Double opt-in in email marketing for companies

GDPR and DOUBLE OPT-IN for Email Marketing campaigns: IS IT REQUIRED?

The need for double opt-in for email marketing campaigns in companies to comply with the GDPR is a recurring question from a lot of clients; many of them spend days finding a tool for their campaigns that allows double opt-in.

Is double opt-in for companies’ email marketing necessary?

The answer is plain and simple: no.

With the approval of the GDPR (in May 2018), it became mandatory that the consent to process personal data (also for email marketing campaigns) should be explicit.

In other words, a positive action or explicit confirmation from the recipient of the commercial email was needed to carry out the campaigns.

However, the GDPR does not say anywhere that this opt-in (or explicit consent) must be given twice. A double opt-in system usually involves two acceptances:

  1. First opt-in: in the email registration process (with a check box).
  2. Second opt-in: by accepting the subsequent confirmation email.

Although this system can be useful, let’s be clear about this: you will never receive a sanction if your registration system in your Newsletter or email marketing campaigns does not include a double verification or double opt-in system.

Double opt-in: So what does the GDPR require?

Before answering this question, it is necessary to indicate that the GDPR is “technologically neutral”, that is, it never suggests, much less imposes, a specific technology. The GDPR tells you “make sure you do this” but does not tell you “how to do it”, as long as you get the first done.

Having clarified this, what the GDPR does require in relation to consents is:

  1. It must be explicit (we have already seen this).
  2. Whoever collects the data (the company) must have proof of this consent. In the words of the GDPR: “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.

How do I have proof of consent (with and without the double opt-in)?

The obligation to have sufficient proof to demonstrate consent in your email marketing campaigns can be achieved in different ways:

  • First of all, make sure that in the process of collecting emails the user must expressly accept your Privacy Policy before sending their data. This rules out pre-checked boxes and, of course, any registration process in which access to the Privacy Policy is not provided.
  • Although few websites apply it, the GDPR requires that the basic information of the Privacy Policy be included in the same visual area as the data collection box, which is known as the first information layer. The Spanish Data Protection Authority addressed this matter in its Guide to the Duty to Report, where you can find concrete examples of how to fulfil this obligation.
  • Along with the above, if the case requires it, you can rely on “third parties” who archive these consents, acting as “digital notaries”. In case of a dispute over whether or not consent was given, these third parties can prove whether this was really the case. I recommend that you assess it case by case, because sometimes it can be a useful tool.
  • Finally, the double opt-in which, although we have already said that it is not mandatory, can be a good way to prove this consent.
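As an added illustration (this is not code from the original post), here is a minimal Python implementation of the two-step flow described above together with the consent record that would serve as proof: the first opt-in refuses pre-checked boxes and forms without the privacy information, the second opt-in verifies a signed, expiring confirmation token, and withdrawal keeps the record rather than deleting it. The token format, field names, 48-hour link validity and the use of a three-year retention window are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timedelta, timezone

# Hypothetical server-side key; in a real deployment it would come from a secrets store.
SECRET_KEY = secrets.token_bytes(32)
TOKEN_TTL = timedelta(hours=48)               # how long a confirmation link stays valid (assumption)
EVIDENCE_RETENTION = timedelta(days=3 * 365)  # keep proof for the three-year window the post mentions


class ConsentError(ValueError):
    """Raised when a step of the consent flow is not valid."""


def _sign(email: str, issued_at: datetime) -> str:
    """HMAC-SHA256 over the address and issue time, so a token cannot be forged or re-targeted."""
    payload = f"{email}|{int(issued_at.timestamp())}"
    sig = hmac.new(SECRET_KEY, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}|{sig}"


def first_opt_in(email: str, consent_checked: bool, box_prechecked: bool,
                 policy_version: str, policy_visible: bool, now: datetime):
    """Step 1: the registration form. Consent must be a positive act by the user, so a
    pre-checked box, an unchecked box, or a form without the privacy information is refused.
    Returns the evidence record and the token to embed in the confirmation email."""
    if box_prechecked:
        raise ConsentError("pre-checked boxes are not valid consent")
    if not consent_checked:
        raise ConsentError("user did not accept the privacy policy")
    if not policy_visible:
        raise ConsentError("privacy information must be shown next to the form")
    record = {
        "email": email,
        "policy_version": policy_version,  # which text the user accepted
        "requested_at": now,               # first opt-in timestamp
        "confirmed_at": None,              # set by the second opt-in
        "withdrawn_at": None,              # set when the user unsubscribes
    }
    return record, _sign(email, now)


def second_opt_in(record: dict, token: str, now: datetime) -> dict:
    """Step 2: the link in the confirmation email is followed. Checks the signature,
    the address and the token age before marking the consent as confirmed."""
    parts = token.split("|")
    if len(parts) != 3:
        raise ConsentError("malformed token")
    email, ts, sig = parts
    try:
        issued_at = datetime.fromtimestamp(int(ts), tz=timezone.utc)
    except (ValueError, OverflowError, OSError):
        raise ConsentError("malformed token")
    expected = _sign(email, issued_at).rsplit("|", 1)[1]
    if not hmac.compare_digest(sig, expected):
        raise ConsentError("bad signature")
    if email != record["email"]:
        raise ConsentError("token does not belong to this record")
    if now - issued_at > TOKEN_TTL:
        raise ConsentError("confirmation link expired")
    record["confirmed_at"] = now
    return record


def confirmation_status(record: dict, token: str, now: datetime) -> str:
    """Convenience wrapper: 'confirmed' or the reason the second opt-in was refused."""
    try:
        second_opt_in(record, token, now)
        return "confirmed"
    except ConsentError as exc:
        return str(exc)


def withdraw(record: dict, now: datetime) -> dict:
    """Consent is revocable; the record is kept (not deleted) as proof until the retention deadline."""
    record["withdrawn_at"] = now
    return record


def may_send(record: dict) -> bool:
    """Only confirmed and not-withdrawn consents may receive the campaign."""
    return record["confirmed_at"] is not None and record["withdrawn_at"] is None


def evidence_deadline(record: dict):
    """Date until which the proof must be archived: withdrawal date plus the retention window."""
    if record["withdrawn_at"] is None:
        return None
    return record["withdrawn_at"] + EVIDENCE_RETENTION
```

The record produced by `first_opt_in` (address, policy version, request and confirmation timestamps) is the evidence the controller keeps; in practice it would be persisted, and the token would be sent out of band in the confirmation email.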

How long do I have to keep the proof of consent?

Consent is by definition revocable, that is, it can be withdrawn. In other words, whoever gave you consent for your campaign can withdraw it whenever they want.

In that case, you must bear in mind that after the unsubscribe request, that person still has time to report possible irregularities in the use of their data (up to three years in the most serious cases); therefore, it is recommended that the proof of consent be archived for that period of time.

Is consent always mandatory for email marketing campaigns?

No. There is an option, still little explored by companies, which is legitimate interest and which I discussed in my last post.

In summary, you can carry out email marketing campaigns without consent as long as the recipient is a current customer and you offer them the same kind of products or services they originally contracted. In that post I explain the details to take into account.

Contact us if you want us to validate that your registration or management system for your email marketing campaigns is aligned with the GDPR.
