Is DOI required by any laws?

No major privacy or anti-spam law explicitly mandates double opt-in by name, but several jurisdictions have legal standards that make DOI the practical requirement. Germany provides the clearest example: while the law doesn't use the term "double opt-in," German courts have consistently ruled that senders bear the burden of proving consent, and DOI provides the most reliable evidence. Sending commercial emails without verifiable proof of consent exposes you to legal challenges and potential injunctions, making DOI the de facto standard for German subscribers.

The GDPR requires that consent be demonstrable. You must be able to prove that a subscriber opted in if challenged. While single opt-in technically satisfies this if you maintain detailed signup records (IP addresses, timestamps, form screenshots), DOI provides a more robust evidence trail because the confirmation click demonstrates that the actual email owner (not just someone who typed their address) consented. For high-risk processing or in dispute scenarios, DOI's verification record offers stronger legal protection than SOI's form submission logs alone.

Other jurisdictions take varying approaches. CASL in Canada requires express consent for commercial messages, and while DOI isn't mandated, it's strongly recommended to demonstrate compliance. CAN-SPAM in the US doesn't require prior opt-in at all (only honoring opt-outs), so neither SOI nor DOI is legally required for general commercial email to US recipients. However, industry expectations, deliverability considerations, and the desire for global compliance often lead sophisticated email programs to adopt DOI regardless of minimum legal requirements. The law may not spell out "double opt-in," but the burden of proving consent often makes it the safest path.