Q: What is a 'Double Opt-In' for consent? Why should I use Double Opt-In when I seek consent from my data subjects?
A: A double opt-in is a method of verifying that a given consent really came from the data subject, by requiring a second, independent confirmation after the initial request.
Although it is not always a legal necessity, it should be considered best practice to use a double opt-in whenever you rely on consent as your lawful basis for processing under the GDPR, not least because the controller must be able to demonstrate that consent was given (Article 7(1)).
A double opt-in can be as straightforward as collecting contact details through an online form that includes an unticked checkbox for consent; the data subject must actively tick it (a pre-ticked box is not valid consent).
The double opt-in then comes in the form of a follow-up email sent to the address supplied. This mail contains an embedded link which "activates" the consent. For the scheme to work, the link must carry an unguessable, single-use token tied to that specific request, and ideally one that expires after a reasonable time.
Only when the data subject clicks the embedded link has the "double opt-in" been completed and the consent become effective; a form submission on its own should never be treated as consent.
References:
Recital 42, GDPR
Article 7(1), GDPR
Additional Information:
Why is this necessary? To understand the value of seeking two permissions, first consider the process without the second step.
If a simple online form with a consent checkbox were considered adequate for processing, a third party could enter arbitrary email addresses into the form, giving "permission" on behalf of addresses they do not control.
Furthermore, an unscrupulous enterprise could take an existing database of contacts' email addresses and enter them into its own online form, "giving" permission for each one and essentially washing its database with falsified consents.
By making consent depend on access to the given email account, the second opt-in ensures that only someone who can read that mailbox can confirm the processing of the associated personal data. Note what this does and does not prove: it demonstrates control of the mailbox at the time of confirmation, not the identity of the person behind it, so the confirmation record (timestamp, purpose, address) should be retained as the evidence of consent.
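As an added illustration (not part of the original answer), the following Python sketch implements the two steps described above and exercises the two abuse cases from this section: a form submission only creates a pending record, and consent becomes effective only when the emailed token is presented back. The confirmation endpoint URL, the 48-hour expiry, the consent purpose and the email addresses are assumptions and constructed sample data.

```python
"""Double opt-in consent: a form submission only records a *pending* consent;
consent becomes effective only when a single-use, unguessable token that was
e-mailed to the address is presented back. Added example, not the page's code."""
import hashlib
import secrets
import time
from dataclasses import dataclass
from urllib.parse import urlencode

TOKEN_TTL_SECONDS = 48 * 3600        # assumed policy: confirmation links expire after 48 hours
CONFIRM_URL = "https://example.invalid/consent/confirm"   # hypothetical endpoint


@dataclass
class PendingConsent:
    email: str
    purpose: str          # what the data subject is consenting to, e.g. "newsletter"
    created_at: float


class DoubleOptIn:
    """In-memory store standing in for the controller's database."""

    def __init__(self, now=time.time):
        self._now = now                  # injectable clock so expiry can be exercised
        self._pending = {}               # sha256(token) -> PendingConsent
        self._confirmed = {}             # (email, purpose) -> confirmation timestamp

    @staticmethod
    def _hash(token: str) -> str:
        # Only the hash is stored: a leaked table of pending consents cannot be
        # replayed to "activate" them.
        return hashlib.sha256(token.encode()).hexdigest()

    def submit_form(self, email: str, purpose: str, checkbox_ticked: bool) -> str:
        """Step 1: the web form. Records a pending consent and returns the token
        that would be sent (only) to `email`. Grants nothing by itself."""
        if not checkbox_ticked:
            raise ValueError("consent checkbox must be actively ticked")
        token = secrets.token_urlsafe(32)    # 256 bits of entropy: not guessable
        self._pending[self._hash(token)] = PendingConsent(email, purpose, self._now())
        return token

    def confirmation_link(self, token: str) -> str:
        """The link embedded in the follow-up e-mail."""
        return f"{CONFIRM_URL}?{urlencode({'token': token})}"

    def confirm(self, token: str) -> bool:
        """Step 2: the link is clicked. Valid only once and only before expiry."""
        record = self._pending.pop(self._hash(token), None)   # pop => single use
        if record is None:
            return False                 # unknown, already used, or guessed token
        if self._now() - record.created_at > TOKEN_TTL_SECONDS:
            return False                 # stale link; the data subject must re-submit
        self._confirmed[(record.email, record.purpose)] = self._now()
        return True

    def has_consent(self, email: str, purpose: str) -> bool:
        """What processing code must check before using the data."""
        return (email, purpose) in self._confirmed


def demo() -> dict:
    """Walks through the honest path and the abuse cases from the text.
    Addresses, purpose and timestamps are constructed sample data."""
    clock = [1_700_000_000.0]
    store = DoubleOptIn(now=lambda: clock[0])
    results = {}

    # Genuine subject submits the form and later clicks the link.
    token = store.submit_form("alice@example.com", "newsletter", True)
    results["form_alone_grants_consent"] = store.has_consent("alice@example.com", "newsletter")
    results["genuine_confirm"] = store.confirm(token)
    results["consent_after_confirm"] = store.has_consent("alice@example.com", "newsletter")
    results["replay_rejected"] = not store.confirm(token)

    # Third party enters someone else's address: the token goes to that mailbox,
    # so all the attacker can do is guess.
    store.submit_form("victim@example.com", "newsletter", True)
    results["guessed_token_rejected"] = not store.confirm(secrets.token_urlsafe(32))
    results["victim_not_consented"] = not store.has_consent("victim@example.com", "newsletter")

    # Link clicked after the TTL has passed.
    stale = store.submit_form("bob@example.com", "newsletter", True)
    clock[0] += TOKEN_TTL_SECONDS + 1
    results["expired_rejected"] = not store.confirm(stale)
    return results
```

The design points worth carrying into a real deployment are the ones the abuse cases rely on: the token is random rather than derived from the address, only its hash is stored, it is consumed on first use, it expires, and consent is recorded per purpose so that confirming a newsletter does not silently cover other processing. The timestamp stored on confirmation is the record you would produce to demonstrate consent.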