Q: What is a 'Double Opt-In' for consent? Why should I use Double Opt-In when I seek consent from my data subjects?

A: A double opt-in is simply a method to double-check the veracity of any given consent from a data subject.

Although it is not always a legal necessity, it should be considered best practice to use a system of double opt-ins when processing personal data on the basis of consent under the GDPR.

A double opt-in can be as straightforward as collecting contact details through an online form, and providing an unfilled checkbox for consent within the form.

The double opt-in part then comes in the form of a follow-up email. This email includes an embedded link which “activates” the consent.

By clicking the embedded link, the data subject has supplied a “double opt-in” of their consent to processing.

References:

Recital 42, GDPR

Additional Information:

Why is this necessary? To understand the value of seeking two permissions, we should first consider the process without it.

If a simple online form with a consent checkbox were considered adequate for processing, it would be possible for a third party to enter random email addresses into the form, giving “permission” on behalf of accounts which they did not own.

Furthermore, an unscrupulous enterprise could take a database of contacts’ email addresses and enter them into its own online forms, giving permission for each one and essentially “washing” its existing database with falsified consents.

By making consents under GDPR rely on access to the given email account, this second opt-in ensures that only the genuine account holder can give permission for the processing of their personal data.
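The two-step flow described above, written out as an added example (not code from the original page): consent is recorded only once the emailed link is followed, the link token is unguessable, single-use and time-limited, and the record keeps both timestamps so the consent can be demonstrated later. The confirmation URL, the 24-hour expiry and the in-memory store are assumptions.

```python
"""Double opt-in consent flow (constructed example, not library code)."""
import hashlib
import secrets
import time
from dataclasses import dataclass, field
from typing import Optional

TOKEN_TTL_SECONDS = 24 * 60 * 60  # assumption: confirmation links expire after one day


@dataclass
class ConsentStore:
    pending: dict = field(default_factory=dict)    # token -> (email, issued_at)
    confirmed: dict = field(default_factory=dict)  # email -> audit record

    def request_consent(self, email: str, checkbox_ticked: bool, now: Optional[float] = None) -> Optional[str]:
        """Step 1: the form is submitted. Nothing is treated as consent yet;
        we only issue a random single-use token to be emailed as a link."""
        if not checkbox_ticked:
            return None  # an unticked (or pre-ticked) box is not consent
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 random bits: a third party cannot guess it
        self.pending[token] = (email, now)
        return token

    def confirmation_link(self, token: str) -> str:
        # Assumption: hypothetical endpoint; the link is sent only to the given address
        return f"https://example.com/consent/confirm?token={token}"

    def confirm(self, token: str, now: Optional[float] = None) -> str:
        """Step 2: the link is followed. Only someone who can read the
        mailbox can reach this point, which is what makes it a second opt-in."""
        now = time.time() if now is None else now
        entry = self.pending.pop(token, None)  # single use: a replayed link is rejected
        if entry is None:
            return "invalid"
        email, issued_at = entry
        if now - issued_at > TOKEN_TTL_SECONDS:
            return "expired"
        self.confirmed[email] = {
            "requested_at": issued_at,
            "confirmed_at": now,
            # keep a hash, not the token itself, as evidence of which link was used
            "token_sha256": hashlib.sha256(token.encode()).hexdigest(),
        }
        return "confirmed"

    def has_consent(self, email: str) -> bool:
        """Processing may rely on consent only when this returns True."""
        return email in self.confirmed
```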
