Is double opt-in mandatory?

Still have a question, spotted an error, or have a better explanation or a source we should cite?

Technically, no. Double opt-in isn't universally mandatory under CAN-SPAM, GDPR, or CASL. None of those laws specifically require a confirmation email. They require valid, documented consent. How you get that consent is largely up to you.

There is one clear exception. German courts have consistently held that double opt-in is the only legally safe way to prove consent for marketing email. If you're sending to recipients in Germany, it's effectively required. No confirmation email means no proof, and no proof means you're exposed.

Outside Germany, the real question isn't legal. It's practical. Double opt-in does two things single opt-in doesn't. It filters out typos and fake addresses before they ever hit your list, and it gives you a timestamped confirmation click as proof that a real person actively wanted your emails. That second thing matters a lot if you ever face a spam complaint or a GDPR inquiry.

The honest tradeoff is conversion rate. Double opt-in typically reduces list growth by 20-30% because some people sign up and then never click the confirmation link. Whether that's a problem depends on what you want from your list. Fewer subscribers who confirmed they want your emails almost always outperform a bigger list of people who may have forgotten they signed up (or never meant to).

Here's a rough decision framework worth keeping in mind:

  • Sending to Germany or Austria: use double opt-in. It's not optional in practice.
  • Sending to the EU broadly: double opt-in gives you cleaner GDPR consent documentation. Strongly recommended.
  • B2B cold outreach: different rules apply entirely. B2B consent works differently, and double opt-in doesn't really fit the cold outreach model anyway.
  • High-volume consumer marketing in the US: single opt-in is legal, but your list hygiene will suffer over time. Expect higher bounce rates and more spam complaints unless you clean regularly.

One thing that often gets overlooked: even if you skip double opt-in, you still need to record when and where someone signed up, what they were told, and what they agreed to. That's the minimum for any decent consent audit trail. (The confirmation click in double opt-in just makes that audit trail very clean and hard to dispute.)

If your list feels like it's picked up some dead weight over time, a list validation can sort it out. Or if you're figuring out the right signup flow for your specific setup, our SOS hotline is free and we'll give you a straight answer.

Contributors

Who worked on this answer

Every name links to their profile. Every company links to their site. Real people, real accountability.

Ask an AI · tailored to your setup

Get a personalised recommendation

I'm setting up a signup form and weighing whether to use double opt-in. Tell me: 1. Whether it's legally required for my specific region or audience (list any regions I mention) 2. What list size impact I should realistically expect 3. Whether my current opt-in setup creates a usable consent audit trail 4. What signup flow you'd recommend for my use case Context to fill in: region you're sending to, B2B or B2C, current monthly signup volume, ESP you're using

Edit the yellow boxes, then send to the AI of your choice.