Why double opt-in beats single opt-in for GDPR defensibility
GDPR Article 4(11) defines consent as "any freely given, specific, informed and unambiguous affirmation of the data subject's wishes." That phrase—"informed and unambiguous"—is where single opt-in stumbles. When a user ticks a checkbox on a web form, you capture an affirmation, but no evidence that the user understood what they were consenting to, or that the number they entered actually reaches them. A confirmation SMS (the second touchpoint) proves you sent a concrete message to that number and that its holder confirmed receipt. This closes the information gap.
Member-state laws reinforce this. Germany's UWG (Gesetz gegen den unlauteren Wettbewerb) § 7 requires "ausdrückliche Zustimmung" (explicit consent) for commercial SMS, and the Bundesnetzagentur has issued guidance favoring double opt-in because it leaves no room for argument that the consent was inadvertent. France's CNIL published updated prospection guidance in 2022 reaffirming that consent records must be granular enough to prove what was offered, when, and that the user affirmatively accepted. Austria's E-Commerce Act § 107 Telekommunikationsgesetz similarly expects documented proof. The United Kingdom, post-GDPR, uses PECR Regulation 22(3) to the same effect: SMS marketing to individuals requires prior consent, and double opt-in produces the clearest proof. If you send SMS to markets like Germany, France, or the United Kingdom, double opt-in is not optional—it is the defensible baseline.
Single opt-in may suffice for service SMS that performs a contract (password resets, order confirmations), because those rest on Article 6(1)(b), performance of a contract. But for any marketing SMS—which includes newsletters, promotions, event invitations, and behavioral product recommendations—regulators have become increasingly skeptical of single opt-in systems. They see too many cases where users claim they never intended to receive marketing, or where the evidence of consent was lost. Double opt-in eliminates both objections.
The three artifacts you must log per recipient
A defensible double opt-in system produces three distinct, time-stamped records: (1) the initial opt-in event (checkbox tick, form submission), (2) the confirmation SMS send, and (3) the confirmation response (click, SMS reply, form submission). Store all three in a system separate from your marketing database, with immutable timestamps and IP addresses (or IMEI / device identifiers where available). Your audit trail must survive three years of regulatory scrutiny, so use systems with redundancy and versioning. If you do not control your own infrastructure, ensure your A2P SMS gateway logs every send attempt, delivery status, and timestamp automatically—smsroute's logs include delivery timestamps and carrier feedback, which serve as the "confirmation send" artifact.
The initial opt-in event should capture: the Unix timestamp, the user's IP address, the browser user-agent, the exact text of the consent checkbox (what did they agree to?), whether additional fields (name, company, role) were present, and the consent-collection channel (web form, in-app, QR code). Do not assume that a user's email or account ID uniquely ties consent to them; the phone number is the unit of consent in SMS. Store the phone number as a normalized, keyed hash (an HMAC under a secret key) for lookups; a plain unkeyed hash is not non-reversible here, because the phone-number space is small enough to enumerate. Keep the raw number in an encrypted, separately-keyed vault accessible only during send operations.
The confirmation SMS send artifact must include: the exact SMS text sent, the timestamp of send (in Unix seconds), the carrier's delivery receipt (if available), and the user's network operator. The response artifact must record the exact time the user clicked a link, replied to an SMS, or submitted the confirmation form, along with any confirmation token or session ID. These three pieces, together, form a chain of custody that satisfies even aggressive regulators like Germany's Landesdatenschutzbehörden.
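The three artifacts above, recorded in a hash-chained ledger with a keyed phone-number index and a chain-of-custody check, as an added Python example (not the page's or any gateway's code; the class and field names and the index key are assumptions, and the recipient data is constructed):

```python
import hashlib
import hmac
import json
import time
from dataclasses import dataclass, field
from typing import Optional, Tuple

# Hypothetical pepper: in production it lives in a KMS/HSM, never in source.
INDEX_KEY = b"example-only-index-key"
ARTIFACTS = ("opt_in", "confirm_sent", "confirm_response")

def phone_index(number: str) -> str:
    """Keyed lookup index. The E.164 numbering space is small enough to
    enumerate, so an unkeyed hash of a number is reversible by brute force;
    HMAC with a secret key keeps equality lookups but defeats enumeration."""
    normalized = "+" + "".join(ch for ch in number if ch.isdigit())
    return hmac.new(INDEX_KEY, normalized.encode(), hashlib.sha256).hexdigest()

def _digest(prev: str, kind: str, ts: int, details: dict) -> str:
    payload = json.dumps({"prev": prev, "kind": kind, "ts": ts,
                          "details": details}, sort_keys=True)
    return hashlib.sha256(payload.encode()).hexdigest()

@dataclass
class ConsentEvent:
    kind: str      # one of ARTIFACTS
    ts: int        # Unix seconds, assigned by the ledger rather than the caller
    details: dict  # artifact fields: ip, user agent, sms text, token, ...
    digest: str    # sha256 over (previous digest, kind, ts, details)

@dataclass
class ConsentLedger:
    """Append-only events per phone index, hash-chained so that a later edit
    or deletion of an earlier event is detectable."""
    events: dict = field(default_factory=dict)

    def append(self, number: str, kind: str, details: dict,
               now: Optional[int] = None) -> str:
        if kind not in ARTIFACTS:
            raise ValueError(f"unknown artifact kind {kind!r}")
        chain = self.events.setdefault(phone_index(number), [])
        prev = chain[-1].digest if chain else "0" * 64
        ts = int(time.time() if now is None else now)
        chain.append(ConsentEvent(kind, ts, details, _digest(prev, kind, ts, details)))
        return chain[-1].digest

    def verify_chain(self, number: str) -> bool:
        """Recompute every digest; False if any event was altered or removed."""
        prev = "0" * 64
        for ev in self.events.get(phone_index(number), []):
            if _digest(prev, ev.kind, ev.ts, ev.details) != ev.digest:
                return False
            prev = ev.digest
        return True

    def chain_of_custody(self, number: str, window_s: int = 7 * 86400) -> Tuple[bool, str]:
        """All three artifacts present and in order, with the response quoting
        the sent token and arriving inside the 7-day validity window."""
        if not self.verify_chain(number):
            return False, "ledger integrity failure"
        by_kind = {ev.kind: ev for ev in self.events.get(phone_index(number), [])}
        missing = [k for k in ARTIFACTS if k not in by_kind]
        if missing:
            return False, f"missing artifact: {missing[0]}"
        opt_in, sent, resp = (by_kind[k] for k in ARTIFACTS)
        if not opt_in.ts <= sent.ts <= resp.ts:
            return False, "artifacts out of order"
        if resp.ts - sent.ts > window_s:
            return False, "confirmation arrived after token expiry"
        if resp.details.get("token") != sent.details.get("token"):
            return False, "response token does not match the sent token"
        return True, "ok"

def build_sample_ledger() -> ConsentLedger:
    """Constructed sample: one recipient walking the full three-artifact flow."""
    ledger, t0, number = ConsentLedger(), 1_700_000_000, "+49 151 2345 6789"
    ledger.append(number, "opt_in", {"ip": "198.51.100.23", "channel": "web_form",
                  "consent_text": "Yes, send me SMS updates from Example Brand."}, now=t0)
    ledger.append(number, "confirm_sent", {"token": "abc123", "operator": "example-mno",
                  "sms_text": "Confirm your SMS opt-in: https://ex.example/c/abc123",
                  "carrier_receipt": "DELIVRD"}, now=t0 + 5)
    ledger.append(number, "confirm_response", {"token": "abc123", "method": "link_click"},
                  now=t0 + 3600)
    return ledger
```

The ledger keys records by the HMAC index only; the raw number would live in the separate vault the text describes and never appears in these events.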
Template 1: initial signup confirmation (for first-party SMS opt-in)
This template is the initial SMS sent immediately after a user submits an opt-in form on your web or mobile app. It must be brief (fit in one SMS segment), include a clear call-to-action, and not contain marketing copy. Its sole purpose is to deliver a confirmation link or code.
# SMS Content (160 characters, single segment)
Welcome to [Your Brand]! Confirm your SMS opt-in here:
[CONFIRM_LINK]
Valid for 7 days. Reply STOP to opt out.
Key specifics: Use a URL shortener (Bitly, TinyURL, or your own branded short domain) to keep the link scannable and click-trackable. Ensure the link contains a single-use token or session ID valid for 7 days; do not persist tokens longer because unused confirmations represent stale consent. Always include a STOP clause, even though the recipient hasn't fully opted in yet; this primes them to expect unsubscribe paths. Do not mention what you will send ("Get 20% off!") in the confirmation SMS; that belongs in the third template, after they confirm.
Template 2: resubscribe after expired consent
If a user's consent has lapsed (e.g., they confirmed 18 months ago and took no action since, or they explicitly unsubscribed and now want to re-engage), use this template. Do not assume expired consent is still valid; re-solicit it explicitly.
# SMS Content (160 characters, single segment)
Hi [First Name], it's been a while. Get SMS updates from [Brand]
again? Confirm here: [CONFIRM_LINK] (Expires in 7 days)
The expiry mechanism is crucial. Many brands re-add lapsed users without fresh confirmation, then face complaints that they resumed unwanted SMS. By explicitly asking users to re-confirm, you protect against that. Store the expiry time with the record and have a scheduled job (cron) enforce it: if the link is not clicked within 7 days, return the record to "dormant" and do not send marketing SMS to that number. If the user clicks and confirms, reset their consent timestamp to the current date and log the event as a new consent initiation.
Template 3: explicit consent for promotional SMS vs transactional
After the user confirms the opt-in link, send a final SMS that clarifies what they've agreed to and separates marketing from transactional notifications. This third message sets expectations.
# SMS Content (160–320 characters, may span two segments)
Thanks for confirming! You'll get order updates, tracking info,
and support messages automatically. Marketing promos? Reply
YES or CONFIRM to get those too. Reply STOP anytime.
This approach uses a two-tier consent model: the confirmation link grants transactional access by default, and a second SMS reply (YES or CONFIRM) opts them into marketing. Some jurisdictions, including Germany and France, expect this split because it respects user autonomy—they might want to hear about order status but not promotional offers. Log each tier separately and never send marketing SMS until the second tier is confirmed. If a user confirms only the first tier and does not reply to the marketing question, treat them as transactional-only and do not assume they want promotional messages.
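The token expiry behind Templates 1 and 2, the return to "dormant", and the two-tier split of Template 3, combined into one consent state machine as an added Python example (not the page's code; the status names, the service API and the 18-month lapse window are assumptions, and the phone numbers are constructed):

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional

TOKEN_TTL_S = 7 * 86400      # confirmation links are valid for 7 days
LAPSE_AFTER_S = 548 * 86400  # assumed policy: re-solicit after ~18 months without a fresh confirmation

@dataclass
class Recipient:
    status: str = "dormant"           # dormant | pending | transactional | marketing | stopped
    token: Optional[str] = None       # single-use confirmation token, None once consumed
    token_issued: Optional[int] = None
    consent_ts: Optional[int] = None  # reset on every fresh confirmation
    log: List[tuple] = field(default_factory=list)

class ConsentService:
    """Two-tier consent state machine keyed by phone number (hypothetical API)."""

    def __init__(self) -> None:
        self.recipients: Dict[str, Recipient] = {}

    def _rec(self, number: str) -> Recipient:
        return self.recipients.setdefault(number, Recipient())

    def start_opt_in(self, number: str, now: int) -> str:
        """Issue the single-use token embedded in Template 1 or 2; the
        recipient stays 'pending' until the link is clicked."""
        r = self._rec(number)
        r.token, r.token_issued, r.status = secrets.token_urlsafe(16), now, "pending"
        r.log.append((now, "confirm_sent"))
        return r.token

    def confirm_link(self, number: str, token: str, now: int) -> bool:
        """Tier 1: a valid, unexpired, unused token grants transactional only."""
        r = self._rec(number)
        if r.status != "pending" or r.token is None:
            return False
        if now - r.token_issued > TOKEN_TTL_S:
            r.status, r.token = "dormant", None
            r.log.append((now, "confirm_expired"))
            return False
        if not secrets.compare_digest(token.encode(), r.token.encode()):
            r.log.append((now, "confirm_bad_token"))
            return False
        r.token, r.status, r.consent_ts = None, "transactional", now  # token consumed
        r.log.append((now, "tier1_confirmed"))
        return True

    def inbound_reply(self, number: str, text: str, now: int) -> str:
        """Tier 2 via MO reply: YES/CONFIRM upgrades to marketing, STOP revokes all."""
        r = self._rec(number)
        word = text.strip().upper()
        if word == "STOP":
            r.status, r.token = "stopped", None
            r.log.append((now, "stop"))
        elif word in ("YES", "CONFIRM") and r.status == "transactional":
            r.status, r.consent_ts = "marketing", now
            r.log.append((now, "tier2_confirmed"))
        return r.status

    def may_send(self, number: str, category: str, now: int) -> bool:
        """Gate every outbound message; category is 'transactional' or 'marketing'."""
        r = self.recipients.get(number)
        if r is None or r.status not in ("transactional", "marketing"):
            return False
        if category == "marketing":
            return r.status == "marketing" and now - r.consent_ts <= LAPSE_AFTER_S
        return True

    def sweep_expired(self, now: int) -> List[str]:
        """Scheduled job: return pending records with expired tokens to dormant."""
        swept = []
        for number, r in self.recipients.items():
            if r.status == "pending" and now - r.token_issued > TOKEN_TTL_S:
                r.status, r.token = "dormant", None
                r.log.append((now, "confirm_expired"))
                swept.append(number)
        return swept
```

A recipient who confirms the link but never replies YES stays "transactional", so `may_send` refuses marketing for them until the second tier is logged.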
What an Abmahnung looks like (generic example, no real parties)
An Abmahnung is a cease-and-desist letter issued by a regulatory body, consumer protection agency, or law firm acting on behalf of affected users. It is not a fine—it is a formal warning. However, if you ignore it and continue the alleged practice, fines and injunctions follow. Here's a generic structure of what you might receive (this is illustrative and does not reference any actual case):
# Generic Abmahnung Structure
---
From: [Regulatory Authority or Consumer Law Firm]
To: [Your Company]
Date: [Date]
Re: Unlawful SMS Marketing – Unterlassungserklärung (Cease & Desist)
Dear Sir or Madam,
We represent complaints from [N] consumers who received promotional
SMS messages from your company without prior, documented consent.
These consumers had not ticked opt-in checkboxes, or the opt-in
occurred via pre-checked boxes, in violation of GDPR Art. 7(4)
and UWG § 7.
Evidence submitted:
- SMS logs showing sends to [Phone] on [Date] with no corresponding
consent record
- Screenshots of your opt-in form with pre-checked boxes
- Consumer affidavits stating they did not request SMS
We demand:
1. Immediate cessation of all SMS to these numbers
2. Deletion of all marketing consent records for affected users
3. Submission of a compliance audit within 14 days
4. Payment of statutory damages per UWG § 8 [varies by state]
If you do not respond within 14 days, we will pursue enforcement
with [Regional Data Protection Authority] and seek injunctive relief.
---
Common triggers for an Abmahnung: sending SMS to numbers where your consent records are missing or incomplete, using pre-ticked checkboxes, failing to honor unsubscribe requests within 48 hours, or using outdated consent from before a user's last device change (which often implies new consent is needed). The key defense is your consent documentation. If you have timestamped proof of a confirmation SMS sent, received, and acted upon by the user, you survive the Abmahnung. If you do not, regulators often side with the complainant, and you face fines proportional to the number of affected users and the duration of the violation.
Frequently asked questions
Is double opt-in mandatory under GDPR?
GDPR does not explicitly mandate double opt-in for SMS marketing. However, Article 4(11) defines consent as a freely given, specific, informed, and unambiguous affirmation. In jurisdictions like Germany (§ 7 UWG), Austria, and France (CNIL guidance 2022), double opt-in is strongly recommended because it creates a clear, auditable consent record that satisfies 'informed and unambiguous.' Single opt-in can work in some low-risk contexts (e.g., transactional SMS to a user who already has an account), but regulatory bodies treat double opt-in as the defensible standard. If you operate across EU member states, double opt-in is the practical baseline.
What is the legal difference between transactional and promotional SMS in GDPR terms?
Transactional SMS (order confirmations, password resets, delivery updates) are typically considered service communications necessary to fulfill a contract or provide requested service. They are usually exempt from consent requirements under recital 47 and the performance of a contract ground (GDPR Article 6(1)(b)). Promotional SMS (discounts, new-product announcements, event invitations) are direct marketing and require prior explicit opt-in consent under GDPR Article 21 and member-state laws like § 7 UWG and PECR Regulation 22. Mixing the two in a single opt-in can create legal ambiguity. Always separate consent checkboxes: one for transactional, one for marketing.
How long should I retain the consent proof?
Retain consent records (the opt-in SMS, confirmation click, timestamp, IP address, device ID) for the entire duration of the user's consent validity and for at least two to three years after. German regulators and France's CNIL both expect documented proof in case of audit. If consent expires or a user opts out, keep those records for an additional one to two years to defend against claims that you sent messages unlawfully. Your A2P SMS gateway logs (e.g., with smsroute's 99.9% uptime infrastructure) should automatically time-stamp each send; pair that with your own consent database.
Can I use pre-ticked checkboxes for SMS consent?
No. GDPR Article 7(4) explicitly forbids pre-ticked or pre-selected boxes for consent. The user must affirmatively check an unchecked box to opt in. This applies equally to SMS consent. Many non-compliance notices from data protection authorities cite pre-ticked checkboxes as evidence of inadequate consent. Always ship with blank checkboxes, and never infer consent from inaction or implicit behavior like 'not clicking to opt out.'
What happens if a user does not confirm the second SMS?
If the confirmation SMS is not responded to or clicked within a defined window (typically 7 to 30 days, depending on your policy), treat the consent as expired or null. Do not send promotional messages to that number. You may retry the confirmation SMS once after 3–7 days if your terms permit, but do not spam. Log the failed confirmation and reset the user's status to 'pending consent' in your system. Some platforms auto-delete pending records after 90 days of inactivity; this is compliant and reduces storage overhead.
Do I need separate consent if I switch SMS gateways?
No, you do not need to re-solicit consent simply because you switched A2P SMS providers like smsroute. Your consent relationship is with the user, not the gateway. However, if you materially change your data practices—for example, if you begin selling data to third parties or sending messages on behalf of a different legal entity—you may need fresh consent. Your new gateway (e.g., smsroute, which offers crypto-only payments and operates across 149 countries) does not trigger new consent requirements. Document the gateway change in your audit trail for compliance records.