If you engage in email marketing targeting clients in Europe, you must ensure you comply with the GDPR. After all, email addresses qualify as personal data. But do you need to implement double opt-in to target people affected by the GDPR?

The short answer is no. But the longer answer is you probably should.

Double opt-in means subscribers must validate their email address before being added to your mailing list. While this is not a GDPR requirement, it has several advantages.

In this post, we'll explore what the GDPR requires from businesses that target European customers through email marketing. We'll also look at one European country that requires double opt-in and why your company should consider upgrading to double opt-in as standard.


What Is Double Opt-In?

Double opt-in is an enhanced way of collecting consent that requires a customer to perform two actions before being added to your mailing list:

  • Submit their information via a consent form on your website
  • Click a confirmation link (or enter a code) in an email sent to that address, confirming that they consent to being added to your mailing list

The example below from Chipotle informs customers that they will need to confirm their subscriptions. It also makes unsubscribing very easy and obvious:

Chipotle Alerts sign-up form

The follow-up screen makes it clear that there is one more step to take to become a subscriber:

Chipotle Alerts sign-up form confirmation page

The example below from ClassIn shows another option: asking the customer to enter a confirmation code to confirm their consent to the use of their email address for marketing purposes:

ClassIn verification code email

The alternative, single opt-in, only requires a customer to submit their personal data on your website to confirm consent. So, which is best for complying with the GDPR?

Does the GDPR Require Double Opt-In?

No, the GDPR does not require double opt-in in any EEA country, and the UK GDPR does not require it either. The text of the GDPR neither uses the term "double opt-in" nor contains the concept.

However, as shown in the excerpt below, it does set out some guidelines for consent:

  • Must be "freely given, specific, informed, and unambiguous"
  • Could include a written or oral statement
  • Other options include a tick box
  • "Silence, pre-ticked boxes, or inactivity" do not constitute consent

GDPR consent guidelines

So, if double opt-in is not part of the GDPR framework, why are some businesses adopting it as standard when adding EEA customers to their mailing lists? The answer is Germany.

Germany's double opt-in requirements

While many EU countries recommend the use of double opt-in for direct marketing, Germany has gone a step further. As an EU member state, it is governed by the GDPR. In addition, Section 7 of the German Act Against Unfair Competition (Gesetz gegen den unlauteren Wettbewerb, or "UWG") prohibits email advertising without the recipient's prior express consent, and the sender bears the burden of proving that this consent exists. German courts generally accept a documented double opt-in (the form submission plus the logged confirmation click) as that proof, which is why it has become the de facto standard.

Additionally, the guidance on direct marketing issued by the German Data Protection Conference (Datenschutzkonferenz, or DSK), updated in 2022, sets out double opt-in as the expected procedure for obtaining and documenting consent to email marketing. Court judgments have upheld this approach, so if you want to reach customers in Germany by email, you need to implement double opt-in.

Exemptions under Germany's UWG

While double opt-in is the standard under German law, Section 7(3) of the UWG contains one exemption for existing customers. It applies only when all four of the following conditions are met:

  • The email address was obtained during a purchase or service transaction.
  • The sender only uses the email address to promote similar products or services and does not use it to promote other businesses.
  • The recipient has not opted out of receiving emails.
  • The recipient is informed that they can unsubscribe for free, both when they sign up and in every email from then on.

This exemption may allow you to keep emailing existing customers about similar products, but it is narrow: if any one of the conditions is not met (for example, the address came from a newsletter form rather than a purchase), you are back to needing consent. Implement double opt-in for every new sign-up.

Do other EEA countries require double opt-in?

Currently, no other EEA country has made double opt-in a requirement for obtaining consent for email marketing. However, authorities in the following countries recommend it (Switzerland is not an EEA member, but its unfair competition law likewise requires consent for mass email advertising):

  • Austria
  • Greece
  • Luxembourg
  • Norway
  • Switzerland

Other countries may follow suit, so if you target any EEA customers, now may be the time to implement double opt-in protocols.

Pros and Cons of Double Opt-In

In the current business environment, customers are more sensitive than ever to data privacy issues. They also have limited tolerance for spam emails. Against this backdrop, double opt-in can have the following benefits:

  • Higher trust: By implementing double opt-in even when it is not an explicit requirement, your business demonstrates its commitment to respecting the privacy of its customers’ data.
  • Higher quality mailing list: By having customers validate their emails, you ensure that customers on your mailing list really want to be there and their email addresses are valid.
  • Future-proofing: Implementing additional safeguards now may put your business ahead of the curve when more stringent data protection laws emerge in the future.
  • Fewer spam complaints: People who don't want your emails are far less likely to receive them if they have to confirm the subscription. Confirmation also means nobody can subscribe an address they do not control: a forged sign-up yields at most one confirmation email, not an ongoing stream of newsletters. (Rate limiting and a CAPTCHA on the form are still needed to stop bulk abuse of the form itself.)
  • Compliance with EEA country regulations: While it is not required by the GDPR, you will be able to safely target customers in Germany and respect the double opt-in recommendations of other EEA countries.

However, there are also drawbacks to consider, including:

  • Clunky process: Some users may find the process too cumbersome or time-consuming and fail to follow through.
  • Missed customers: Some customers may not complete the process, meaning you potentially miss out on business.
  • Fewer subscribers: The issues mentioned above may result in a smaller mailing list.

Many businesses decide that the pros outweigh the cons, especially as the result should be a more targeted list of motivated customers. If you decide this is the right approach, or you target customers in Germany, let's see how you can implement it.

How to Implement Double Opt-In for Email Marketing

Enabling double opt-in is usually a straightforward process. It will vary depending on your email marketing platform, but we have outlined the basic steps here.

Enable double opt-in in settings

Log in to your email marketing platform and go to your email list settings. You should find an option such as "Enable double opt-in" or "Confirmed opt-in." Update this on all relevant mailing lists.

Create a confirmation email

Write a clear, simple confirmation email that thanks customers for signing up and explains there's just one more step to go to become confirmed subscribers. Make the call to action clear so they follow through and become subscribers.

As shown below, Chipotle uses a very simple, text-based email with a validation link to complete the two-step process. However, many email marketing companies provide a range of templates that can be customized to appeal to your customers:

Chipotle double opt-in link

Close the loop

Once the new customer clicks the link to verify their email address, make sure it lands on a page that does the following:

  • Confirms they are now on your mailing list
  • Thanks them for signing up
  • Lets them know how to unsubscribe at any time

Keep consent records that show who consented, when, from which form, and when the confirmation link was clicked. Article 7(1) of the GDPR puts the burden of demonstrating consent on you, and in Germany the same records are what a court will expect to see under the UWG. Also implement a process to update or erase a customer's data promptly when they ask.
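The three steps above, as an added worked example that is not code from the original article or from any email marketing platform: a confirmation token signed with HMAC and bound to the address, the list, an expiry and a one-time nonce; a consent store that records sign-up time, source form and confirmation time; and an immediate unsubscribe path. The SECRET_KEY, BASE_URL and the in-memory store are assumptions standing in for a real secrets manager, endpoint and database, and the sample address in the usage is constructed.

```python
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode

# Assumptions (not from the article): in production load the key from a
# secrets manager and point BASE_URL at your real confirmation endpoint.
SECRET_KEY = b"replace-with-a-random-32-byte-secret"
BASE_URL = "https://example.com/confirm"          # hypothetical endpoint
TOKEN_TTL_SECONDS = 48 * 3600                      # links stop working after 48 h
SIG_LEN = 32                                       # HMAC-SHA256 digest length


def _sign(payload: bytes) -> bytes:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def make_confirmation_token(email, list_id, now=None):
    """Bind the token to the address, the list, an expiry and a one-time nonce,
    then sign it so it cannot be forged or edited to confirm a different address."""
    now = time.time() if now is None else now
    payload = json.dumps(
        {"email": email.strip().lower(), "list": list_id,
         "exp": int(now + TOKEN_TTL_SECONDS), "nonce": secrets.token_hex(8)},
        separators=(",", ":"), sort_keys=True).encode()
    return urlsafe_b64encode(payload + _sign(payload)).decode().rstrip("=")


def confirmation_link(token):
    return f"{BASE_URL}?token={token}"


def verify_confirmation_token(token, now=None):
    """Return the token's claims if the signature is valid and it has not expired, else None."""
    now = time.time() if now is None else now
    try:
        raw = urlsafe_b64decode(token + "=" * (-len(token) % 4))
    except Exception:
        return None
    if len(raw) <= SIG_LEN:
        return None
    payload, sig = raw[:-SIG_LEN], raw[-SIG_LEN:]
    if not hmac.compare_digest(sig, _sign(payload)):   # constant-time compare
        return None
    try:
        claims = json.loads(payload)
    except ValueError:
        return None
    if not isinstance(claims, dict) or claims.get("exp", 0) < now:
        return None
    return claims


class ConsentStore:
    """In-memory stand-in for the database behind a real platform."""

    def __init__(self):
        self.pending = {}       # email -> sign-up record awaiting confirmation
        self.subscribers = {}   # email -> consent record (the Article 7(1) evidence)
        self.used_nonces = set()

    def start_signup(self, email, list_id, source_form, now=None):
        """Step 1: the form was submitted; record it and return the link to email."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        self.pending[email] = {"email": email, "list": list_id,
                               "source_form": source_form, "signup_ts": int(now)}
        return confirmation_link(make_confirmation_token(email, list_id, now))

    def confirm(self, token, now=None):
        """Step 2: the link was clicked; move the record to the subscriber list."""
        now = time.time() if now is None else now
        claims = verify_confirmation_token(token, now)
        if claims is None or claims["nonce"] in self.used_nonces:
            return False
        record = self.pending.get(claims["email"])
        if record is None or record["list"] != claims["list"]:
            return False
        self.used_nonces.add(claims["nonce"])            # each link confirms once
        del self.pending[claims["email"]]
        self.subscribers[claims["email"]] = {**record, "confirmed_ts": int(now)}
        return True

    def unsubscribe(self, email):
        """Honour an opt-out immediately; returns True if the address was subscribed."""
        return self.subscribers.pop(email.strip().lower(), None) is not None


if __name__ == "__main__":
    store = ConsentStore()
    link = store.start_signup("Alice@Example.com", "newsletter", "footer-form")  # constructed
    print("send this link:", link)
    print("confirmed:", store.confirm(link.split("token=", 1)[1]))
    print("consent record:", store.subscribers["alice@example.com"])
```

The signature is what makes the click meaningful as evidence: a token confirms only the address it was issued for, stops working after the TTL, and can be used once, so the `confirmed_ts` in the record really corresponds to the holder of that mailbox acting. Pending sign-ups that are never confirmed should be purged after the TTL rather than kept.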

What the GDPR Requires for Email Marketing

The General Data Protection Regulation (GDPR) is a data privacy law that protects the personal data of people in the European Economic Area (EEA), which includes the EU member states plus Iceland, Liechtenstein, and Norway. The UK retained the regulation in its own law as the UK GDPR, so if you target UK customers, you'll also need to comply with it.

Your business's geographical location is irrelevant. If you offer goods or services to people in the EEA or the UK, or monitor their behaviour, the GDPR applies to your processing of their data (Article 3), and that includes the email addresses you collect for marketing.

The GDPR is not out to stop your business from using email marketing. In fact, it can strengthen your relationship with your customers by building trust. The GDPR governs how you collect, use, and store any personal data, including email addresses, from your European customers.

Let's look at five key aspects of the GDPR that affect email marketing.

Process data lawfully

First, you must ensure that you have a legal basis for collecting the customer's email address and any other personal data you plan to use for email marketing.

As seen in the excerpt from Article 6 of the GDPR below, there are six lawful bases for processing personal data. For email marketers, the first two are the relevant ones:

Article 6 of the GDPR with first 2 points highlighted

In practice this means one of two things: either the customer (data subject) has given consent to receive marketing (Article 6(1)(a)), or the processing is necessary to perform a contract they have with you (Article 6(1)(b)). A marketing newsletter is rarely necessary to fulfil a contract, so consent is the basis you will normally rely on, and it is the basis that double opt-in documents.

As shown below, Article 5 of the GDPR also requires fair and transparent processing: tell the customer exactly why you are collecting their data and how you will use it at the point where you collect their consent.

You must also ensure that your Privacy Policy complies with the GDPR and that your customers know how to access it before they consent to email marketing:

GDPR Article 5 excerpt 1

To obtain that consent you can use either single or double opt-in; the pros and cons of both are covered above.

Minimize the data you collect

Data minimization means collecting only the data needed to deliver the service the customer has requested. In email marketing, that may be just the email address, or the address plus a name if you personalize messages; do not collect phone numbers, birthdays or other fields "just in case". Article 5, clause (c) of the GDPR, shown below, requires that data be "adequate, relevant and limited to what is necessary".

GDPR Article 5 section C

Keep data accurate and up-to-date

Any business that maintains an email list with EU-based customers needs to create an easy way for them to update inaccurate data. Individuals can also ask for their data to be removed at any time, which brings us to opting out.

The GDPR's accuracy principle (Article 5, clause (d), shown below) requires businesses to update or erase inaccurate or out-of-date information. Under Article 17, all data subjects have the "right to erasure": they can ask a business to delete the personal data it holds about them.

Each business must have robust controls in place so that when a user updates their data or opts out of your mailing list, the change is made without undue delay and, for a formal request, within one month (Article 12(3)). An objection to direct marketing must be honoured as soon as you receive it (Article 21), so the address must not be mailed again while the record is being cleaned up:

GDPR Article 5 section d

Set storage limits

No business should store personal data on its email list longer than needed, as seen in Article 5, clause (e) below. State how long you will retain a customer's data in your Privacy Policy, and delete sign-ups that never complete the double opt-in after a short period rather than keeping unconfirmed addresses indefinitely:

GDPR Article 5 section e

Keep customer data secure

One of the guiding principles of the GDPR is "data protection by design and by default" (Article 25), and Article 32 names encryption and pseudonymization as examples of appropriate technical measures. In email marketing, they could take these forms:

  • Encryption: Protect the data in transit (TLS between the sign-up form, your servers and the email platform) and at rest, using a vetted authenticated cipher such as AES-256-GCM rather than a home-grown scheme.
  • Pseudonymization: Store a pseudonym instead of the raw address in campaign and analytics data, and keep the mapping back to real addresses in a separate, access-controlled store that is consulted only when needed. A plain hash of an email address is not a good pseudonym, because addresses are easy to guess and the hash can simply be recomputed for each guess; use a keyed hash (HMAC) with a secret key that is stored apart from the data.
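The keyed-hash pseudonymization described in the second bullet, as an added example that is not code from the original article. It also shows why an unkeyed hash fails, by re-identifying a plain SHA-256 pseudonym from a short list of guessed addresses, and keeps the pseudonym-to-address mapping in a separate store so that re-identification and erasure are deliberate steps. The key value and the sample addresses are constructed for the demonstration.

```python
import hashlib
import hmac

# Assumption (not from the article): a secret kept in a KMS or secrets manager,
# never in the same store as the pseudonymized records. Value is constructed.
PSEUDONYM_KEY = b"constructed-demo-key-keep-in-a-kms"


def normalize(email):
    """Canonicalize so 'Alice@Example.com ' and 'alice@example.com' map to one pseudonym."""
    return email.strip().lower()


def naive_pseudonym(email):
    """Plain SHA-256. Deterministic and unkeyed: anyone holding a list of candidate
    addresses can recompute it and re-identify the record."""
    return hashlib.sha256(normalize(email).encode()).hexdigest()


def keyed_pseudonym(email, key=PSEUDONYM_KEY):
    """HMAC-SHA256 under a secret key. Without the key, a pseudonym cannot be
    linked back to an address, even by guessing every plausible address."""
    return hmac.new(key, normalize(email).encode(), hashlib.sha256).hexdigest()


def reidentify(pseudonym, candidates, fn):
    """Dictionary attack: recompute fn over guessed addresses; return the match or None."""
    for candidate in candidates:
        if hmac.compare_digest(fn(candidate), pseudonym):
            return normalize(candidate)
    return None


class PseudonymousList:
    """Campaign data keyed by pseudonym only; the pseudonym->address mapping lives with
    the key holder and is consulted only when a real address is needed (e.g. to send)."""

    def __init__(self, key=PSEUDONYM_KEY):
        self._key = key
        self.records = {}   # pseudonym -> engagement data, no direct identifiers
        self._lookup = {}   # pseudonym -> address; separate, access-controlled store

    def add(self, email, data):
        p = keyed_pseudonym(email, self._key)
        self.records[p] = data
        self._lookup[p] = normalize(email)
        return p

    def resolve(self, pseudonym):
        """Deliberate re-identification step; log and access-control it in practice."""
        return self._lookup.get(pseudonym)

    def erase(self, email):
        """Right to erasure: removing both halves leaves nothing linkable to the person."""
        p = keyed_pseudonym(email, self._key)
        self.records.pop(p, None)
        return self._lookup.pop(p, None) is not None


if __name__ == "__main__":
    guesses = ["bob@example.com", "Alice@Example.com", "carol@example.com"]  # constructed
    leaked = naive_pseudonym("alice@example.com")
    print("plain hash re-identified as:", reidentify(leaked, guesses, naive_pseudonym))
    print("keyed hash re-identified as:", reidentify(keyed_pseudonym("alice@example.com"),
                                                     guesses, naive_pseudonym))
```

The `records` dictionary is what an analytics tool or a less-trusted team would see; on its own it identifies nobody as long as the key stays out of their reach. Rotating the key re-pseudonymizes the whole list, so the key holder must be able to recompute the mapping if that happens.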

Organizational measures include strict access policies that limit personal data to authorized personnel. If a third-party email marketing platform processes the data for you, you remain the controller: Article 28 requires a data processing agreement with that processor, and it is your responsibility to verify that the platform complies with the GDPR.

These data security measures can ensure that your business complies with Article 5, clause (f), shown below:

GDPR Article 5 section f

Penalties for non-compliance with the GDPR

If a business does not comply with the GDPR, it could face hefty fines. Penalties are imposed by each country's Data Protection Authority (DPA) and must be "effective, proportionate, and dissuasive."

As the excerpt from the European Commission below explains, a likely infringement may result only in a warning, but a proven infringement can be fined up to €20 million or 4% of your worldwide annual turnover, whichever is higher. Note that this is turnover, not profit. Each DPA decides the actual penalty case by case, applying the principles above.

Additionally, you could be banned from processing EEA personal data:

European Commission: Info on penalties for violating the GDPR

This review of the GDPR's requirements for email marketing shows how rigorous the law is and how seriously every business must take its obligations. It is also why double opt-in, which produces exactly the evidence of consent those obligations demand, is increasingly seen as the gold standard for email marketing to European customers.

Summary

The GDPR does not require double opt-in for email marketing. However, German law and court practice effectively do, and other European countries recommend it. So, if you target European customers, take steps to implement double opt-in for email marketing consent.

While not specifically requiring double opt-in, the GDPR does require businesses targeting European customers to maintain high standards when collecting and processing personal data. Ensure your business follows the GDPR's standards on lawful data processing, transparency, data minimization, accuracy, secure storage, and customer control over personal data.

Implementing double opt-in could help your business improve the quality of its mailing lists, reduce spam complaints, and future-proof itself against ever-evolving data protection laws.
