With the implementation of the General Data Protection Regulation in May 2018, the goal has been to return control of personal data to the user. All email promotions require obtaining explicit agreement to receive emails, or “opt in,” which limits abuse. A great benefit for internet users, this new regulation should be seen in the same way by businesses, which see in it a higher rate of engagement on their marketing campaigns. So let’s take a look at best practices for opt in, opt out, and double opt in, and how to avoid the capture of your personal data on the internet.

Defining opt in

Opt in means explicit consent given to receive communications—usually for marketing and advertising—from a business.

To grow their businesses and build customer loyalty, businesses often use newsletters, promotional emails, or even promotional SMS messages. However, before sharing promotional information with customers, businesses must get consent from those who will receive them. That’s where opt in comes in. This consists of a user on a website providing their consent to receive promotional and marketing material.

GDPR and opt in

The purpose of the General Data Protection Regulation (GDPR) is to protect the personal data of European Union citizens. This regulation focuses primarily on online marketing and data collection transparency. On May 25, 2018, the GDPR hardened the rules on online soliciting. Consent should be a “freely given, specific and informed indication of the data subject’s wishes.”

The user should be completely free to unsubscribe from business communications and still be able to use the website. Any practice that consists of requesting personal data as a condition of using the website is illegal.

The consent of internet users should be obtained in an individualized and specific way: they should be able, for example, to accept the newsletter but not promotional emails. The user should be informed of how and by whom the collected data will be used, and this consent must be collected explicitly, without ambiguity. The practice of passive opt in, which consists of pre-checking certain consent boxes, has been completely prohibited by the GDPR since 2018. Giving the user the option to stop all commercial communication if they so wish is required.

Principal applications of opt in

The gathering of user data is visible from all sides on the internet, but what are its main uses?


Emailing, that is, all the marketing and promotional emails sent by a business. Whether it is a monthly newsletter, an email announcing a short-lived promo, or a message promoting a new product, email-related opt ins are ubiquitous on the internet. In order for a business to send this type of email, the user needs to give their explicit consent first, most often when they visit the business’s website. This consent is most often requested when creating an account on the website.

In order to no longer receive this type of promotional email, an unsubscribe link is usually available on the bottom of each email. This process is more or less quick and easy depending on the business.

Another method for collecting personal data is familiar to everyone online. That’s right, we’re talking about cookies!


Just as a hamburger menu doesn’t literally refer to a sandwich, cookies, in internet jargon, don’t refer to baked chocolate chip treats.

But what are the cookies we see everywhere on the internet these days? Cookies are small text files saved to your computer that you accept when you visit a website. These cookies make it possible for a website to save data about your usage of the site. In particular, they record the clicks you make on a page or the products you viewed in order to analyze your usage patterns. Cookies make it possible for a business to customize the experience for each user of their website and to target the ads that will be shown to you.
Using cookies requires the collection of personal data, and so it is subject to the GDPR, just like emails. As you see on every website you visit, a banner alerts you to the use of cookies and gives you the ability to deactivate all of them, or only some. However, the practice of requiring you to accept all cookies in order to visit a website is illegal.

Opt in, opt out, and double opt in: what are the differences?

Several methods exist which enable businesses to obtain users’ personal data and their consent. These are opt in, opt out, and double opt in.

Opt in

There are two types of opt in: active and passive opt in. The process of active opt in consists of giving users the ability to accept (or not) to provide personal data, usually by checking a box in a web form. When an internet user navigates to a website, or when they sign up on that site, they should see a banner with options like, “I accept to receive information by email,” or “I accept the use of cookies.” The user, then, is free to decide if they accept (or not) that their personal data be used for commercial reasons.

Unlike active opt in, passive opt in uses the same type of banner but the boxes are already pre-checked. As previously mentioned, this practice is categorically prohibited by GDPR.

Opt out

Opt out is another mechanism for sending commercial emails. This method authorizes a business to send content without requiring the user’s consent. This practice is allowed, but is rigorously regulated. Opt out can only be used in two specific cases:

  • When a user has already given their consent for the processing of their data by a business, the business is free to suggest that they subscribe to similar communications. These emails can in particular include other products from the same business or its partners.
  • A business offering services related to an internet user’s profession has the right to use opt out and suggest products or services.

The internet user should nonetheless be clearly informed of how their data will be used and of the possibility of withdrawing their consent. To withdraw it, the user should inform the business that they do not want their personal data to be used by a specific service. This generally consists of a box to check.

Double opt in

Double opt in is a way to verify the opt in. A user first provides their consent while browsing a website in the same way as for the opt in process described above. Then, an email is sent to the email address the user provided with a link that permits the user to confirm their choice. It is this confirmation which makes it double opt in.

This method makes it possible to ensure that the email address provided is correct, and also that the user actually wants to receive the content sent by the business. The business can also use the opportunity of a double opt in to send a list of interest areas for users to select in order to then provide customized content. Additionally, double opt in lets you establish a trace of the consent, as required by GDPR.
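The two-step flow described above, together with the consent trace it produces, as an added example (this is constructed demonstration code, not Gandi’s own implementation). It assumes an in-memory store, an injected clock for testing, and a placeholder confirmation URL; a real deployment would persist the records in a database and send the link by email. Only the purposes the user actually ticked are passed in, so an empty selection is rejected rather than silently defaulting to “subscribed,” which is the passive opt in the GDPR forbids. The confirmation token is stored hashed and consumed on first use, so a leaked table of pending requests does not yield working links and a link cannot be replayed.

```python
"""Double opt-in with a per-purpose proof-of-consent log (constructed example)."""
import hashlib
import secrets
import time
from dataclasses import dataclass

# Placeholder endpoint (assumption): the page the emailed link points to.
CONFIRM_URL = "https://example.invalid/newsletter/confirm"


@dataclass
class Pending:
    email: str
    purposes: tuple        # e.g. ("newsletter",); never pre-filled for the user
    requested_at: float    # when the user ticked the boxes on the site
    expires_at: float      # after this, the link is dead and the user starts over
    form_url: str          # which form the request came from, for the trace


class DoubleOptIn:
    """Step 1: user ticks unchecked boxes -> pending request + emailed link.
    Step 2: user follows the link -> consent becomes effective and is logged."""

    def __init__(self, link_ttl_seconds=48 * 3600, clock=time.time):
        self.clock = clock
        self.ttl = link_ttl_seconds
        self.pending = {}      # sha256(token) -> Pending; raw token lives only in the email
        self.consent_log = []  # append-only trace of consents and withdrawals

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email, purposes, form_url):
        """Active opt in: the caller passes only the purposes the user ticked."""
        purposes = tuple(sorted(set(purposes)))
        if not purposes:
            raise ValueError("no purpose selected; nothing to confirm")
        token = secrets.token_urlsafe(32)  # unguessable, single-use
        now = self.clock()
        self.pending[self._digest(token)] = Pending(
            email, purposes, now, now + self.ttl, form_url)
        return f"{CONFIRM_URL}?token={token}"  # this goes into the confirmation email

    def confirm(self, token):
        """Returns the consent record, or None if the link is unknown, used or stale."""
        entry = self.pending.pop(self._digest(token), None)  # pop: no replay
        if entry is None:
            return None
        if self.clock() > entry.expires_at:
            return None
        record = {
            "event": "consent",
            "email": entry.email,
            "purposes": entry.purposes,
            "requested_at": entry.requested_at,
            "at": self.clock(),
            "form_url": entry.form_url,
        }
        self.consent_log.append(record)
        return record

    def withdraw(self, email, purpose):
        """Unsubscribe link or 'stop all communication': logged, history is kept."""
        self.consent_log.append({
            "event": "withdrawal",
            "email": email,
            "purposes": (purpose,),
            "requested_at": None,
            "at": self.clock(),
            "form_url": None,
        })

    def may_send(self, email, purpose):
        """True only if the latest logged event for (email, purpose) is a consent."""
        allowed = False
        for rec in self.consent_log:
            if rec["email"] == email and purpose in rec["purposes"]:
                allowed = rec["event"] == "consent"
        return allowed


if __name__ == "__main__":
    d = DoubleOptIn()
    link = d.request("alice@example.invalid", ["newsletter"], "https://example.invalid/signup")
    print("emailed link:", link)
    print("confirmed:", d.confirm(link.split("token=")[1]))
    print("may send newsletter:", d.may_send("alice@example.invalid", "newsletter"))
```

The `may_send` check is what the mailing job should consult before every send; because it reads the latest event per purpose, a later withdrawal overrides an earlier consent while the full history remains available as evidence.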

And now you are familiar with opt in, opt out, double opt in and their applications on the internet. Strengthening these processes through GDPR enables internet users to better control their personal data and the way in which they are used. GDPR ensures the protection of user data. Sanctions imposed in cases of non-compliance by a business can be up to €375,000 (nearly $400,000 in USD) or 5% of a business’s revenues, as well as a suspension of the website (link in French).

If you want to avoid missing any Gandi news and recent publications, please feel free to subscribe to our newsletter. The double-opt-in form is available in the footer of Gandi’s blog 😉