Do You Need Double Opt-In for GDPR?

One repeated question that keeps coming up within the small business communities is whether you need to switch all your opt-in forms to double opt-in for GDPR.


Do I need double opt-in?
Do I have to use double opt-in for everyone?
Is single opt-in enough to prove that someone has signed up to my list with consent?
What about the subscribers who didn’t confirm through double opt-in?
Am I going to have to scrap my whole email list?!


Double opt-in is when a new subscriber to your email marketing list receives a second email asking them to confirm their email address by clicking a link.

This “double opt-in process” is designed to make (double) sure that the person who owns the email address actually wants to be on your list.
It is considered to be marketing best practice, but things have got a little confused and hyped up.
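As an added illustration (not code from this post), here is a minimal double opt-in flow in Python: a signup is stored as pending, the confirmation link carries an HMAC-signed, time-limited token, and only a valid click marks consent as confirmed with a timestamp, which is the evidence you would keep. The class and method names, the secret key and the 48-hour validity window are assumptions for the example.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Assumed values for the example; in practice load the key from a secret store.
SECRET_KEY = b"constructed-demo-secret-key"
TOKEN_TTL_SECONDS = 48 * 3600


@dataclass
class ConsentRecord:
    """What you keep as evidence: who asked, when, and when they confirmed."""
    email: str
    requested_at: float
    request_ip: str
    confirmed_at: Optional[float] = None
    status: str = "pending"


class DoubleOptIn:
    def __init__(self, secret: bytes = SECRET_KEY, ttl: int = TOKEN_TTL_SECONDS):
        self.secret = secret
        self.ttl = ttl
        self.records: Dict[str, ConsentRecord] = {}

    def _sign(self, email: str, nonce: str, issued: int) -> str:
        msg = f"{email}|{nonce}|{issued}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, ip: str, now: Optional[float] = None) -> str:
        """Store the signup as pending and return the token to put in the confirmation link."""
        now = now or time.time()
        nonce, issued = secrets.token_urlsafe(16), int(now)
        self.records[email] = ConsentRecord(email, now, ip)
        return f"{email}|{nonce}|{issued}|{self._sign(email, nonce, issued)}"

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Accept only an untampered, unexpired token for a still-pending signup."""
        now = now or time.time()
        try:
            email, nonce, issued_str, sig = token.rsplit("|", 3)
            issued = int(issued_str)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, self._sign(email, nonce, issued)):
            return False  # forged or tampered link
        if now - issued > self.ttl:
            return False  # stale link; the subscriber must sign up again
        rec = self.records.get(email)
        if rec is None or rec.status != "pending":
            return False  # unknown address or link already used
        rec.confirmed_at, rec.status = now, "confirmed"
        return True
```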

I have seen a lot of conflicting advice going around leading many to believe it is mandatory for GDPR.


This blog post aims to set the story straight.

Do you need double opt-in for GDPR?

The quick and easy answer is no.

It is not a requirement in the GDPR legislation to have double opt-in. You do not NEED double opt-in for GDPR to ensure compliance and consent.

So, does this mean that we can all switch it off?

Maybe not.

If we are welcoming GDPR as an opportunity to make our lists cleaner, then double opt-in can increase the quality of new leads into our lists. It avoids the chance of false data entered by a bot or by someone who is not the owner of the email address. It also ensures that subscribers who do go through the double opt-in process are interested in what we have to offer.

Double opt-in may be useful depending on what type of data you are processing.

GDPR has renamed “Sensitive Data” as “Special Category Data”, which includes racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data processed for the purpose of uniquely identifying a natural person, data concerning health, and data concerning a natural person's sex life or sexual orientation.

If you are dealing with any information in this category, then you will need to have “explicit consent” to use it. An example of how to get explicit consent might be to use double opt-in.

“All I've been hearing is that double opt-in is the only way to prove consent”

GDPR does impose a higher standard of consent than we have under existing regulations but consent is not the only lawful ground for processing someone’s data.

In addition, double opt-in for GDPR is not the only answer to getting consent.

Consent in GDPR is a whole other kettle of fish and has many different levels to consider. I’ll be going into this in more detail in a future blog.
If you can’t wait though, learn more in this video on GDPR and the granularities of consent, which I delivered inside my free “GDPR for Online Business” Facebook group.

Your first step to understanding GDPR for your business should be to download my free GDPR Checklist. Here you'll discover the easy way to become GDPR compliant.

The checklist includes steps to ensure you have consent for your marketing, without necessarily needing double opt-in.

Next time you see a double opt-in for GDPR argument going on with information that you now know is not true, please do them all a favour and give them the link to this post and suggest they join my Facebook group.

Then they’ll have access to clear and simple legal GDPR guidance that won't scare them to death!


Transcript of the video

I'm Suzanne Dibble, a data protection expert. This is me, raw and uncut, but delivering you massive free value in terms of knowledge about GDPR. Hmm, it's starting to rain.

Okay, so today's question is do you need a double opt-in post GDPR for your marketing emails? And the quick answer is no, you don't. Okay? So nothing in the legislation says that you need double opt-in. Now, this is GDPR I'm talking about, if you're in the States or in Canada then you have your own laws, which I know do require double opt-in. So we're just talking purely about GDPR.

Now, slightly more complex than that, in that there is this new … Well, it's kind of similar to what there was before, but a little bit expanded, and they call it special category data, what we used to think of as sensitive data. And that's things like your race, your political persuasion, and your religious beliefs. And it also now extends to biometric data.

Oh, excuse me, up the hill here. And there are a number of things like that, and I'll post what new sensitive data is in the comments below. If you're dealing with that type of information, then you need explicit consent. Now, the working party has just released some guidance on what constitutes explicit consent. Now, as an example of how to get explicit consent, they say that double opt-in might be a way of getting that explicit consent. So if you're processing sensitive information, or special category data, then double opt-in might be appropriate.

But the simple answer is no, GDPR does not in every case require double opt-in. If you're dealing with sensitive data, then it might be a way of demonstrating explicit consent. Hope that clears things up, if not, comment on the video and I'll answer your question.


Suzanne Dibble

Suzanne Dibble is a multi-award winning business lawyer who consults with multi-nationals on data protection law and the upcoming GDPR. The Legal Services Board and the Law Society have heralded her innovative approach to helping small business owners with complex regulations. Suzanne worked with Richard Branson at Virgin where she managed a group wide data protection project which resulted in Virgin nominating Suzanne for the Solicitor of the Year Award and subsequently Suzanne was runner up in this prestigious award. Suzanne has had second to none training and experience at a top City law firm, leading billion pound deals and being on the board of £100m+ business (resulting in her being listed in the Who’s Who of Britain’s Business Elite two years in a row). Suzanne is one of the few lawyers that really understands the online world and the small business world and puts law and regulation in the context of your business. There has been a lot of scaremongering and hype about GDPR (with the headline fines of 20m) and Suzanne brings a practical, balanced approach.

DISCLAIMER: as I do not know your individual circumstances, none of my blogs, my videos, my guidance in the Facebook group or any other materials available to you where I have not taken you on as a one to one client shall be construed as legal advice and I shall have no liability to you in any circumstances should you choose to rely on any of the materials I publish.