VSEC Blog: IT Security Channel News brought to you by Infinigate UK

Does GDPR Require Double Opt-in Consent?

Posted: 08 August 2018

It is both curious and comical to me how certain topics surrounding the GDPR (General Data Protection Regulation) seem to generate more buzz than others, whether they are correct or not. Examples include the idea that consent is the only form of lawful processing, that the right to be forgotten overrides everything in any circumstance, and that all forms of outbound marketing have been confined to history.

Who knows where these beliefs or myths come from, or why they are so persistent?

In this blog post, I will explore the idea of double opt-in consent and whether it really is required by the GDPR.

What is Double Opt-in Consent?

From your own experience, when you have completed an electronic form, you probably were asked to accept terms and conditions of the company collecting the form by ticking a box indicating this choice. This is known as single opt-in. The single aspect is the individual instance of indicating acceptance of the terms and conditions, by ticking the box. The term opt-in relates to the fact that you had to tick a box in order to accept, rather than untick. This is also known as positive opt-in.

The bane of single opt-in forms for marketers is that savvy users who do not wish to be contacted, or who wish to hide their tracks, will enter a false email address in order to collect the reward on the other side of the form.

Because of this, marketers create double opt-in scenarios, whereby the completion of a form leads to an email being sent to that address for verification before completion. This guarantees the validity of the email address. In this scenario, the click-to-confirm address present in the follow-up email is a secondary form of opt-in, thus creating the conditions for double opt-in.
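A minimal sketch of the double opt-in flow described above, added here as an illustration (it is not code from Infinigate or from any marketing platform). The secret, the 24-hour link lifetime, the in-memory store and all function names are assumptions made for the example.

```python
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: server-side secret, constructed for this example
TOKEN_TTL = 24 * 3600             # assumption: confirmation link is valid for 24 hours
subscribers = {}                  # email -> record; in-memory stand-in for a database

def _sign(email, issued_at):
    # Bind the token to one address and one form submission.
    msg = f"{email}|{issued_at}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).hexdigest()

def submit_form(email, now=None):
    """First opt-in (ticked box): store a pending record, return the token to e-mail."""
    now = int(time.time() if now is None else now)
    email = email.strip().lower()
    subscribers[email] = {"status": "pending", "form_opt_in_at": now, "confirmed_at": None}
    return f"{now}.{_sign(email, now)}"

def confirm(email, token, now=None):
    """Second opt-in (link clicked): accept only an untampered, unexpired token."""
    now = int(time.time() if now is None else now)
    email = email.strip().lower()
    record = subscribers.get(email)
    issued, _, sig = token.partition(".")
    if record is None or not (issued.isascii() and issued.isdigit()):
        return False
    # Constant-time comparison of the presented and expected signatures.
    if not hmac.compare_digest(sig.encode(), _sign(email, int(issued)).encode()):
        return False
    # Reject expired links and links from an earlier, superseded submission.
    if now - int(issued) > TOKEN_TTL or int(issued) != record["form_opt_in_at"]:
        return False
    if record["status"] != "confirmed":  # keep the first confirmation timestamp
        record.update(status="confirmed", confirmed_at=now)
    return True

def may_email(email):
    """Marketing mail is sent only to addresses that completed both steps."""
    record = subscribers.get(email.strip().lower())
    return bool(record and record["status"] == "confirmed")
```

A false address entered on the form never reaches the confirmed state, because the token only travels to the mailbox that was typed in.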

Is Double Opt-in Required by GDPR?

In short, no. In fact, the word "double" is not mentioned once in the regulation document. Article 7 sets out the conditions for consent, which must adhere to four key principles:

1.  Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data.

2.  If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this regulation shall not be binding.

3.  The data subject shall have the right to withdraw his or her consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw as to give consent.

4.  When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract.

Where Has This Myth Come From?

So there you have it: double opt-in is not a requirement so long as consent is demonstrable by the data controller or processor collecting it.

The origins of double opt-in as a requirement under the GDPR are unknown. However, it may just be a mix-up between marketing best practices and data protection regulation. A good marketing strategy will make use of double opt-in to keep form submissions clean from falsified personal data. But ultimately it is a choice on the part of the data controller.

Chris Payne Senior Technical Consultant, Infinigate UK