CSA, how did your criteria actually come about?
Part II: DOI – the double opt-in

A series of articles on the background to individual CSA criteria

In this series of articles, we look at selected CSA criteria and provide information on their benefits and the reasoning behind them. In this article, we look at the double-opt-in (DOI) process used in email marketing. In the DOI process, a subscriber gives consent to receive a newsletter or other promotional email in two steps.

Please note: The criterion considered here (under Recommended Criteria, 3.1) is recommended by the CSA (and urgently so).

A DOI is not required by law, neither in the General Data Protection Regulation (GDPR) nor in other laws. However, the GDPR obliges the sender to be able to prove that consent has been given, see Article 7(1) GDPR. And this proof has so far been recognised by the courts exclusively via a DOI. And that brings us to a full circle: Using the DOI procedure can avoid a lot of trouble.

Remark: This article looks more at the “why”. For those who would like to know how best to set up the procedure, we recommend the following article: DOI: if not now, then when?!

What is the double opt-in procedure?

To explain the DOI procedure, it is best to start first with an explanation of what the SOI, the single opt-in, is: This is a simple tick in the registration form with which a recipient confirms that a company may send a promotional email to an email address. Then comes the ‘double’ part: Once the email address has been entered, a second confirming email with a confirmation link will be sent to the email address (note that this must not be promotional; otherwise, you will already be sending without confirmation). This method ensures that the recipient has personally provided the confirmation. The sender stores the corresponding confirmation as proof in their records.

How did the procedure come about?

For a long time, it was sufficient to enter the corresponding email address in a list in order to receive advertising emails (confirmed opt-in). The disadvantage of this, however, was the potential for abuse by third parties. Anyone could simply enter other people’s email addresses. It was, therefore, necessary to create a way of sending the advertising mail to only those who had registered for it.

Disadvantages of the procedure

Recipients may only be sent communications after confirmation. But what if the recipient’s confirmation is not forthcoming? From the advertiser’s point of view, the contact is lost because the confirming mail is overlooked or forgotten if it is sent only later or ends up in the spam folder.

Another disadvantage is that the sender must technically ensure that the confirmations are tracked and recorded. That requires effort.

What are the consequences of non-compliance?

First of all: Nothing. But according to the GDPR, the sender must be able to prove at any time – and especially in the event of a dispute – that the email address was collected lawfully. Otherwise, there is a risk of financial penalties in the event of a dispute if the proof of confirmation cannot be shown.


The basic idea of the CSA is to improve commercial email marketing and protect a sender’s reputation. In addition, we want to protect them from legal and financial risks. To ensure legitimate email marketing and protection against abuse, the CSA has, therefore, long recommended the DOI procedure.

Related Articles

    Get in touch with us