GDPR, double opt-in and re-consent


Lots of you are asking about GDPR, the effect it will have and the actions you need to take. Here are 2 of the most common questions we hear relating to GDPR preparations.

Do I need to add a double opt-in when adding new subscribers?

The short answer is no. There’s no requirement under GDPR to have a double opt-in process.

Is it a good idea? Definitely yes. Double opt-in may not be a GDPR requirement but we do recommend it as a Permission Marketing best practice. We always recommend a double opt-in process when you are collecting new data – for example, new subscriptions from a website form. It significantly increases the quality of genuine captured data and it avoids collection of data submitted to your forms by online bots or other unscrupulous sources.

Double opt-in is a simple process to implement. The usual process is that on submission of a data collection form an automated email is sent to the submitted email address. The new subscriber data is only confirmed and added to the database on successful receipt and interaction with this email – for example, the clicking of a verification link. This therefore verifies that the email address is both active and actively monitored and that the submitted details are correct.
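The flow described above, as an added sketch that is not code from the original post: the submitted address is held as pending and joins the list only when the emailed link is opened. The names DoubleOptIn and TOKEN_TTL, the 48-hour window, the example URL and the in-memory stores standing in for a database are all assumptions.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 48 * 3600  # assumed validity window for the link, in seconds


class DoubleOptIn:
    """Keeps form submissions pending until the emailed link is clicked."""

    def __init__(self, base_url):
        self.base_url = base_url
        self.pending = {}       # sha256(token) -> (email, expiry timestamp)
        self.confirmed = set()  # addresses that completed verification

    @staticmethod
    def _digest(token):
        # Only the hash is stored, so a leaked pending table
        # cannot be replayed as working confirmation links.
        return hashlib.sha256(token.encode()).hexdigest()

    def submit(self, email, now=None):
        """Form submission: record as pending, return the link to email out."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, so bots cannot confirm
        self.pending[self._digest(token)] = (email.strip().lower(),
                                             now + TOKEN_TTL)
        return f"{self.base_url}/confirm?token={token}"

    def confirm(self, token, now=None):
        """Link click: move the address to the confirmed list, or return None."""
        now = time.time() if now is None else now
        record = self.pending.pop(self._digest(token), None)  # single use
        if record is None:
            return None          # unknown or already-used token
        email, expiry = record
        if now > expiry:
            return None          # link expired; subscriber must sign up again
        self.confirmed.add(email)
        return email


if __name__ == "__main__":
    svc = DoubleOptIn("https://news.example")        # constructed sample URL
    link = svc.submit("alice@example.com")           # constructed sample address
    print("pending only:", svc.confirmed == set())
    print("confirmed:", svc.confirm(link.split("token=")[1]))
```
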

Many marketers also often include a thank-you type of confirmation that the process is now complete. This can also be used to supply additional introductory information or to encourage the new subscribers onwards to the brand website. New subscribers are generally keen so it’s a good opportunity to advance the relationship. It also serves as a useful positive confirmation to the subscriber that their subscription has indeed been processed.

We don’t always use double opt-in. For new subscribers, definitely, yes. But if you are collecting additional data from existing subscribers (for example updating preferences or collecting additional profile information such as a birthday or location) you might want to consider turning this option off. Good as it is, double opt-in does add another step to the process and this potentially introduces an additional point at which interest and opportunity might be lost. If in doubt, keep it.

Do I need to contact my existing subscribers to re-establish consent?

Again, the short answer is no.

Assuming that the conditions of consent were originally gathered in a way which is consistent with post-GDPR requirements and that the future intentions for use are also similar, then consent is considered to be continuous. There is no need to go back and re-establish this just because of GDPR.

But is it a good idea? Quite possibly, yes.

Consent is not the only condition for data processing under GDPR but it is one of the pillars upon which justification is built. GDPR requires that unless there is another justification (there are 5 other justification scenarios i.e. legal obligation, public interest, vital interest, contractual, legitimate use), data processing can only be done with the consent of the data subject. As well as being a fundamental of permission-based marketing, this is actually not dissimilar to the current UK Data Protection legislation. In this respect the principle of consent has not radically changed.

However, GDPR does newly extend and clarify the conditions under which consent is given. GDPR now requires that consent must be a clear and affirmative opt-in action, freely given with full knowledge of the owner and the intended purpose of processing. It can’t be implied, assumed, bundled or otherwise connected, and it only applies for a specifically identified purpose.

For those already following a robust permission-based strategy, the new conditions of consent which GDPR brings should introduce little in the way of new difficulty. In many respects GDPR is designed to bring everyone closer to the permission ideal, so it is those who are either ignoring or loosely applying the concept of consent who will need to up their game. In any case, as mentioned before, consent is not the only justification. GDPR also includes a justification under the heading of ‘legitimate use’. This is similar to the so-called ‘soft opt-in’ (or legitimate interest) which is commonly used by email marketers under the current Data Protection laws.

In principle, as long as a clear, genuine and mutually beneficial relationship is in place, and the processing is anticipated, appropriate and doesn’t otherwise infringe the rights and freedoms of the individual, then data processing can still be undertaken without consent. A quick look at my own inbox suggests that many email marketers are commonly applying this scenario, and although consent is still the preferred route, my guess is that this will not significantly change under GDPR. In fact, after much discussion and lobbying, the justification of Legitimate Use has been referenced within the GDPR copy as being specifically aligned to the needs of marketers.

However, the other major change with GDPR is that whatever justification you are making for processing the data (consent or otherwise) you need to have made an assessment of the possible impact of this assumption, in advance. This is new.

Having said all that, many people are taking the opportunity to contact their database to either re-affirm consent, or in the cases where (GDPR compliant) consent is not in place, to establish this. Some are specifically referencing GDPR in this process, but others are simply taking this step as a courtesy – after all, permission is a politeness and re-engaging in this way can be used to show that data protection is an important consideration and serve to strengthen an existing relationship.

There’s the danger (in fact a high probability) that some subscribers will also take this opportunity to re-assess their situation and withdraw their consent. So if you take this step, be prepared for losses. However, re-engaging in this way will have the double benefit of strengthening the bond with your loyal subscribers and cleaning out those who are unlikely to engage further in the future.

Thinking about GDPR

If you’d like more information on the background and requirements of GDPR for email marketing try this blog post too: