No, yes, double yes – three choices that are more or less part of (online) marketing nowadays. These procedures are called opt-out, opt-in and double opt-in. In this article, we explain what exactly is hidden behind these three terms, what the procedures look like in practice, which legal requirements website operators have to observe and how exactly they can implement them quickly and easily.
So it pays to keep at it 😉
PS: In our article on Cookie Banner Text Examples, we explain in detail the meaning of opt-in and opt-out procedures in relation to the setting of cookies.
What is the Opt-out procedure?
The opt-out function is now obsolete. The purpose of the opt-out procedure is to explicitly prohibit data processing – but this is done in an unlawful way. In the opt-out procedure, a person gives their silent consent, for example, to the setting of tracking cookies or to receiving a newsletter. Conversely, this means that the consent is considered legally valid until the data subject objects to it. “Opt-out” therefore means something like “refuse”. This type of consent pleased marketers in particular, as they could diligently collect and process data. However, data protectionists were not pleased – on the contrary. And the legislator also found this way of obtaining consent unacceptable, which is why the opt-out procedure was abolished in most cases when the GDPR came into force.
Is the opt-out procedure legal?
According to Article 7 of the GDPR, the responsible person must be able to prove that the data subject has given his or her voluntary consent to the processing of personal data. This is almost impossible by means of the opt-out procedure. Consent given by a person in advance (opt-out procedure) is no longer sufficient. Instead, an active and informed consent must be given by the user.
The reason for the strict regulations regarding consent is the protection of personal data. Wherever they play a role – be it in the analogue or digital world – the issue of data protection comes into play. As soon as it comes to processing personal data, the data subject must give active and informed consent. In addition, the data subject must always have the possibility to revoke consent (Art. 7 GDPR).
Examples of the opt-out procedure
- Already preset selection in a cookie banner (not allowed in most cases)
- Changed settings in the browser due to an update
- Postal advertising to existing customers for the same product type
Opt-in procedure – what is it?
Yes, I do 👰 The opt-in procedure is the opposite of the opt-out model. Which brings us to the primary difference between opt-out and opt-in: In contrast to the opt-out function, the core of the opt-in procedure is the active consent of the user. Both opt-in and opt-out procedures are used in so-called permission marketing. This form of marketing deals with the sending of e.g. information or advertising material to the recipient on the basis of the recipient’s consent. Strictly speaking, the opt-in procedure – like the opt-out procedure – is old hat and has not only existed since 2018 (introduction of the GDPR). However, the opt-in procedure and data protection have become an inseparable duo since the introduction of the General Data Protection Regulation (GDPR). Moreover, the opt-in function can be handled by means of an opt-in form – an electronic form that unambiguously obtains the consumer’s consent (e.g. cookie banner).
Examples of the opt-in procedure
- The sending of information or advertising material after voluntary provision of one’s own data (by post, e-mail, SMS or telephone)
- A requested callback
- Consenting to the processing of personal data or setting non-essential cookies
Single opt-in procedure
As the term already suggests, with the single opt-in procedure consent only has to be given once. The user therefore only has to submit his or her data. Validation by means of a confirmation email or similar is not necessary with the opt-in procedure. The single opt-in procedure is not very data-protection-friendly, as it is not so easy to determine that, for example, the filling out of a contact form actually took place by the specified person.
Double opt-in procedure
You probably already know about the double opt-in process.The double opt-in function is practically the YES, I DO 👰👰 If, for example, you want to create a customer account you will usually be confronted with this consent procedure. In practice, the double opt-in method looks like this: after entering your data, you receive an email in which you have to click on a link to confirm your registration. This ensures that you are the owner of the email address provided (and that someone else will not be bothered with future emails).
In general, the double opt-in is a popular method in email marketing. But opt-in can also take the form of an SMS or a phone call. In contrast to the opt-out and single opt-in method, it can definitely be assumed that the user has given his or her consent of his or her own free will (and that he or she has not consented by mistake, e.g. by ticking one too many checkboxes).
A possible disadvantage of the double opt-in method is the costly implementation of the method, technical errors (the confirmation email does not reach the recipient) and, in addition, you may be bounced by more prospects because the method of verification takes longer.
Examples of the double opt-in procedure
- Registration in an online shop
- Newsletter registration (email marketing)
- SMS code for verification (confirmation code)
- Verification call (confirmation code)
- Postal letter with one-time password after registration
Is the double opt-in procedure mandatory?
A double opt-in procedure, e.g. for email newsletters, is not mandatory under the GDPR. But according to the Unfair Competition Act it is – confusing, all these laws! In general, the double opt-in procedure is considered the best method to securely obtain consent. Marketers can thus ensure, among other things, that the recipient of a newsletter has actually agreed to receive it. But it also makes it much easier to prove consent because the mailbox can usually be assigned to a specific owner. In addition, the two-step double opt-in method is wonderfully suited to reduce the risk of spam registrations.
Website operators in particular should no longer be strangers to the opt-in procedure since the GDPR came into force. Personal data is exactly what makes the heart of every profit-oriented website operator beat faster. On the other side are data protectionists, strengthened by the law. If you want to handle your consent to the setting of non-essential cookies and the processing of personal data in a data-protection compliant and simple way, you should definitely try Real Cookie Banner – the beginner-friendly cookie banner for WordPress.