GDPR and double opt-in for email marketing campaigns: Is it required?
The need for double opt-in for email marketing campaigns in companies to comply with the GDPR is a recurring question from a lot of clients; many of them spend days finding a tool for their campaigns that allows for double opt-in.
Is double opt-in for company email marketing necessary?
The answer is plain and simple: no.
With the approval of the GDPR (in May 2018), it became mandatory for the consent to process personal data (also for email marketing campaigns) to be explicit.
In other words, a positive action or explicit confirmation from the recipient of the commercial email was needed in order to carry out the campaigns.
However, the GDPR does not mention anywhere that this opt-in (or explicit consent) must be doubled. The double opt-in system normally implies a two-step acceptance:
- First opt-in: in the email registration process (with a check box).
- Second opt-in: by accepting the subsequent confirmation email.
Although this system can be useful, let’s be clear about this: you will never receive a penalty if the registration system for your newsletter or email marketing campaigns does not include a double verification or double opt-in step.
Double opt-in: So what does the GDPR require?
Before answering this question, it must be pointed out that the GDPR is “technologically neutral”, which means it never suggests, much less imposes, a specific technology. The GDPR tells you “make sure you do this” but does not tell you “how to do it”, as long as you get it done.
Having clarified this, what the GDPR does require in relation to consents is:
- It must be explicit (we have already seen this).
- Whoever collects the data (the company) must have proof of this consent. In the words of the GDPR: “Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data”.
How do I have proof of consent (with and without the double opt-in)?
The obligation to have sufficient proof of consent in your email marketing campaigns can be fulfilled in different ways:
- First of all, make sure that in the process of collecting emails, the user must expressly accept your Privacy Policy before sending their data. This rules out pre-checked boxes and, of course, any registration process in which access to the Privacy Policy is not provided.
- Although few websites apply it, the GDPR requires that the basic information of the Privacy Policy be included in the same visual area as the data collection form, which is known as the first information layer. The Spanish Data Protection Authority addressed this matter in its Guide to the Duty to Report, where you can find specific examples of how to fulfil this obligation.
- Along with the above, if the case requires it, you can use “third parties” who file these consents, acting as “digital notaries”. In case of conflict in relation to whether or not consent has been given, these third parties can prove whether this was really the case. I recommend you assess it in each case because sometimes it can be a useful tool.
- Finally, the double opt-in which, although we have already said that it is not mandatory, can be a good way to prove this consent.
For how long do I have to keep the proof of consent?
Consent is by definition revocable, which means it can be withdrawn. In other words, whoever gave you consent for your campaign can withdraw it whenever they want.
In that case, you must bear in mind that after the unsubscribe request, that person still has time to report any irregularities in the use of their data (up to three years in the most serious cases); therefore, proof of consent should be filed for that period of time.
Is consent always mandatory for email marketing campaigns?
No. There is an option, not yet widely explored by companies, which is legitimate interest, which I discussed in my last post.
In short, you can carry out email marketing campaigns without consent as long as the recipient is a current customer and you inform them about the same products or services that they initially contracted. That post discusses the details to be considered.
Contact us if you would like us to check whether your registration or management system for your email marketing campaigns is in line with the GDPR.