According to the General Data Protection Regulation (GDPR), a newsletter subscription requires that the lawfulness of processing can be demonstrated. This can be achieved with a double opt-in. But what exactly is that, and how do you implement it in a GDPR-compliant manner as a website operator?
Double opt-in, what is that anyway?
Art. 6 GDPR is about the lawfulness of the processing of data. When sending newsletters, for example, this means that the provider must have consent and be able to provide proof of it. It is not proof if someone enters an email address in a registration form and agrees to the terms of use by clicking on it. In that case, anyone could enter other people's email addresses without being the owner of them.
The double opt-in process is as follows:
- I am on a website and would like to sign up for the newsletter there.
- I enter my email address and agree that an email containing the privacy policy, or at least a link to it, will be sent to me at this address.
- The email explains exactly what happens to the data, how it is processed, and that I should consent to this processing.
- Furthermore, I must confirm that I have taken note of the privacy policy.
- Then I click on the big confirmation button and everything is fine.
Now the provider receives from me a confirmation of the e-mail address I provided, the confirmation that I have taken note of his privacy policy, and the confirmation that I have agreed to his statements regarding the processing of my data. All of this is his proof, which he must provide when asked to do so.
Double opt-in is, so to speak, the double confirmation of wanting something.
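The flow described above, as an added sketch that is not from the original article and is not Mautic's implementation. The function names, the 48-hour validity period, the policy version label and the in-memory stores are assumptions made for illustration.

```python
import hashlib
import secrets
import time

TOKEN_TTL = 48 * 3600        # assumption: the confirmation link is valid for 48 hours
POLICY_VERSION = "policy-v1" # constructed label for the privacy policy text that was mailed

pending = {}   # token hash -> pending request (stand-in for a database table)
consents = []  # evidence records the operator can produce when asked


def _digest(token):
    # Only the hash is stored, so a leaked table cannot be used to confirm addresses.
    return hashlib.sha256(token.encode()).hexdigest()


def request_subscription(email, now=None):
    """Form submitted: nothing is subscribed yet, only a confirmation mail goes out."""
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)  # unguessable, reaches only the mailbox owner
    pending[_digest(token)] = {"email": email.strip().lower(), "requested_at": now}
    return token  # embedded in the confirmation link of the e-mail


def confirm_subscription(token, policy_acknowledged, now=None):
    """Confirmation button clicked: returns the consent record, or None if rejected."""
    now = time.time() if now is None else now
    key = _digest(token)
    entry = pending.get(key)
    if entry is None:
        return None                    # unknown token, or one that was already used
    if now - entry["requested_at"] > TOKEN_TTL:
        del pending[key]
        return None                    # link expired, the request is discarded
    if not policy_acknowledged:
        return None                    # no consent without taking note of the policy
    del pending[key]                   # single use: a replayed link does nothing
    record = {
        "email": entry["email"],
        "requested_at": entry["requested_at"],
        "confirmed_at": now,
        "policy_version": POLICY_VERSION,
    }
    consents.append(record)            # this record is the proof of consent
    return record
```
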
Double opt-in with Mautic
On our website, we use the open source tool Mautic to achieve GDPR compliance - for double opt-in as well as for the contact form and cookie banner. But the software can do much, much more. Its actual purpose is marketing automation: it manages contacts and campaigns. Mautic was founded in 2014 and developed for all operating systems, and its self-declared mission is "Equality". We also call it digital sovereignty.