
Does GDPR require double opt-in?

GDPR does not explicitly mandate double opt-in. The regulation requires valid consent and the ability to demonstrate it, but doesn't specify the technical mechanism for obtaining consent. Single opt-in with appropriate documentation could technically satisfy GDPR's consent requirements if you can prove the subscriber took an affirmative action to subscribe.

However, double opt-in (DOI) is strongly recommended because it creates superior evidence of consent. The confirmation click proves that (1) the email address is valid and accessible, (2) the person controlling that address actively confirmed intent, and (3) you hold a timestamped record of that verification. This documentation makes defending against consent challenges far easier.
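As an added illustration, not part of the original answer, here is a minimal double opt-in flow in Python: the confirmation link carries an HMAC-signed, time-limited token, and a successful click yields the timestamped consent record that the accountability principle asks you to be able to produce. The signing key, address, IP and timestamps are constructed sample values.

```python
import hmac
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

# Hypothetical signing key; a real deployment loads it from a secret store.
SERVER_SECRET = b"constructed-example-key-do-not-reuse"
TOKEN_TTL = timedelta(hours=48)  # confirmation links should not live forever

def issue_confirmation_token(email: str, now: datetime) -> str:
    """Build the token embedded in the confirmation link.
    Layout: <email-hex>.<expiry-unix>.<nonce>.<hmac-sha256>"""
    expiry = int((now + TOKEN_TTL).timestamp())
    nonce = secrets.token_hex(8)  # makes every link unique and unguessable
    payload = f"{email.encode().hex()}.{expiry}.{nonce}"
    mac = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    return f"{payload}.{mac}"

def confirm_subscription(token: str, now: datetime, client_ip: str):
    """Verify a clicked token; on success return the consent record to store.
    Returns None for malformed, forged or expired tokens."""
    parts = token.split(".")
    if len(parts) != 4:
        return None
    email_hex, expiry, nonce, mac = parts
    payload = f"{email_hex}.{expiry}.{nonce}"
    expected = hmac.new(SERVER_SECRET, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, mac):  # constant-time comparison
        return None
    if not expiry.isdigit() or now.timestamp() > int(expiry):
        return None
    return {  # this record is the evidence the accountability principle calls for
        "email": bytes.fromhex(email_hex).decode(),
        "confirmed_at": now.isoformat(),
        "confirmed_from_ip": client_ip,
        "method": "double-opt-in",
    }

def demo() -> dict:
    """Walk through a valid click, a late click and a tampered link (constructed data)."""
    sent = datetime(2024, 1, 1, tzinfo=timezone.utc)
    token = issue_confirmation_token("alice@example.com", sent)
    tampered = token[:-1] + ("0" if token[-1] != "0" else "1")
    return {
        "valid": confirm_subscription(token, sent + timedelta(hours=1), "203.0.113.5"),
        "expired": confirm_subscription(token, sent + timedelta(hours=49), "203.0.113.5"),
        "tampered": confirm_subscription(tampered, sent + timedelta(hours=1), "203.0.113.5"),
    }
```

Only the record returned on a valid click is worth storing; the expired and tampered cases show why the token, not the bare email address, is what proves the click came from the mailbox owner.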

Regulators haven't issued definitive guidance making DOI mandatory, but enforcement actions suggest a preference for DOI as best practice. When fines run into millions of euros, the marginal friction of a confirmation click is trivial compared to the legal protection DOI provides. GDPR doesn't require double opt-in, but the accountability principle's demand for demonstrable consent makes DOI the practical gold standard for compliance confidence.