Compliance in PracticeCompliance Strategies & RegulationsData Protection

Opt-in and Opt-out - How does Double-Opt-In work according to GDPR?

Opt-in and opt-out – How does the double opt-in work according to the GDPR?

Key Findings

The article emphasizes the critical role of data protection in email marketing. It introduces “Permission Marketing”, where companies send promotional content only to those who have explicitly consented. The “Double Opt-In” method is highlighted as a GDPR-compliant way to obtain such consent. It involves an initial opt-in followed by a confirmation email. The article also covers legal requirements under GDPR's Article 7, stressing that consent must be clear, voluntary, and revocable. “Opt-Out” option must be easily accessible to allow recipients to withdraw consent. Non-compliance risks legal repercussions and reputational damage.

In today's world, living without the internet is almost unimaginable for many people. News is consumed, emails are sent, and purchases are made online. In many cases, providing contact information is unavoidable, and it is even necessary in the realm of online shopping. However, often the data collected is not only used for providing a service but also utilized and processed to establish a certain level of customer loyalty. This can result in annoying spam emails, where additional information is sent at defined intervals, often unwanted. Email marketing is widely employed by many companies as it represents a cost-effective method to remain in a customer's memory and enhance their own reach and visibility. Companies must strike a balance between irritating advertising and helpful information to avoid alienating potential customers.

Fundamentally, it is crucial for both the sender and the recipient to properly assess the data protection relevance of this marketing method and when information can be sent. Particularly for email marketing recipients, understanding how consent is given and how it can be revoked is important. Companies need to recognize that email marketing is only possible when data protection is ensured and certain prerequisites are met. Failure to comply can lead to legal consequences, resulting in reputational damage and financial losses. It is strongly recommended for companies to thoroughly educate themselves in this area and, if necessary, consult the data protection experts at heydata to ensure a legally compliant email delivery.

Permission Marketing - What lies behind it?

Permission marketing is a method widely employed in many marketing departments. This approach involves sending information and advertisements and requires the recipient's consent. Companies utilize permission marketing to obtain relevant contact information. Often, attractive campaigns are launched, offering recipients discounts, product samples, or even prizes. The objective is to make customers feel valued and encourage them to provide their personal contact information. The companies' intention is to establish long-term customer loyalty and inform customers about services, products, and promotions, ideally resulting in a contract being concluded. Particularly in the B2B sector, the obtained contact information is passed on to the sales department, which will utilize the information for contacting potential leads. Permission marketing serves as a revenue driver that few companies can afford to overlook, making it crucial to strictly adhere to all legal requirements to ensure successful operations.

When permission marketing is implemented in email marketing, the sending of emails is accompanied by explicit consent, often ensured through the Double-Opt-In procedure. This procedure is used by companies to ensure compliance with all legal requirements, including unfair competition regulations (UWG) and data protection laws.

Opt-In - What does it mean?

Internet users usually won't find an opt-in checkbox when providing consent, but the term "opt-in" is equivalent to the commonly used fields of "consent" or "agreement" employed by companies. Consent can be given for a specific case, but it is also possible to provide consent for multiple cases. It is important that opt-in represents an enrollment process for the user, requiring active consent. In the realm of email marketing, companies often utilize the double opt-in procedure.

From a data protection perspective, the request for the collection and processing of personal data falls under the scope of Article 7 of the GDPR. This article defines how consent can be lawfully obtained:

  • Consent must be demonstrably given.
  • Consent must be requested in a clear and easily accessible form.
  • The language of the consent must be clear and straightforward.
  • Consent must be explicitly for a specific purpose.
  • Consent must be voluntary.
  • The right to revoke consent must be explained.
  • Revoking consent should be as easy as giving consent.

For data controllers in a company, this means, for example, that online forms should not have pre-selected checkboxes for individual points. It is essential to ensure transparent compliance with data protection regulations, as defined in Articles 12ff. of the GDPR. Therefore, when obtaining consent, a separate checkbox must always be provided. This is particularly important for companies using email software to send out email communications. In practice, many companies only obtain consent for the email dispatch itself. However, if a company also conducts evaluation and performance measurement of their email campaigns, it is necessary to specify a separate purpose in such cases.

The Definition of Double Opt-In

When dealing with the opt-in process, a responsible party quickly realizes that this method presents a general problem. The requirement for proof of consent is fundamental, and this requirement is challenging to fulfill through a simple opt-in process. In practice, this would mean that consent and personal data could be provided by someone not involved in the process. As a result, legitimizing the data subject is inadequately represented.

Companies must address this issue, and therefore, the double opt-in procedure is often employed, promising greater legal certainty. This procedure is familiar to individuals, as it involves sending a confirmation link to the recipient, who must confirm receipt. With this process, the sender can clearly identify and legitimize the owner of the provided email address. Exploring the requirements for implementing the double opt-in, it becomes evident that they are also defined in Article 7 of the GDPR and thus equivalent to the requirements of simple consent. A company must ensure that the provided personal data is only added to a potential email distribution list after the explicit confirmation of the double opt-in.

The procedure not only provides companies with data protection security but also fulfills the requirements for avoiding unfair competition. The German Act Against Unfair Competition (UWG) defines that sending a newsletter can be an unreasonable burden. Section 7(2), No. 3 of the UWG states that an unreasonable burden is always assumed, and promotional emails are deemed unreasonable if there is no explicit permission. Advertising is defined as a sales-promoting measure, encompassing all business actions aimed at selling goods or offering services.

Advantages and Disadvantages of Double Opt-In:

The common procedure of double opt-in (DOI) offers advantages for companies as it provides a legally secure method for confirming the receipt of mailings directly from recipients. Companies only need to ensure that the confirmation email is designed in compliance with legal requirements.

However, DOI has a disadvantage for email recipients as the confirmation link often ends up in the spam folder, causing the desired information to be easily forgotten. For companies, implementing double opt-in presents a challenge as it requires some administrative effort to be planned.

Opt-Out - What Does It Mean?

The term "opt-out" refers to the act of revoking consent. It allows individuals to prohibit, for example, data processing and object to receiving promotional emails. By opting out, newsletter or advertising senders are no longer permitted to continue sending emails to the former recipient. If consent needs to be revoked, the person listed as the recipient must withdraw their consent. It is important to note that opt-out revocations can be made without providing a reason, distinguishing them from revocations that require justification. In practice, recipients will find a link in newsletters or advertisements, typically located in the footer, which allows for digital revocation. The option to opt out must be placed in a way that makes it easy for recipients to initiate the objection.

Conclusion

In conclusion, permission marketing is an important aspect of marketing for many companies. However, it is crucial to ensure data protection compliance and strict adherence to legal requirements. The double opt-in procedure is a common method used to actively inform recipients about the receipt of emails and obtain their consent. Companies need to be aware of the legal requirements in email marketing and adhere to them to avoid financial and reputational consequences. Ensuring a legally compliant email delivery can only be achieved by following all relevant regulations and laws.

More articles

People & Culture and Data Protection

People & Culture Meets Data Protection: Tips for GDPR Compliance

At heyData, we protect the personal data of applicants and employees through central data management, role-based access, and automated processes. We use tools like Personio and 1Password to ensure GDPR compliance. Our policies include regular data reviews, automated deletion periods, and strict access controls. Data protection is an ongoing process, supported by continuous training and best practices to ensure the highest security standards.

Learn more
Is your Data Safe with Google Gemini

Is Your Data Safe with Google Gemini? What you need to know.

Discover the potential privacy risks lurking behind Google's Gemini. Learn how to navigate the digital landscape safely and protect your sensitive information from potential threats.

Learn more
amazon-alexa

Amazon Alexa and Data Protection

Nowadays, many households have voice assistants that are designed to make life a little easier and more convenient. There is a wide range on offer and many market players offer intelligent voice recognition systems in various designs and performance classes. The data protection factor in particular is often discussed with the virtual assistant "Alexa" and will be examined in more detail in this article.

Learn more

Get to know our team today, with no obligations!

Contact us