Submitted by Tomáš Šalamon on Mar 15, 2018
Do we have to implement opt-in to be GDPR compliant? No. GDPR requires a lot of measures, but it is seldom specific about how exactly they should be achieved. The consent must be proven. Simply put, no one should be able, e.g., to put random email addresses into your database (or you shouldn't be able to claim that it happened). Opt-in is a process in which a user enters an email address (and other personal data), and an email with a code or a backlink is sent to the recipient's address to confirm that they own the mailbox. It is perhaps the most common way for companies to verify their users, but it is not the only one possible.
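The code-or-backlink confirmation described above, as an added example (not code from this article or from Incomaker): an HMAC-signed token goes into the email, and an address enters the consent store, with a timestamped record, only once a valid token comes back. The key, the 48-hour expiry and the record fields are assumptions.

```python
import base64, hashlib, hmac, json

SECRET = b"constructed-demo-key"  # assumption: server-side secret, kept out of source in production
TOKEN_TTL = 48 * 3600             # assumption: confirmation links expire after 48 hours

def _sign(payload: bytes) -> str:
    return hmac.new(SECRET, payload, hashlib.sha256).hexdigest()

def issue_token(email: str, now: float) -> str:
    """Build the code that is placed in the confirmation email's backlink."""
    claims = {"email": email.strip().lower(), "iat": int(now)}
    payload = json.dumps(claims, sort_keys=True).encode()
    return base64.urlsafe_b64encode(payload).decode() + "." + _sign(payload)

def confirm(token: str, now: float, source_ip: str, consents: dict) -> bool:
    """Verify a returned token; on success record evidence of the consent."""
    try:
        body, sig = token.split(".", 1)
        payload = base64.urlsafe_b64decode(body)
    except ValueError:
        return False                      # malformed token
    # Check the signature before trusting anything inside the payload.
    if not hmac.compare_digest(_sign(payload).encode(), sig.encode()):
        return False                      # token was not issued by this server
    claims = json.loads(payload)
    if not 0 <= now - claims["iat"] <= TOKEN_TTL:
        return False                      # link expired
    # Keep the first confirmation as the evidence record (hypothetical fields).
    consents.setdefault(claims["email"], {
        "requested_at": claims["iat"],
        "confirmed_at": int(now),
        "source_ip": source_ip,
        "purpose": "marketing",
    })
    return True

if __name__ == "__main__":
    store = {}                            # constructed stand-in for the consent table
    link_code = issue_token("Alice@Example.com", 1_000_000)
    print(confirm(link_code, 1_000_060, "203.0.113.7", store), store)
```

An address typed into the sign-up form by someone else never reaches the store, because only the mailbox owner receives the token.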
In the offline world, you can have customers fill in a paper form (but it should include a clause in which the customer declares that they are the owner of the mailbox). You can also use data taken from various agreements or orders (don't forget to include a clause giving explicit consent to data processing for marketing purposes, which should be approved separately). But even online you can avoid offering opt-in, for example if a non-anonymous card payment follows.
Naturally, the open question is how to comply if an email address (or something similar) is not part of the processed data.
Nevertheless, don't forget that unsubscription is even more important. Your customers must always have the chance to unsubscribe and have to be informed about it. Incomaker automatically handles all the aspects mentioned.