Opt-in and Opt-out - How does Double-Opt-In work according to GDPR?
Key Findings
The article emphasizes the critical role of data protection in email marketing. It introduces “Permission Marketing”, where companies send promotional content only to those who have explicitly consented. The “Double Opt-In” method is highlighted as a GDPR-compliant way to obtain such consent: an initial opt-in followed by a confirmation email. The article also covers the legal requirements of Article 7 GDPR, stressing that consent must be clear, voluntary, and revocable. The “Opt-Out” option must be easily accessible so that recipients can withdraw consent. Non-compliance risks legal repercussions and reputational damage.
In today's world, living without the internet is almost unimaginable for many people. News is consumed, emails are sent, and purchases are made online. In many cases, providing contact information is unavoidable, and it is even necessary in the realm of online shopping. However, often the data collected is not only used for providing a service but also utilized and processed to establish a certain level of customer loyalty. This can result in annoying spam emails, where additional information is sent at defined intervals, often unwanted. Email marketing is widely employed by many companies as it represents a cost-effective method to remain in a customer's memory and enhance their own reach and visibility. Companies must strike a balance between irritating advertising and helpful information to avoid alienating potential customers.
Fundamentally, it is crucial for both the sender and the recipient to properly assess the data protection relevance of this marketing method and when information can be sent. Particularly for email marketing recipients, understanding how consent is given and how it can be revoked is important. Companies need to recognize that email marketing is only possible when data protection is ensured and certain prerequisites are met. Failure to comply can lead to legal consequences, resulting in reputational damage and financial losses. It is strongly recommended for companies to thoroughly educate themselves in this area and, if necessary, consult the data protection experts at heydata to ensure a legally compliant email delivery.
Permission Marketing - What lies behind it?
Permission marketing is a method widely employed in many marketing departments. This approach involves sending information and advertisements and requires the recipient's consent. Companies utilize permission marketing to obtain relevant contact information. Often, attractive campaigns are launched, offering recipients discounts, product samples, or even prizes. The objective is to make customers feel valued and encourage them to provide their personal contact information. The companies' intention is to establish long-term customer loyalty and inform customers about services, products, and promotions, ideally resulting in a contract being concluded. Particularly in the B2B sector, the obtained contact information is passed on to the sales department, which will utilize the information for contacting potential leads. Permission marketing serves as a revenue driver that few companies can afford to overlook, making it crucial to strictly adhere to all legal requirements to ensure successful operations.
When permission marketing is implemented in email marketing, the sending of emails is accompanied by explicit consent, often ensured through the Double-Opt-In procedure. This procedure is used by companies to ensure compliance with all legal requirements, including unfair competition regulations (UWG) and data protection laws.
Opt-In - What does it mean?
Internet users will rarely see the word "opt-in" on a consent form; the term is equivalent to the "consent" or "agreement" fields that companies commonly use. Consent can be given for a single specific case, but it is also possible to consent to several cases at once. What matters is that opt-in is an enrollment process for the user that requires an active act of consent. In email marketing, companies often use the double opt-in procedure for this.
From a data protection perspective, the request for the collection and processing of personal data falls under the scope of Article 7 of the GDPR. This article defines how consent can be lawfully obtained:
- Consent must be demonstrably given.
- Consent must be requested in a clear and easily accessible form.
- The language of the consent must be clear and straightforward.
- Consent must be explicitly for a specific purpose.
- Consent must be voluntary.
- The right to revoke consent must be explained.
- Revoking consent should be as easy as giving consent.
For data controllers in a company, this means, for example, that online forms should not have pre-selected checkboxes for individual points. It is essential to ensure transparent compliance with data protection regulations, as defined in Articles 12ff. of the GDPR. Therefore, when obtaining consent, a separate checkbox must always be provided. This is particularly important for companies using email software to send out email communications. In practice, many companies only obtain consent for the email dispatch itself. However, if a company also conducts evaluation and performance measurement of their email campaigns, it is necessary to specify a separate purpose in such cases.
The Definition of Double Opt-In
When dealing with the opt-in process, a responsible party quickly realizes that this method has a general problem. Proof of consent is a fundamental requirement, and it is hard to satisfy with a simple opt-in: anyone can enter an email address and personal data that belong to someone not involved in the process at all. The identity of the data subject is therefore not adequately verified.
Companies must address this issue, and therefore, the double opt-in procedure is often employed, promising greater legal certainty. This procedure is familiar to individuals, as it involves sending a confirmation link to the recipient, who must confirm receipt. With this process, the sender can clearly identify and legitimize the owner of the provided email address. Exploring the requirements for implementing the double opt-in, it becomes evident that they are also defined in Article 7 of the GDPR and thus equivalent to the requirements of simple consent. A company must ensure that the provided personal data is only added to a potential email distribution list after the explicit confirmation of the double opt-in.
The procedure not only gives companies data protection certainty but also meets the requirements for avoiding unfair competition. The German Act Against Unfair Competition (UWG) treats the sending of a newsletter as a potential unreasonable burden. Section 7(2), No. 3 of the UWG states that an unreasonable burden is always to be assumed for promotional emails sent without the recipient's explicit permission. Advertising is defined as a sales-promoting measure, encompassing all business actions aimed at selling goods or offering services.
Advantages and Disadvantages of Double Opt-In:
The common procedure of double opt-in (DOI) offers advantages for companies as it provides a legally secure method for confirming the receipt of mailings directly from recipients. Companies only need to ensure that the confirmation email is designed in compliance with legal requirements.
However, DOI has a disadvantage for email recipients as the confirmation link often ends up in the spam folder, causing the desired information to be easily forgotten. For companies, implementing double opt-in presents a challenge as it requires some administrative effort to be planned.
Opt-Out - What Does It Mean?
The term "opt-out" refers to the act of revoking consent. It allows individuals to prohibit, for example, data processing and object to receiving promotional emails. By opting out, newsletter or advertising senders are no longer permitted to continue sending emails to the former recipient. If consent needs to be revoked, the person listed as the recipient must withdraw their consent. It is important to note that opt-out revocations can be made without providing a reason, distinguishing them from revocations that require justification. In practice, recipients will find a link in newsletters or advertisements, typically located in the footer, which allows for digital revocation. The option to opt out must be placed in a way that makes it easy for recipients to initiate the objection.
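The following is an added example, in Python, of the double opt-in steps described under "The Definition of Double Opt-In" and of the footer opt-out link just described; it is not code from heydata or from any mailing product. The signing key, the 48-hour validity of the confirmation link and the in-memory store are assumptions, not taken from the article.

```python
# Added example of the double opt-in and opt-out flow; not code from heydata or any
# mailing product. Assumed: a signing key, an in-memory store, a 48 h link validity.
import hashlib
import hmac
import secrets
import time

SIGNING_KEY = secrets.token_bytes(32)  # assumption: from a secrets manager in production
CONFIRM_TTL = 48 * 3600                # assumption: seconds a confirmation link stays valid


class ConsentStore:
    def __init__(self):
        self.pending = {}   # confirmation token -> request (not consent yet)
        self.consents = {}  # email -> consent record, created only after confirmation

    def request_opt_in(self, email, purposes, now=None):
        """Step 1: the form is submitted. The address is NOT added to any list here."""
        token = secrets.token_urlsafe(32)  # unguessable, single-use link token
        self.pending[token] = {"email": email, "purposes": tuple(purposes),
                               "requested_at": now or time.time()}
        return token  # goes into the confirmation email

    def confirm(self, token, now=None):
        """Step 2: the link is clicked. Only now is consent recorded (Art. 7(1) GDPR)."""
        now = now or time.time()
        req = self.pending.pop(token, None)
        if req is None or now - req["requested_at"] > CONFIRM_TTL:
            return False  # unknown, reused or expired link: no consent
        # Proof of consent: address, purposes, request and confirmation times.
        self.consents[req["email"]] = {
            "purposes": req["purposes"], "requested_at": req["requested_at"],
            "confirmed_at": now, "revoked_at": None,
            "token_sha256": hashlib.sha256(token.encode()).hexdigest()}
        return True

    def opt_out_token(self, email):
        """MAC for the footer unsubscribe link, so nobody can revoke on someone else's behalf."""
        return hmac.new(SIGNING_KEY, b"opt-out:" + email.encode(), hashlib.sha256).hexdigest()

    def opt_out(self, email, token, now=None):
        """One click, no reason required. The revocation is kept as a record, not deleted."""
        rec = self.consents.get(email)
        if rec is None or not hmac.compare_digest(token, self.opt_out_token(email)):
            return False
        rec["revoked_at"] = now or time.time()
        return True

    def may_send(self, email, purpose):
        """Send only under a confirmed, unrevoked consent covering this specific purpose."""
        rec = self.consents.get(email)
        return rec is not None and rec["revoked_at"] is None and purpose in rec["purposes"]
```

Keeping the purpose list per consent is what lets a sender separate "newsletter" from "campaign evaluation", as the Opt-In section requires.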
Conclusion
In conclusion, permission marketing is an important aspect of marketing for many companies. However, it is crucial to ensure data protection compliance and strict adherence to legal requirements. The double opt-in procedure is a common method used to actively inform recipients about the receipt of emails and obtain their consent. Companies need to be aware of the legal requirements in email marketing and adhere to them to avoid financial and reputational consequences. Ensuring a legally compliant email delivery can only be achieved by following all relevant regulations and laws.