Publication 09 Jul 2025 · Italy

Opt-in? No, double opt-in!


The Italian Data Protection Authority reaffirms double opt-in as the “minimum standard” for demonstrating valid user consent

On 4 June 2025, the Italian Data Protection Authority (the “Garante”) published a decision (decision No. 330/2025) that is highly relevant to digital marketing activities.

The company involved (an online car resale company, hereinafter the “company”) was held liable for several breaches of Regulation (EU) 2016/679, mainly concerning the sending of promotional emails without verifiable consent, as well as the lack of contractual safeguards governing its relationships with advertising partners, who were therefore able to process customer data without proper oversight by the data controller.

The most relevant aspect of the decision, however, concerns what appears to be an endorsement of the need to implement double opt-in techniques, considered a minimum measure to ensure evidence of consent to the processing of data for marketing purposes.

Double opt-in refers to the practice of sending a confirmation message to the email address provided, whereby the user must perform an additional action—typically clicking a confirmation link—to validate their registration and the associated consent for data processing for marketing purposes.

The facts contested by the Garante

The case arises from a complaint filed by a user who reported receiving numerous promotional emails about the company’s services since June 2023, despite asserting that no consent had ever been given for such processing. The communications originated from various email addresses, and although the data subject submitted requests to exercise his or her rights, the company issued delayed and incomplete responses, shifting responsibility to third-party partners who had allegedly collected consent via external portals, often unknown to the complainant.

The documentation produced by the company in support of the consent was limited to simple registration logs containing only elements that the data subject could easily contest, such as an IP address (disowned by the complainant) and a registration date, with no actual verification of the will expressed by the user.

The Garante's assessments

In its assessment of the case, the Garante reaffirmed a well-established principle: a data controller cannot absolve itself of responsibility by entrusting third parties with the entire process of collecting and managing consent, particularly when the promotional activity is directly attributable to the commissioning entity.

But the central issue concerns the manner in which consent must be collected and, above all, documented, so that it is actually demonstrable in the event of a dispute. On this point, the Garante's decision takes a particularly rigorous stance, stating that the mere production of log files, often (as in the present case) disowned by the data subject and lacking guarantees of immutability, is not sufficient to prove the validity of consent. Instead, the so-called double opt-in procedure is indicated as a minimum measure of protection for both the data subject and the data controller.

According to the Garante, this method represents the “state of the art” in documenting consent, as it provides stronger guarantees of the authenticity and traceability of the user's intent. It aligns fully with Article 24 of the Regulation, which requires the adoption of appropriate technical and organisational measures to ensure compliance, and also reflects the practical application of Article 7(1), which places the burden on the data controller to demonstrate that valid consent has been obtained.

In other words, in the absence of a double opt-in procedure, the risk for companies is that they will not be able to provide adequate proof in the event of a dispute, with all the resulting sanctioning consequences, as evidenced by the EUR 45,000 fine imposed on the company.

Practical implications

Although the Garante's decision does not elevate the double opt-in to an explicit and mandatory legal requirement, it does in fact qualify it as a minimum standard of diligence, also referring to previous decisions and codes of conduct, such as the one on telemarketing and teleselling, even though those concern practices considerably more intrusive than receiving an email.

It cannot be overlooked, however, that the systematic adoption of the double opt-in significantly increases the burden not only in terms of organisational requirements for data controllers, but also in terms of user experience. On one hand, companies are called upon to implement more complex enrolment management systems, with the need to monitor and store consent confirmations in a secure and unchangeable manner. On the other hand, the user is faced with an additional step, often perceived as an obstacle or an unnecessary complication, with the real risk of an increase in incomplete or abandoned registrations. In an increasingly dynamic digital environment, the simplicity of onboarding processes is a key competitive factor; the imposition of a double step risks resulting in a loss of business opportunities and reduced effectiveness of marketing campaigns.
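The two technical requirements the decision turns on are (i) a confirmation step that proves control of the mailbox and (ii) a consent record that cannot be quietly altered after the fact. The following Python sketch is an added illustration, not code from the Garante, from CMS or from the company in the case; it assumes an in-memory store, a 48-hour link validity and a server-side HMAC key, all of which are the author's own choices. It shows single-use, expiring confirmation tokens stored only as hashes, and an append-only consent ledger in which every entry carries an HMAC over its content and over the previous entry's tag, so that a backdated or edited record (the kind of "disowned log" the Garante found insufficient) is detectable on verification.

```python
"""Double opt-in with a tamper-evident consent ledger (illustrative, not production code)."""
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, asdict

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 hours
GENESIS = "0" * 64             # chain anchor for the first ledger entry


@dataclass
class Event:
    """One append-only ledger entry; `prev` links it to the previous entry's tag."""
    seq: int
    kind: str    # "pending", "confirmed" or "withdrawn"
    email: str
    ts: int      # Unix time supplied by the caller (server clock in practice)
    ip: str      # client address at the time of the action
    prev: str    # HMAC tag of the previous entry (GENESIS for the first)
    mac: str = ""  # HMAC-SHA256 over all other fields, keyed with the ledger key


class ConsentService:
    def __init__(self, ledger_key: bytes):
        self._key = ledger_key
        self._events = []      # the ledger: list[Event], append-only
        self._pending = {}     # sha256(token) -> (email, expiry); tokens never stored in clear

    def _canonical(self, ev: Event) -> bytes:
        fields = {k: v for k, v in asdict(ev).items() if k != "mac"}
        return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

    def _append(self, kind: str, email: str, ts: int, ip: str) -> Event:
        prev = self._events[-1].mac if self._events else GENESIS
        ev = Event(len(self._events), kind, email, ts, ip, prev)
        ev.mac = hmac.new(self._key, self._canonical(ev), hashlib.sha256).hexdigest()
        self._events.append(ev)
        return ev

    def request_subscription(self, email: str, ip: str, now: int) -> str:
        """First opt-in: record the request and return the token to embed in the e-mail link."""
        self._append("pending", email, now, ip)
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).hexdigest()
        self._pending[digest] = (email, now + TOKEN_TTL_SECONDS)
        return token

    def confirm(self, token: str, ip: str, now: int) -> bool:
        """Second opt-in: the link is clicked. Token must exist, be unused and unexpired."""
        digest = hashlib.sha256(token.encode()).hexdigest()
        entry = self._pending.pop(digest, None)   # pop => a token can only be used once
        if entry is None:
            return False
        email, expiry = entry
        if now > expiry:
            return False
        self._append("confirmed", email, now, ip)
        return True

    def withdraw(self, email: str, ip: str, now: int) -> None:
        self._append("withdrawn", email, now, ip)

    def has_valid_consent(self, email: str) -> bool:
        """True only if the latest confirmed/withdrawn entry for this address is 'confirmed'."""
        state = None
        for ev in self._events:
            if ev.email == email and ev.kind in ("confirmed", "withdrawn"):
                state = ev.kind
        return state == "confirmed"

    def verify_ledger(self) -> bool:
        """Recompute every tag and chain link; any edited, removed or reordered entry fails."""
        prev = GENESIS
        for i, ev in enumerate(self._events):
            if ev.seq != i or ev.prev != prev:
                return False
            expected = hmac.new(self._key, self._canonical(ev), hashlib.sha256).hexdigest()
            if not hmac.compare_digest(expected, ev.mac):
                return False
            prev = ev.mac
        return True


def demo() -> dict:
    """Walk through the flow with constructed sample data and return the observed results."""
    svc = ConsentService(ledger_key=secrets.token_bytes(32))
    t0 = 1_700_000_000
    token = svc.request_subscription("alice@example.com", "203.0.113.5", t0)
    before = svc.has_valid_consent("alice@example.com")   # only a 'pending' entry exists
    first = svc.confirm(token, "203.0.113.5", t0 + 600)    # link clicked within the window
    replay = svc.confirm(token, "198.51.100.9", t0 + 700)  # same link again: rejected
    after = svc.has_valid_consent("alice@example.com")
    late = svc.request_subscription("bob@example.com", "203.0.113.7", t0)
    expired = svc.confirm(late, "203.0.113.7", t0 + TOKEN_TTL_SECONDS + 1)
    intact = svc.verify_ledger()
    svc._events[1].ts = t0 - 86400   # simulate someone backdating Alice's confirmation record
    tampered = svc.verify_ledger()
    return {"before": before, "first": first, "replay": replay, "after": after,
            "expired": expired, "intact": intact, "tampered": tampered}


if __name__ == "__main__":
    print(demo())
```

In a real deployment the ledger key would live in an HSM or secrets manager separate from the database, entries would be written to storage the application can only append to, and the chain head would be periodically anchored externally (for instance with a qualified timestamp), so that even a database administrator cannot rewrite history without detection.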

Conclusion

Given these considerations, one may reasonably question whether such an approach is truly proportionate to the objectives of data protection. Although transparency and certainty of consent remain fundamental principles, an excessively strict interpretation could impose undue compliance obligations on businesses. It is broadly acknowledged that, once a user has signalled an intent to receive marketing communications, requesting a further confirmation may be seen as an unwarranted obstacle, negatively affecting both conversion rates and user perception.

These principles apply equally where the controller relies on external partners to carry out direct marketing activities: as the Garante has consistently stated, including in the decision under discussion, responsibility for privacy compliance always remains with the controller, who must adopt all necessary measures to ensure the lawfulness and traceability of the consents collected.

The Garante's measure should prompt all companies to carefully assess their procedures for collecting and managing consents, to review their contracts with external partners, and to consider adopting double opt-in systems or equivalent measures, in order to ensure full compliance with the expectations of the Supervisory Authorities.
