Is Double Opt-in Required in the Netherlands?
Steven | TrustYourWebsite · 28 May 2026 · Last updated: May 2026
If you run a Dutch business and want to know the legal minimum: single opt-in with a logged checkbox is enough under Telecommunicatiewet Article 11.7 and AVG (Algemene Verordening Gegevensbescherming, the Dutch implementation of the GDPR) Article 7. Double opt-in is best practice because it creates stronger proof of consent, not because Dutch law demands it.
The answer changes the moment you have subscribers in Germany. German courts place the burden of proving consent entirely on the sender, and the practical way to meet that burden is a logged confirmation click. Not sure what your signup forms are actually doing right now? Run a free scan and get a result in under a minute.
What the law says in the Netherlands
Two rules govern marketing email consent for Dutch businesses.
Telecommunicatiewet Article 11.7 covers unsolicited commercial electronic communication. It requires prior consent from the recipient before you send a marketing email. The Autoriteit Consument en Markt (ACM) enforces this rule.
AVG Article 7 (matching GDPR Article 7) adds the demonstrability requirement: you must be able to show that the person consented. The Autoriteit Persoonsgegevens (AP) enforces this.
Neither statute mentions double opt-in by name. What both require is consent that is freely given, specific, informed and unambiguous (AVG Article 4(11)), and that you can prove it exists (AVG Article 7(1)).
A non-pre-ticked checkbox with clear labelling meets the consent standard. A server-side log of when the form was submitted, with an IP address and timestamp, provides the proof. That combination satisfies Dutch law without a confirmation email.
Why double opt-in is still the smarter choice
Even though it is not required, most Dutch email marketers worth their salt use double opt-in. Here is why.
Stronger consent proof. A single database row showing an email address was added on a certain date is weak evidence if someone complains to the AP. A confirmation record with a second timestamp, a different IP address and a clicked link is much harder to argue against. The AP's accountability standard under AVG Article 5(2) rewards better documentation.
Cleaner lists. People mistype addresses. Bots fill in forms. A confirmation step filters both out before they reach your list. Your open rates reflect real interest and your bounce rates stay low.
Better deliverability. Gmail and Outlook monitor spam complaints. If people who never signed up mark your emails as spam, your sender reputation drops. Emails from a low-reputation sender land in junk for everyone, including subscribers who genuinely want to hear from you.
Lower unsubscribe rates. A subscriber who confirmed their intent is far less likely to hit the unsubscribe button after the first email.
The Germany exception that affects Dutch businesses
Germany is a special case in Europe, and Dutch businesses that sell to German customers need to know about it.
No German statute explicitly says "you must use double opt-in." But the Bundesgerichtshof (Federal Court of Justice) ruled in BGH I ZR 164/09 of 10 February 2011 that the sender bears the full burden of proving valid prior consent for every marketing email sent. Court decisions are searchable on the BGH website by case reference. A single opt-in record is routinely found insufficient.
Without double opt-in, German competitors or consumer protection associations can send you an Abmahnung: a formal cease-and-desist letter under UWG §7 (Gesetz gegen den unlauteren Wettbewerb, the Act Against Unfair Competition). Legal fees start around €1,000 per incident and rise quickly if the case escalates. German courts consistently side against businesses that cannot produce a confirmation record.
The rule applies per subscriber location, not per business location. If you have a Dutch webshop and 200 subscribers in Germany, those 200 need a confirmed opt-in even if every other subscriber is in the Netherlands.
Country comparison
| Country | Double opt-in required? | Governing law | Regulator | Main risk if skipped |
|---|---|---|---|---|
| Netherlands | No | Telecommunicatiewet Art. 11.7, AVG Art. 7 | AP, ACM | Weak consent proof if AP investigates |
| Germany | De facto yes | UWG §7, GDPR Art. 6(1)(a) and 7 | BfDI + civil courts | Abmahnungen from €1,000 per incident |
| Belgium | No | Code of Economic Law Art. XII.13, GDPR Art. 7 | GBA/APD | Weak consent proof if GBA investigates |
| United Kingdom | No (soft opt-in allowed) | PECR 2003 Reg. 22, UK GDPR Art. 7 | ICO | Regulatory notice for missing consent |
| Austria | Strongly recommended | TKG, GDPR Art. 7 | DSB | Civil challenge citing BGH-derived standards |
Single opt-in vs double opt-in
Single opt-in means someone fills in your signup form and is immediately added to your list. One step, done.
Double opt-in adds a second step. After the form is submitted, the subscriber receives a confirmation email. They are only added to your list after clicking the link in that email.
The second step matters because it produces a record that the person who owns that email address actively chose to sign up. Without it, anyone could enter a stranger's address and that stranger would start receiving emails they never requested.
How to enable double opt-in
The three tools most commonly used by Dutch email marketers all support double opt-in with a toggle.
| Tool | Where to find the setting |
|---|---|
| Mailchimp | Audience > Settings > Audience name and defaults > Form Settings > Enable double opt-in |
| Brevo (formerly Sendinblue) | Form builder > Settings tab > Double confirmation |
| MailerLite | Sites > Forms > form settings > Double opt-in toggle |
Keep the confirmation email short. One sentence explaining what the subscriber is confirming and one button to click is enough. Do not add promotional content or extra links. Most tools remove unconfirmed signups automatically after 48 to 72 hours, which handles cases where someone mistyped their address or changed their mind.
What if you already have a single opt-in list?
You do not need to re-confirm your existing subscribers. The change applies to new signups going forward. Your existing subscribers signed up under whatever process you used at the time.
If you want to clean up an older list, a re-engagement campaign is the practical approach. Ask inactive subscribers whether they still want to hear from you. Remove anyone who does not respond after two attempts. This is not a legal requirement under Dutch law, but it improves deliverability and reduces the risk that disengaged contacts mark your emails as spam.
Check whether your signup forms meet the standard
The free website scan looks at your newsletter signup forms, checks for pre-ticked boxes, missing privacy policy links and consent language that does not meet AVG standards. It reports what it finds with specific fix instructions.
For the broader picture of what GDPR requires on your website, the GDPR compliance checklist covers forms, cookies, privacy policies and contact pages. If you are trying to understand what the AP requires for your privacy policy, the privacy policy requirements guide lays out each element.
FAQ
Is double opt-in required in the Netherlands?
No. Telecommunicatiewet Article 11.7 and AVG Article 7 require provable consent but do not mandate a confirmation click. A clearly worded, non-pre-ticked checkbox with a server-side log is enough under Dutch law. Double opt-in is best practice because it generates stronger proof.
Which Dutch regulators enforce email consent rules?
The Autoriteit Persoonsgegevens (AP) enforces AVG consent requirements. The Autoriteit Consument en Markt (ACM) enforces the commercial-email consent rule in Telecommunicatiewet Article 11.7. A complaint can reach either body.
Does Germany's double opt-in rule apply to Dutch businesses?
It applies per subscriber location. If any of your subscribers live in Germany, German courts and the UWG §7 standard apply to those emails. Use double opt-in for German subscribers regardless of where your business is registered.
Can I get fined for skipping double opt-in in the Netherlands?
The AP can investigate a complaint and take enforcement action if consent cannot be demonstrated. Documented single opt-in with a clear checkbox and a server-side log has not been the basis for Dutch enforcement action in practice. The risk rises sharply if a complaint arrives and you have no consent record at all.
Do I need double opt-in for transactional emails?
No. Order confirmations, shipping updates and password resets are sent as part of fulfilling a contract. Double opt-in only applies to newsletters and marketing emails.
Sources
- Telecommunicatiewet, Article 11.7 (wetten.overheid.nl)
- Regulation (EU) 2016/679 - General Data Protection Regulation (eur-lex.europa.eu)
- Directive 2002/58/EC - ePrivacy Directive (eur-lex.europa.eu)
- Autoriteit Persoonsgegevens (autoriteitpersoonsgegevens.nl)
- Autoriteit Consument en Markt (acm.nl)
- Gesetz gegen den unlauteren Wettbewerb (UWG) §7 (gesetze-im-internet.de)
- Bundesgerichtshof - case law search (bundesgerichtshof.de)
Website Guides
Newsletter Signup Forms: GDPR Requirements
Your newsletter signup form needs more than a checkbox. Here are the GDPR rules for email consent, what to store and how to avoid common mistakes.
Email Marketing Consent Rules in the Netherlands
Email marketing consent rules for Dutch senders: AVG, Telecommunicatiewet Art. 11.7, ACM vs AP enforcement, plus a country-by-country comparison table.
Soft Opt-in Netherlands: Email Customers Without Consent
The soft opt-in exception in Dutch law lets webshops email existing customers without consent. Learn the four conditions under Telecommunicatiewet Art. 11.7.
Pre-checked Checkbox Illegal Under GDPR (Netherlands)
Pre-checked checkboxes are not valid consent under GDPR in the Netherlands. The Planet49 ruling and AVG Articles 4(11) and 7 settle it. Here is what to fix.