Does Germany require COI/DOI? (Updated for 2022)


What is COI/DOI? It's just address validation and permission verification -- you send a welcome or verification message and the recipient has to click on a link to prove they want the subscription. And it's not a new thing; here's me talking about it on this very blog fifteen years ago.

I consider the terms "double opt-in" and "confirmed opt-in" interchangeable. I find that most of the time, internet security and anti-spam folks call it COI, and marketers and some deliverability folks (like me!) call it DOI. Either way, they are referring to the same process of requiring an active response to the initial welcome or verification email.

There are a lot of good reasons to implement COI/DOI, but today's specific question is -- does Germany "require" it? Ultimately this is a legal question, and I'm not a lawyer, so I'm not qualified to answer legal questions. So this is not legal advice! But I can share and link to what other folks have said on this topic, so that's what I will do.

I'll start with the most important bit. The relevant data protection authorities in Germany do indicate that they consider COI/DOI to be required. 

Dr. Axel Spies, Special Legal Consultant to law firm Morgan Lewis, wrote on March 04, 2022 that according to updated guidelines dated February 18th, 2022 and released by the German Conference of DPAs (data protection authorities), yes, double opt-in is required: "For the electronic declaration of consent, the double opt-in procedure is required to verify the declaration of intent of the data subject, whereby the verification requirements of the German High Court - BGH re [interpretation of] the UWG (ruling of February 10, 2011) must be taken into account in the documentation process." Source here (H/T Jennifer Lantz, JD Supra and Mediapost).

Next, Litmus has this excellent article on international opt-in requirements that they published in 2016. They say: "German courts have decided that a single opt-in process is not sufficient proof of prior consent. They argue that a person other than the owner of an email could have entered the address in a form. Even though there is no law that explicitly requires a double opt-in in Germany, 45% of German brands have adopted this process as best practice—just to be on the safe side."

I am told that the case law referenced in the Litmus article is a good place to start for understanding where the COI/DOI requirement comes from. If you can speak the language, I suggest diving into the linked Teradata case study for more information.

This 2012 article from the German E-Mail Marketing Tipps blog may be getting a bit dusty, but suggests a similar answer: "Double opt-in is not legally mandated in Germany. But it is recommended in many scenarios. Without a well-documented DOI you may not be able to prove permission, depending on the judge."

This Lexology article from 2014 says, "2013 guidelines advise a double opt-in for consent provided electronically."

The Certified Senders Alliance, a centralized European whitelist, provided this brief guidance in 2017: "DOI: if not now, then when?!" For more detail, see section 2.10 of this CSA/ECO guide.

German law firm "IT-Recht Kanzlei", which seems to focus on IT law, published this guidance in August 2018: E-Mail-Marketing 2018: What changes in the DSGVO regarding newsletters?

And finally, what do ISPs say? Here's one example of a reply from a German-based ISP that a friend was kind enough to share with me. The ISP said, "As you surely know the sender needs to have recipients Double-Opt-in/Closed-Loop-Opt-in confirmed before mailing to German residents to comply with the German Bundesdatenschutzgesetz."
