Is Double Opt-in Required? It Depends on the Country

Steven | TrustYourWebsite · 5 April 2026 · Last updated: May 2026

Is double opt-in required for newsletter signups in Europe? The short answer: yes in Germany in practice, strongly recommended in Austria, optional everywhere else. The answer depends on where your subscribers live, not where your business is.

Some EU countries treat double opt-in as the only defensible form of consent. Others accept single opt-in with a clear checkbox. If you're sending newsletters across borders, you need to know where the line sits in each market.

Where double opt-in stands across Europe

| Country | Status | Governing law | Regulator | Practical risk |
| --- | --- | --- | --- | --- |
| Germany | Required in practice | UWG § 7, GDPR Art 6(1)(a) and 7 | BfDI plus civil courts | Abmahnungen from €1,000 upward |
| Austria | Strongly recommended | TKG § 174, GDPR Art 7 | DSB | Civil claims and reputational risk |
| Netherlands | Not required | Telecommunicatiewet Art 11.7, GDPR Art 7 | Autoriteit Persoonsgegevens, ACM | Low if consent is logged |
| Belgium | Not required | Art XII.13 Wetboek van economisch recht, GDPR Art 7 | APD/GBA | Low if consent is logged |
| United Kingdom | Not required (soft opt-in allowed) | PECR 2003 Reg 22, UK GDPR Art 7 | ICO | Low, PECR fines on egregious cases |
| Nordics (SE, NO, DK, FI) | Not required | National e-marketing rules implementing 2002/58/EC | National DPAs | Low if consent is logged |

The EU-wide baseline is set by Article 13 of the ePrivacy Directive 2002/58/EC (consent for unsolicited commercial communication) combined with the GDPR. The EDPB's Guidelines 05/2020 on consent make clear that controllers must be able to demonstrate consent (GDPR Art 7(1)). Double opt-in is one way to do that. It is not the only way outside Germany.

Single opt-in vs double opt-in

Single opt-in means a person enters their email in your signup form and they're immediately added to your mailing list. One step, done.

Double opt-in adds a confirmation step. After filling in the form, the subscriber receives an email with a confirmation link. Only after clicking that link do they actually join your list.

That extra step matters more than you'd think. It proves the person who owns that email address actually wanted to sign up. Without it, anyone could enter someone else's address.

Figure: Single opt-in vs double opt-in flow. Side-by-side flow diagram comparing single opt-in (form, then list) with double opt-in (form, confirmation email, click, then list).

Single opt-in: 1. Visitor submits form (checkbox plus clear language). 2. Address joins the list (no confirmation step). Accepted in NL, BE, UK, IE, FR, ES and the Nordics when consent is logged and freely given.

Double opt-in: 1. Visitor submits form (address marked pending). 2. Confirmation email sent (one link, one button, no marketing). 3. Visitor clicks the link (timestamp and IP recorded). 4. Address joins the list. Required in DE, advised in AT.
Single opt-in adds a subscriber after one form submission. Double opt-in waits for a confirmation click before the address joins your list.

Country-by-country breakdown

The GDPR doesn't specifically mention double opt-in. It requires "freely given, specific, informed and unambiguous" consent (Article 4(11)) and demonstrability under Article 7(1). How national regulators interpret "unambiguous" and "demonstrable" is where the rules diverge.

Germany: required in practice

Germany is the strictest country in Europe on this topic. While no statute spells out "you must use double opt-in," the Bundesgerichtshof (Federal Court of Justice) ruled in BGH I ZR 164/09 of 10 February 2011 (the "Double-Opt-In" judgment) that the sender carries the burden of proving valid prior consent for every commercial email. Court decisions are searchable on the BGH website by case reference. The practical way to discharge that burden is double opt-in with a logged confirmation click.

Without it, you're exposed to Abmahnungen. These are formal cease-and-desist letters under UWG § 7 (Gesetz gegen den unlauteren Wettbewerb, the Act Against Unfair Competition) read together with GDPR Articles 6 and 7. Competitors or consumer protection associations can send them. Legal fees start around €1,000 and rise quickly if the case escalates. German courts consistently side against businesses that can't produce consent proof, and the BfDI (federal data protection commissioner) treats demonstrable consent as a baseline expectation.

If you have any German subscribers, use double opt-in. You can check whether your signup form already uses double opt-in with our free scan.

Austria follows German legal thinking closely. Austrian courts look at BGH rulings for guidance, and the legal culture around Abmahnungen exists here too. The Austrian Telekommunikationsgesetz (TKG) requires prior consent for unsolicited commercial email, mirroring Article 13 of the ePrivacy Directive 2002/58/EC. While there's no landmark Austrian ruling specifically requiring double opt-in, going without it is a risk most Austrian lawyers advise against.

Netherlands: not required, but smart

Dutch law doesn't require double opt-in. The Autoriteit Persoonsgegevens (AP) considers single opt-in with clear, unambiguous consent sufficient under Article 11.7 of the Telecommunicatiewet and GDPR Article 7. A visible checkbox with plain language like "Yes, I want to receive your newsletter" meets the standard.

That said, many Dutch email marketing guides recommend double opt-in anyway. It keeps your list clean and gives you a paper trail if someone ever complains to the AP or ACM.

Belgium: single opt-in is fine

Belgian data protection law accepts single opt-in as long as the consent is clear. A checkbox that isn't pre-checked, with a link to your privacy policy, does the job under Article XII.13 Wetboek van economisch recht (Code of Economic Law). The APD/GBA (Belgian Data Protection Authority) hasn't pushed for double opt-in.

United Kingdom: soft opt-in allowed

The UK has its own rules under PECR Regulation 22 (Privacy and Electronic Communications Regulations 2003). PECR allows the "soft opt-in" for existing customers. If someone bought something from you or negotiated for it, you can email them about similar products without fresh explicit consent, provided you offered an opt-out at collection and in every message.

For new contacts who haven't bought from you, you still need consent. Single opt-in with a clear checkbox is enough. The ICO's direct marketing guidance does not require double opt-in, although it does require records that demonstrate consent.

Ireland: not required

Ireland transposed the ePrivacy Directive through national e-Privacy Regulations and enforcement sits with the Data Protection Commission. Single opt-in with logged consent meets the standard. The DPC has not published guidance demanding a confirmation step.

France and Spain: not required, BtoB nuance

France's CNIL accepts single opt-in for BtoC marketing if the consent box is unticked and the purpose is clear. CNIL guidance even allows a softer regime for BtoB email to professional addresses where the content relates to the recipient's job. In Spain the AEPD takes the same line under Ley 34/2002 LSSI Art 21. Neither regulator demands double opt-in.

Nordics: generally single opt-in

Sweden, Norway, Denmark and Finland all accept single opt-in with proper consent. The focus is on making the consent clear and documented rather than requiring a confirmation email. Some Nordic businesses use double opt-in for quality reasons. Regulators don't demand it.

Why double opt-in protects your business

Even where it's not legally required, double opt-in solves real problems.

Proof of consent. If a subscriber complains to a data protection authority, you need to show they actually signed up. A double opt-in record with a timestamp, IP address and confirmation click is hard to argue against. A single database entry showing their email was added on a certain date is much weaker.

Cleaner lists. People mistype their email addresses. Bots fill in forms. Ex-partners sign up their former partners for every newsletter they can find (this happens more than you'd expect). Double opt-in catches all of these before they become your problem.

Better deliverability. Email providers like Gmail and Outlook track spam complaints. If people who never signed up start marking your emails as spam, your sender reputation drops. That means your emails land in the junk folder for everyone, including people who actually want to hear from you.

Fewer spam complaints. A subscriber who confirmed their signup is far less likely to hit the "Report spam" button. They made a deliberate choice twice.

How to set it up

Most email marketing tools support double opt-in. Here's where to find the setting.

Mailchimp

Go to Audience > Settings > Audience name and defaults. Under "Form Settings," check the box for "Enable double opt-in." This applies to all new subscribers for that audience.

Brevo (formerly Sendinblue)

Double opt-in is configured per signup form. When creating or editing a form, go to the Settings tab and select "Double confirmation" under the confirmation type. You'll need to customize the confirmation email template too.

MailerLite

Go to Sites > Forms, select your form, and in the settings panel switch on "Double opt-in." MailerLite sends a default confirmation email, but you can edit it under Campaigns > Subscriber emails.

General tips for all platforms

Keep the confirmation email short. One line explaining what they're confirming, one button to click. Don't add marketing content, images or extra links. The subscriber wants to confirm and move on.

Set a deadline for confirmation. Most tools automatically remove unconfirmed signups after a few days. If someone doesn't confirm within 48 hours, they probably mistyped their email or changed their mind.
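The pending-then-confirmed flow, the 48-hour deadline and the proof-of-consent record (timestamp, IP address, confirmation click) described in this article, sketched as an added example; it is not code from the article or from any of the email tools named here. The function names, the in-memory `subscribers` store and the demo key are assumptions, and the confirmation link carries an HMAC-signed email-plus-timestamp token so it cannot be forged or reused after the deadline.

```python
import base64
import hashlib
import hmac
import time

SECRET = b"constructed-demo-key"  # assumption: loaded from a secret store in production
TTL_SECONDS = 48 * 3600           # confirmation deadline (48 hours)
subscribers = {}                  # email -> record; stands in for a database table

def _sign(payload: bytes) -> str:
    mac = hmac.new(SECRET, payload, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(mac).decode().rstrip("=")

def start_signup(email, ip, now=None):
    """Mark the address pending and return the token for the confirmation link."""
    now = int(now if now is not None else time.time())
    email = email.strip().lower()
    rec = subscribers.get(email)
    if rec is None or rec["status"] != "confirmed":
        subscribers[email] = {"status": "pending", "signup_ts": now, "signup_ip": ip}
    payload = f"{email}|{now}".encode()
    body = base64.urlsafe_b64encode(payload).decode().rstrip("=")
    return f"{body}.{_sign(payload)}"

def confirm(token, ip, now=None):
    """Verify the clicked token, then record the consent evidence exactly once."""
    now = int(now if now is not None else time.time())
    try:
        body, sig = token.split(".")
        payload = base64.urlsafe_b64decode(body + "=" * (-len(body) % 4))
        email, issued = payload.decode().rsplit("|", 1)
        issued = int(issued)
    except ValueError:  # malformed token, bad base64, bad UTF-8 or bad timestamp
        return "invalid"
    # Constant-time comparison so the signature cannot be guessed byte by byte.
    if not hmac.compare_digest(sig.encode(), _sign(payload).encode()):
        return "invalid"
    if now - issued > TTL_SECONDS:
        return "expired"
    rec = subscribers.get(email)
    if rec is None:
        return "invalid"
    if rec["status"] == "confirmed":
        return "already_confirmed"  # keep the original evidence untouched
    rec.update(status="confirmed", confirm_ts=now, confirm_ip=ip)
    return "confirmed"
```

Only addresses with status `confirmed` should ever be exported to the sending list; the stored `signup_*` and `confirm_*` fields are the record to produce if consent is challenged.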

What about your existing list?

If you're switching from single opt-in to double opt-in, don't panic. You don't need to re-confirm your entire list. The change only applies to new subscribers going forward.

If you do want to clean up your existing list, send a re-engagement campaign first. Ask inactive subscribers if they still want to hear from you. Remove anyone who doesn't respond after two attempts. This isn't a legal requirement in most countries, but it improves your deliverability.

Check your signup forms

Your newsletter signup is one of the things our free website scan checks. It looks for pre-checked boxes, missing privacy policy links and consent language. If your forms don't meet GDPR standards, the scan flags it with specific fix instructions.

For a full walkthrough of GDPR-compliant newsletter forms, read our guide on newsletter signup and GDPR. For the complete picture of your website's compliance, the GDPR compliance checklist covers everything from cookies to contact forms.

FAQ

Is double opt-in required by the GDPR?

The GDPR itself doesn't mention double opt-in by name. It requires "unambiguous" consent for marketing emails. In Germany, courts have interpreted this to mean double opt-in is the only safe method. In most other EU countries, single opt-in with clear consent language is accepted.

Can I get fined for not using double opt-in?

In Germany, the bigger risk isn't fines from regulators but Abmahnungen from competitors. These cease-and-desist letters under the UWG can cost €1,000 or more in legal fees per incident. In other countries, the risk of fines for using single opt-in with proper consent is low.

Does double opt-in hurt my conversion rate?

Yes, slightly. You'll typically see 10-30% of signups drop off at the confirmation step. But those people either mistyped their address, weren't that interested or weren't real in the first place. The subscribers who confirm are more engaged and more likely to open your emails.

What if I have subscribers from multiple countries?

Use double opt-in for everyone. It's the simplest approach and protects you in every jurisdiction. Trying to apply different rules based on the subscriber's country adds complexity and creates room for mistakes. The small drop in signups is worth the legal safety.

Do I need double opt-in for transactional emails?

No. Transactional emails like order confirmations, shipping updates and password resets don't need marketing consent at all. They're sent as part of fulfilling a contract. Double opt-in only applies to marketing and newsletter emails.
