What is a ‘Double Opt-In’ of consent? | GDPR FAQ

Q: What is a Double Opt-In for consent? Why should I use Double Opt-In when I seek consent from my data subjects?

A: A double opt-in is simply a method of double-checking that a given consent genuinely came from the data subject it is attributed to.

Although it is not always a legal necessity, using a double opt-in should be considered best practice whenever processing under the GDPR relies on consent.

A double opt-in can be as straightforward as collecting contact details through an online form that includes an unticked checkbox for consent.

The double opt-in part then comes in the form of a follow-up email. This email includes an embedded link which “activates” the consent.

By clicking the embedded link, the data subject has supplied a “double opt-in” of their consent to processing.

References:

  • Recital 42, GDPR

Additional Information:

Why is this necessary? To understand the value of seeking two permissions, we should first consider the process without it.

If a simple online form with a consent checkbox were considered adequate for processing, it would be possible for a third party to enter random email addresses into the form, giving “permission” for accounts which they did not own.

Furthermore, an unscrupulous enterprise could take a database of contacts’ email addresses and enter them into its own online forms, giving permission for each one and essentially “washing” its existing database with falsified consents.

By making consents under the GDPR rely on access to the given email account, the second opt-in ensures that only the genuine account holder can give permission for the processing of their personal data.