more clarity about how these new laws affect the use of opt-ins – double opt-ins, to be specific.
Questions like, “Are double opt-ins mandatory to be compliant with GDPR?” and “Do you have to use a double opt-in for everything and every sign up?”
What is a double opt-in?
A double opt-in is when a new subscriber to your email marketing list receives a second email asking them to confirm their subscription by clicking a confirmation link.
This “double opt-in process” is designed to make certain that the person who received the email actually wants to be on your list and is aware that they are signing up to your email marketing list.
A single opt-in is a one-step process: the person enters their email address once in the sign-up box on the landing page, no confirmation is required, and they immediately become a subscriber to whatever you have offered for subscription.
Are double opt-ins mandatory under GDPR? No, but meeting the consent requirements is!
A better question would be, “Am I following the rules for consent in the opt-in process I am using?”
Consent rules under the GDPR
Whenever you use a single or double opt-in the following consent rules must be followed.
- Consent must be requested in clear, specific and unambiguous terms to count as informed consent; pre-checked consent boxes are therefore not permitted.
- Consent must be granular – you cannot bundle consent. This means consent to your newsletter does not mean consent to other opt-ins. Consent for each opt-in must be separate.
- Requests for consent should provide a clear explanation of how the data will be used.
- You must make it possible to unsubscribe or refuse consent without penalising the subscriber. In this way, consent is a choice.
- Parental consent is required for children under 16 years.
- Special Category Data (sensitive information) such as health, race or genetics data requires explicit consent, for example via a double opt-in.
- Consent for further processing (i.e. when you already have a commercial relationship with the customer) is not required.
4 compelling reasons why a double opt-in may be considered best practice
- The GDPR provides the best opportunity to clean up our email marketing lists and ensures that our list building is meaningful. It also helps us keep our marketing responsible and respectful of the consumer and market at large.
- The quality of new leads into our lists is increased by the use of double opt-ins. This is because it stops false data entered by a bot or someone who is not the owner of the email address from contaminating our lists.
- A double opt-in process ensures that subscribers who confirmed their email address (via a second email asking them to click a link) really do want to be on your list and are interested in your business and service offerings.
- Double opt-ins are useful for obtaining “explicit consent”, which is required if you collect Sensitive Information such as racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed to uniquely identify a natural person, data concerning health, or data concerning a natural person’s sex life or sexual orientation.
You can use a single opt-in (except where “explicit consent” is required) provided you meet the consent requirements detailed in the GDPR.
GDPR imposes a higher standard of consent than previous legislation. However, consent is not the only lawful ground for someone’s data. There are a number of lawful grounds for collecting data and these are discussed in my free GDPR Compliance Checklist.
Double opt-in or single opt-in?
Double opt-in is a method by which consent is made certain and should be used where explicit consent is required, e.g. where you are collecting sensitive information or Special Category data. By using a double opt-in there is no question that the person who opted in meant to opt in.
A double opt-in process also gives certainty that subscribers can receive the “free gift” yet opt out of further marketing if they do not want to receive it.
You can achieve certainty with a single opt-in by ensuring that your single opt-in is set up to meet the rules of consent, i.e. the single opt-in process provides:
- full disclosure about what is being offered for subscription,
- separate consent requested for each opt-in,
- and a clearly available way to refuse consent or unsubscribe.
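The two-step confirmation described under “What is a double opt-in?” and the consent rules above (separate consent per purpose, nothing pre-ticked, a refusal that costs the subscriber nothing), as an added example that is not code from the original post. It assumes an in-memory store and a constructed server-side key; the purpose names and the 24-hour link lifetime are illustrative choices.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, FrozenSet, Optional

# Constructed secret for this example; a real deployment loads it from a secret store.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = 24 * 3600  # confirmation links stop working after 24 hours

# Granular consent: each purpose is ticked separately and none is pre-checked.
PURPOSES = ("newsletter", "product_offers")

@dataclass
class Subscriber:
    email: str
    purposes: FrozenSet[str]        # only the purposes the person actively ticked
    requested_at: int               # when the sign-up form was submitted
    confirmed_at: Optional[float] = None  # set by the second step (the link click)

pending: Dict[str, Subscriber] = {}    # requests awaiting the confirmation click
confirmed: Dict[str, Subscriber] = {}  # people who completed both steps

def _sign(email: str, issued: int) -> str:
    # HMAC over email and issue time so a link cannot be forged or altered.
    return hmac.new(SECRET_KEY, f"{email}|{issued}".encode(), hashlib.sha256).hexdigest()

def subscribe(email: str, ticked: Dict[str, bool]) -> Optional[str]:
    """Step one: record the request and return the token for the confirmation link.
    Returns None when nothing was ticked: a blank form is not consent."""
    chosen = frozenset(p for p in PURPOSES if ticked.get(p) is True)
    if not chosen:
        return None
    issued = int(time.time())
    pending[email] = Subscriber(email, chosen, issued)
    return f"{email}|{issued}|{_sign(email, issued)}"  # URL-encode before emailing

def confirm(token: str, now: Optional[float] = None) -> bool:
    """Step two: verify the token carried by the clicked link and record consent."""
    now = time.time() if now is None else now
    try:
        email, issued_s, sig = token.split("|")
        issued = int(issued_s)
    except ValueError:
        return False                      # malformed link
    if not hmac.compare_digest(sig, _sign(email, issued)):
        return False                      # forged or tampered link
    if now - issued > TOKEN_TTL or email not in pending:
        return False                      # expired, already used, or never requested
    sub = pending.pop(email)
    sub.confirmed_at = now                # timestamped evidence of the confirmation
    confirmed[email] = sub
    return True
```

Keeping `requested_at`, `confirmed_at` and `purposes` per subscriber is what lets you later show what each person agreed to and when.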
For guidance on how to make sure your business is GDPR compliant, download my free GDPR Compliance Checklist.
To obtain tailored advice to clear up your questions about your opt-in or consent processes or requirements book in for a Power Session (opt-ins/consent/website legals) HERE.
Lawyer, Contract Specialist, Speaker & Advocate for Women in Business.
Drawing on more than 15 years’ experience as a lawyer and a woman in business, Shalini Nandan-Singh helps Australian service-based entrepreneurs protect their businesses and their bottom lines with empowered legal advice and contracts.
Encouraging listeners to #loveyourlegals, Shalini firmly believes that business legals should be an authentic extension of your business. Her goal is to educate audiences that, rather than confusing legalese, business legals can create positive business boundaries that support you in working with your clients with compassion and understanding.
Disclaimer: This blog is written to support business owners to consider legal requirements and issues that may arise in business. The information provided is for general and educational purposes only. It is not intended as legal advice for your individual circumstances. Please consult your lawyer for advice specific to you and your business.