Legally Protecting Your Email List: 3 Opt-In Must-Haves
Don’t Skip These 3 Legal Must-Haves for Your Email Opt-In
Between the GDPR and approximately 20 states enacting their own data privacy laws, it’s more important than ever to make sure your email collection processes are legally clean! So let’s break down the three elements to a lawyer-approved opt-in.
I’m Maria Spear Ollis, aka The Lunar Lawyer, and I’m going to shine some light on three legal must-haves for your opt-in.
The person must know they’re actually opting into your list
With something like “sign up for my newsletter!” it’s very clear and obvious to the user what they’re signing up for. You’re good on the “consent” front if that’s your call to action!
But if you’re telling people things like:
“Apply to be a guest on my podcast by filling out this form!”
“Pop in your email to get my free guide!”
“Get access to my custom GPT!”
…and requiring an email address to do so, it must be clear that you’re adding them to your email list if that’s what you’re doing.
If it’s not clear that someone is opting into your list, enable double opt-in
Double opt-in is a feature where someone enters their email address and then they receive an email saying something like “click to confirm you want to be added to so-and-so’s list.”
This is a great option if you don’t want to kill the vibe of the copy on your sign-up page but you do want to be sure you’re not setting yourself up for legal fines.
Marketers don’t traditionally love this because it requires an extra step for someone to sign up for your list. But… the marketer probably isn’t the one who would have to pay your fine, if you’re fined. So there’s that.
Have a privacy policy
It used to be that privacy policies were kind of a “say what you do, and then do that” type of legal document.
Nooooot anymore!
Now, a privacy policy is required under the GDPR (that’s a regulation governing anyone who is collecting data from individuals inside of the EU). A privacy policy is also required if you’re in the US and you’re a) selling something from your website, and b) collecting personal information from your users.
I probably don’t have to say this, but an email address is personal information. (So is a first name.)
Your privacy policy should spell out a) the type of information you collect, b) how you collect it, and c) how you’re using it. (And it should talk about cookies, too.)
Psst, the Privacy Policy in my Website Protection Bundle does this.
Make sure your consent is “affirmative,” meaning NO pre-checked boxes
A pre-checked box (at your opt-in or at checkout) next to “I agree to the privacy policy!” is NOT affirmative consent.
The user has to check that box. The user has to “affirmatively” make that decision. (Not you.)
That’s why double opt-in is a beautiful thing. It requires a decisive action by the user to join your list. Sprinkle in some language about your privacy for extra legal fairy dust.
Conclusion
People should know that they’re signing up for your list. Have a privacy policy. No pre-checked boxes.
Make sure your opt-in meets these criteria to avoid GDPR or state-based violations and fines!