Double Opt-in: Required or Not? It Depends on the Country

Someone signs up for your newsletter. Do they need to confirm their email address before you can send them anything? The answer depends entirely on where they live.

Some EU countries treat double opt-in as a legal requirement. Others don't mention it at all. If you're sending newsletters across borders, you need to know where the line is.

Single opt-in vs double opt-in

Single opt-in means a person enters their email in your signup form and they're immediately added to your mailing list. One step, done.

Double opt-in adds a confirmation step. After filling in the form, the subscriber receives an email with a confirmation link. Only after clicking that link do they actually join your list.

That extra step matters more than you'd think. It proves the person who owns that email address actually wanted to sign up. Without it, anyone could enter someone else's address.

Country-by-country breakdown

The GDPR doesn't specifically mention double opt-in. It requires "freely given, specific, informed and unambiguous" consent. How countries interpret "unambiguous" is where things diverge.

Germany: required in practice

Germany is the strictest country in Europe on this topic. While no law explicitly says "you must use double opt-in," the Bundesgerichtshof (Federal Court of Justice) has ruled that businesses need to prove consent for every subscriber. The practical way to do that is double opt-in.

Without it, you're exposed to Abmahnungen. These are formal cease-and-desist letters under the UWG (Unfair Competition Act). Competitors or consumer protection groups can send them, and they come with legal fees starting around €1,000. German courts consistently side against businesses that can't produce consent proof.

If you have any German subscribers, use double opt-in. Full stop.

Austria: strongly recommended

Austria follows German legal thinking closely. Austrian courts look at BGH rulings for guidance, and the legal culture around Abmahnungen exists here too. While there's no landmark Austrian ruling specifically requiring double opt-in, going without it is a risk most lawyers would advise against.

Netherlands: not required, but smart

Dutch law doesn't require double opt-in. The Autoriteit Persoonsgegevens (AP) considers single opt-in with clear, unambiguous consent sufficient. A visible checkbox with plain language like "Yes, I want to receive your newsletter" meets the standard.

That said, many Dutch email marketing guides recommend double opt-in anyway. It keeps your list clean and gives you a paper trail if someone ever complains.

Belgium: single opt-in is fine

Belgian data protection law accepts single opt-in as long as the consent is clear. A checkbox that isn't pre-checked, with a link to your privacy policy, does the job. The GBA (Belgian Data Protection Authority) hasn't pushed for double opt-in.

United Kingdom: soft opt-in allowed

The UK has its own rules under PECR (Privacy and Electronic Communications Regulations). They even allow "soft opt-in" for existing customers. If someone bought something from you or inquired about your services, you can email them about similar products without explicit consent, as long as you gave them an easy opt-out.

For new contacts who haven't bought from you, you still need consent. But single opt-in with a clear checkbox is enough. The ICO doesn't require double opt-in.

Nordics: generally single opt-in

Sweden, Norway, Denmark and Finland all accept single opt-in with proper consent. The focus is on making the consent clear and documented rather than requiring a confirmation email. Some Nordic businesses use double opt-in for quality reasons, but regulators don't demand it.

Why double opt-in protects your business

Even where it's not legally required, double opt-in solves real problems.

Proof of consent. If a subscriber complains to a data protection authority, you need to show they actually signed up. A double opt-in record with a timestamp, IP address and confirmation click is hard to argue against. A single database entry showing their email was added on a certain date is much weaker.

Cleaner lists. People mistype their email addresses. Bots fill in forms. Ex-partners sign up their former partners for every newsletter they can find (this happens more than you'd expect). Double opt-in catches all of these before they become your problem.

Better deliverability. Email providers like Gmail and Outlook track spam complaints. If people who never signed up start marking your emails as spam, your sender reputation drops. That means your emails land in the junk folder for everyone, including people who actually want to hear from you.

Fewer spam complaints. A subscriber who confirmed their signup is far less likely to hit the "Report spam" button. They made a deliberate choice twice.

How to set it up

Most email marketing tools support double opt-in. Here's where to find the setting.

Mailchimp

Go to Audience > Settings > Audience name and defaults. Under "Form Settings," check the box for "Enable double opt-in." This applies to all new subscribers for that audience.

Brevo (formerly Sendinblue)

Double opt-in is configured per signup form. When creating or editing a form, go to the Settings tab and select "Double confirmation" under the confirmation type. You'll need to customize the confirmation email template too.

MailerLite

Go to Sites > Forms, select your form, and in the settings panel switch on "Double opt-in." MailerLite sends a default confirmation email, but you can edit it under Campaigns > Subscriber emails.

General tips for all platforms

Keep the confirmation email short. One line explaining what they're confirming, one button to click. Don't add marketing content, images or extra links. The subscriber just wants to confirm and move on.

Set a deadline for confirmation. Most tools automatically remove unconfirmed signups after a few days. If someone doesn't confirm within 48 hours, they probably mistyped their email or changed their mind.

What about your existing list?

If you're switching from single opt-in to double opt-in, don't panic. You don't need to re-confirm your entire list. The change only applies to new subscribers going forward.

If you do want to clean up your existing list, send a re-engagement campaign first. Ask inactive subscribers if they still want to hear from you. Remove anyone who doesn't respond after two attempts. This isn't a legal requirement in most countries, but it improves your deliverability.

Check your signup forms

Your newsletter signup is one of the things our free website scan checks. It looks for pre-checked boxes, missing privacy policy links and consent language. If your forms don't meet GDPR standards, the scan flags it with specific fix instructions.

For a full walkthrough of GDPR-compliant newsletter forms, read our guide on newsletter signup and GDPR. And if you want the complete picture of your website's compliance, the GDPR compliance checklist covers everything from cookies to contact forms.

FAQ

Is double opt-in required by the GDPR?

The GDPR itself doesn't mention double opt-in by name. It requires "unambiguous" consent for marketing emails. In Germany, courts have interpreted this to mean double opt-in is the only safe method. In most other EU countries, single opt-in with clear consent language is accepted.

Can I get fined for not using double opt-in?

In Germany, the bigger risk isn't fines from regulators but Abmahnungen from competitors. These cease-and-desist letters under the UWG can cost €1,000 or more in legal fees per incident. In other countries, the risk of fines for using single opt-in with proper consent is low.

Does double opt-in hurt my conversion rate?

Yes, slightly. You'll typically see 10-30% of signups drop off at the confirmation step. But those people either mistyped their address, weren't that interested, or weren't real in the first place. The subscribers who confirm are more engaged and more likely to open your emails.

What if I have subscribers from multiple countries?

Use double opt-in for everyone. It's the simplest approach and protects you in every jurisdiction. Trying to apply different rules based on the subscriber's country adds complexity and creates room for mistakes. The small drop in signups is worth the legal safety.

Do I need double opt-in for transactional emails?

No. Transactional emails like order confirmations, shipping updates and password resets don't need marketing consent at all. They're sent as part of fulfilling a contract. Double opt-in only applies to marketing and newsletter emails.