My lists are single opt-in. Is double opt-in required to be GDPR-compliant?

There are benefits to double opt-in but it’s not enough to be compliant with the GDPR. Double or single opt-in on their own don’t guarantee GDPR compliance because they’re not enough to prove consent. They also won’t help you track, consent from your contacts. The GDPR requires you to:

• fulfill informational obligations, including clearly stating to your EU-based contacts how you’ll use their information,
• collect consent to process their data,
• give them easy access to withdraw their consent at any given moment.

To collect and track consent upon subscription, and also to inform the data subject about the rules for processing personal data by your organization, add checkbox fields with consent clauses and a link to your privacy policy to your signup forms or landing pages. Of course, you can enable the extra confirmation step to improve deliverability and click-through rates. But, don’t rely solely on double opt-in to be compliant with the GDPR.

Remember that sending commercial or marketing communications may also involve the obligation to comply with other legal requirements, regulated by laws other than the GDPR.

Do I need to reconfirm contacts added to a single opt-in list?

Having single opt-in lists doesn’t automatically mean that you have to send a reconfirmation email to contacts in these lists. If your list is single opt-in but you can prove consent, you don’t need to run a reconfirmation campaign.

You should send a reconfirmation email if you, for example:

• can’t prove that your contacts have given you clear consent to process their personal data,
• would like to use their contact information in a way other than the one they agreed to.
  For example, they agreed to receive educational content but you would like to send them marketing emails.