It is both curious and comical to me how certain topics surrounding the GDPR (General Data Protection Regulation) seem to generate more buzz than others, whether they are correct or not. Such as the topic of consent being the only form of lawful processing, the overriding right to be forgotten in any circumstance and the belief that all forms of outbound marketing have been confined to history.
Who knows where these beliefs or myths come from; or why they are so persistent?
[You may also be interested to read "GDPR Myths and Monsters"]
In this blog post, I will explore the idea of double opt-in consent and whether it really is required by the GDPR.
What is Double Opt-in Consent?
From your own experience, when you have completed an electronic form, you probably were asked to accept terms and conditions of the company collecting the form by ticking a box indicating this choice. This is known as single opt-in. The single aspect is the individual instance of indicating acceptance of the terms and conditions, by ticking the box. The term opt-in relates to the fact that you had to tick a box in order to accept, rather than untick. This is also known as positive opt-in.
The bane of single opt-in forms for marketers is that savvy users who wish not to be contacted or who wish to hide their tracks, will enter a false email address in order collect the reward which was on the other side of the form.
Because of this, marketers create double opt-in scenarios, whereby the completion of a form leads to an email being sent to that address for verification before completion. This guarantees the validity of the email address. In this scenario, the click to confirm address present in the follow up email, is a secondary form of opt-in. Thus creating the conditions for double opt-in.
Is Double Opt-in Required by GDPR?
In short no. In fact the word "double" is not mentioned once in the regulation document. Article 7 sets out the conditions for consent, which must adhere to four key principles:
1. Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.
2. If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this regulation shall not be binding.
3. The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.
4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.
Where Has This Myth Come From?
So there you have it, double opt-in is not a requirement so long as consent is demonstrable by the data controller or processor collecting it.
The origins of double opt-in as a requirement under the GDPR is unknown. However, it may just be a mix up between marketing best practices and data protection regulation. A good marketing strategy will make use of double opt-in to keep form submissions clean from falsified personal data. But ultimately a choice on the part of the data controller.