Double opt-in means a new subscriber confirms their signup by clicking a link in a confirmation email before receiving anything else. It is one extra step, and it is the difference between a list you can defend and a list you have to hope nobody asks about.

What the GDPR actually requires

The GDPR never uses the words "double opt-in". What it requires is that consent be freely given, specific, informed, and unambiguous, and, crucially in Article 7, that you can demonstrate that consent was given. That last part is where single opt-in falls apart: anyone can type any email address into a form. Without confirmation, you cannot prove the owner of the address agreed to anything.

German and Austrian case law has treated confirmed opt-in as the standard for years, and regulators across the EU, including Poland's UODO, consistently point to it as best practice. If a complaint lands on a supervisor's desk, a double opt-in record ends the conversation.

Single vs double opt-in

Single opt-inDouble opt-in
Proof of consentWeak: form submission onlyStrong: confirmed by the address owner
List qualityTypos, bots, fake signupsReal, deliverable addresses
DeliverabilityHigher bounce and complaint ratesCleaner metrics, better reputation
Signup conversionSlightly higherLoses the 20 to 30% who never confirm

Yes, double opt-in loses some signups. The people it loses are disproportionately typos, bots, and the uncommitted, exactly the addresses that would later bounce or hit "spam".

How to set it up properly

  1. The form promises only what it does. "Get our newsletter, about twice a month" beats "Subscribe". No pre-ticked boxes, and no bundling consent into a purchase.
  2. The confirmation email is instant and minimal. One sentence, one button. It must not contain marketing content, because the recipient has not consented yet.
  3. Nothing else sends until the click. Unconfirmed addresses sit in a pending state and expire after a couple of weeks.
  4. Record the evidence. Store the signup timestamp, the confirmation timestamp, and the form or source the consent came from. This record is your Article 7 proof.
  5. Make leaving as easy as joining. Every email needs a working unsubscribe that takes effect immediately, plus the one-click List-Unsubscribe header (RFC 8058) that Gmail and Yahoo now require from bulk senders.

The compliance checklist

  • Signup form states what you will send and how often
  • Confirmation email sent immediately, containing no promotion
  • Unconfirmed contacts never receive campaigns
  • Consent records stored: timestamps and source
  • One-click unsubscribe in every campaign
  • Unsubscribes and complaints suppressed permanently

In SendMerlin this whole flow is the default, not a setting to find: double opt-in confirmation, consent records, suppression, and RFC 8058 one-click unsubscribe are wired into every list from day one.

Frequently asked questions

Is double opt-in legally mandatory in the EU?

Not by the letter of the GDPR, but you must be able to prove consent, and double opt-in is the accepted way to do that. In practice German courts and several regulators treat it as the required standard.

What about the subscribers I collected without confirmation?

You can run a re-permission campaign: one email asking them to confirm they still want to hear from you. Everyone who does not confirm gets removed. Painful once, clean forever.

Does double opt-in apply to B2B emails too?

Consent rules differ for B2B in some member states, but proof and deliverability arguments are identical. If in doubt, confirm.