Opt-in and Opt-out - How does Double-Opt-In work according to GDPR?

Opt-in and opt-out – How does the double opt-in work according to the GDPR?

Key Findings

The article emphasizes the critical role of data protection in email marketing. It introduces “Permission Marketing”, where companies send promotional content only to those who have explicitly consented. The “Double Opt-In” method is highlighted as a GDPR-compliant way to obtain such consent. It involves an initial opt-in followed by a confirmation email. The article also covers legal requirements under GDPR's Article 7, stressing that consent must be clear, voluntary, and revocable. “Opt-Out” option must be easily accessible to allow recipients to withdraw consent. Non-compliance risks legal repercussions and reputational damage.

In today's world, living without the internet is almost unimaginable for many people. News is consumed, emails are sent, and purchases are made online. In many cases, providing contact information is unavoidable, and it is even necessary in the realm of online shopping. However, often the data collected is not only used for providing a service but also utilized and processed to establish a certain level of customer loyalty. This can result in annoying spam emails, where additional information is sent at defined intervals, often unwanted. Email marketing is widely employed by many companies as it represents a cost-effective method to remain in a customer's memory and enhance their own reach and visibility. Companies must strike a balance between irritating advertising and helpful information to avoid alienating potential customers.

Fundamentally, it is crucial for both the sender and the recipient to properly assess the data protection relevance of this marketing method and when information can be sent. Particularly for email marketing recipients, understanding how consent is given and how it can be revoked is important. Companies need to recognize that email marketing is only possible when data protection is ensured and certain prerequisites are met. Failure to comply can lead to legal consequences, resulting in reputational damage and financial losses. It is strongly recommended for companies to thoroughly educate themselves in this area and, if necessary, consult the data protection experts at heydata to ensure a legally compliant email delivery.

Permission Marketing - What lies behind it?

Permission marketing is a method widely employed in many marketing departments. This approach involves sending information and advertisements and requires the recipient's consent. Companies utilize permission marketing to obtain relevant contact information. Often, attractive campaigns are launched, offering recipients discounts, product samples, or even prizes. The objective is to make customers feel valued and encourage them to provide their personal contact information. The companies' intention is to establish long-term customer loyalty and inform customers about services, products, and promotions, ideally resulting in a contract being concluded. Particularly in the B2B sector, the obtained contact information is passed on to the sales department, which will utilize the information for contacting potential leads. Permission marketing serves as a revenue driver that few companies can afford to overlook, making it crucial to strictly adhere to all legal requirements to ensure successful operations.

When permission marketing is implemented in email marketing, the sending of emails is accompanied by explicit consent, often ensured through the Double-Opt-In procedure. This procedure is used by companies to ensure compliance with all legal requirements, including unfair competition regulations (UWG) and data protection laws.

Opt-In - What does it mean?

Internet users usually won't find an opt-in checkbox when providing consent, but the term "opt-in" is equivalent to the commonly used fields of "consent" or "agreement" employed by companies. Consent can be given for a specific case, but it is also possible to provide consent for multiple cases. It is important that opt-in represents an enrollment process for the user, requiring active consent. In the realm of email marketing, companies often utilize the double opt-in procedure.

From a data protection perspective, the request for the collection and processing of personal data falls under the scope of Article 7 of the GDPR. This article defines how consent can be lawfully obtained:

  • Consent must be demonstrably given.
  • Consent must be requested in a clear and easily accessible form.
  • The language of the consent must be clear and straightforward.
  • Consent must be explicitly for a specific purpose.
  • Consent must be voluntary.
  • The right to revoke consent must be explained.
  • Revoking consent should be as easy as giving consent.

For data controllers in a company, this means, for example, that online forms should not have pre-selected checkboxes for individual points. It is essential to ensure transparent compliance with data protection regulations, as defined in Articles 12ff. of the GDPR. Therefore, when obtaining consent, a separate checkbox must always be provided. This is particularly important for companies using email software to send out email communications. In practice, many companies only obtain consent for the email dispatch itself. However, if a company also conducts evaluation and performance measurement of their email campaigns, it is necessary to specify a separate purpose in such cases.

The Definition of Double Opt-In

When dealing with the opt-in process, a responsible party quickly realizes that this method presents a general problem. The requirement for proof of consent is fundamental, and this requirement is challenging to fulfill through a simple opt-in process. In practice, this would mean that consent and personal data could be provided by someone not involved in the process. As a result, legitimizing the data subject is inadequately represented.

Companies must address this issue, and therefore, the double opt-in procedure is often employed, promising greater legal certainty. This procedure is familiar to individuals, as it involves sending a confirmation link to the recipient, who must confirm receipt. With this process, the sender can clearly identify and legitimize the owner of the provided email address. Exploring the requirements for implementing the double opt-in, it becomes evident that they are also defined in Article 7 of the GDPR and thus equivalent to the requirements of simple consent. A company must ensure that the provided personal data is only added to a potential email distribution list after the explicit confirmation of the double opt-in.

The procedure not only provides companies with data protection security but also fulfills the requirements for avoiding unfair competition. The German Act Against Unfair Competition (UWG) defines that sending a newsletter can be an unreasonable burden. Section 7(2), No. 3 of the UWG states that an unreasonable burden is always assumed, and promotional emails are deemed unreasonable if there is no explicit permission. Advertising is defined as a sales-promoting measure, encompassing all business actions aimed at selling goods or offering services.

Advantages and Disadvantages of Double Opt-In:

The common procedure of double opt-in (DOI) offers advantages for companies as it provides a legally secure method for confirming the receipt of mailings directly from recipients. Companies only need to ensure that the confirmation email is designed in compliance with legal requirements.

However, DOI has a disadvantage for email recipients as the confirmation link often ends up in the spam folder, causing the desired information to be easily forgotten. For companies, implementing double opt-in presents a challenge as it requires some administrative effort to be planned.

Opt-Out - What Does It Mean?

The term "opt-out" refers to the act of revoking consent. It allows individuals to prohibit, for example, data processing and object to receiving promotional emails. By opting out, newsletter or advertising senders are no longer permitted to continue sending emails to the former recipient. If consent needs to be revoked, the person listed as the recipient must withdraw their consent. It is important to note that opt-out revocations can be made without providing a reason, distinguishing them from revocations that require justification. In practice, recipients will find a link in newsletters or advertisements, typically located in the footer, which allows for digital revocation. The option to opt out must be placed in a way that makes it easy for recipients to initiate the objection.


In conclusion, permission marketing is an important aspect of marketing for many companies. However, it is crucial to ensure data protection compliance and strict adherence to legal requirements. The double opt-in procedure is a common method used to actively inform recipients about the receipt of emails and obtain their consent. Companies need to be aware of the legal requirements in email marketing and adhere to them to avoid financial and reputational consequences. Ensuring a legally compliant email delivery can only be achieved by following all relevant regulations and laws.

About the Author

More articles

5 Data Protection Tips for Easter

Get your business ready for Data Privacy 2023: Tips for the Easter season.

Data privacy remains a crucial factor in the business world. Particularly in Germany, data privacy regulations are very strict, and companies should prepare for further tightening of these regulations in 2023. By complying with data privacy requirements, companies demonstrate their responsible handling of personal data and gain the trust of their customers. In this blog post, we would like to provide you with a few tips on how to prepare your business for the data privacy regulations in Germany in 2023.

Learn more
Data Integrity: Essential IT Protection Goals

IT protection goals – data integrity

The IT protection goals of confidentiality, integrity, and availability are critical to protecting information and data from unauthorized access. Confidentiality requires access restrictions and encryption. Integrity means that authorized persons can only change data and that changes are traceable. Availability ensures access to data for authorized persons. Companies often extend these goals to include authenticity, bindingness, and accountability. The protection goals can be implemented with the help of information security management systems (ISMS) in accordance with ISO 27001. Regularly reviewing and evaluating the protection goals is important to minimize risks and prevent damage.

Learn more
Unlocking Data Privacy in E-Commerce: Overcoming Challenges and Adopting Best Practices

Data Privacy in E-Commerce: Challenges and Best Practices

Obtaining effective consent from individuals is a central principle of data privacy. However, in e-commerce, it is often challenging to obtain valid consent as customers are reluctant to read extensive privacy policies or engage in complex consent processes. Lack of consent or unclear consent can lead to misunderstandings and loss of trust among customers, potentially resulting in long-term damage to a company's reputation. Furthermore, insufficient consent may have legal consequences, such as fines or compensation claims.

Learn more

Get to know our team today, with no obligations!

Contact us