Italian Data Protection Authority: double opt-in and consent for marketing purposes

The Italian Data Protection Authority (“Garante Privacy”), with Provision No. 330/2025 (web doc. 10143278, the “Provision”), recently imposed a €45,000 fine on an online car retailer for the unlawful processing of personal data for marketing purposes. In such cases, simply ticking a box is not sufficient to collect valid consent: consent must be reliably documented, so that it is possible to demonstrate who provided it and when.

The Provision is particularly important as it clarifies the requirements for obtaining valid consent for the processing of personal data for marketing purposes, focusing on the mechanism of the so-called double opt-in. Although this mechanism is not expressly required by either Regulation (EU) 2016/679 (“GDPR”) or Legislative Decree No. 196/2003, as amended by Legislative Decree No. 101/2018 (the “Privacy Code”), the Garante Privacy considers it among the minimum protective measures for both the data subject and the data controller.


Opt-in and double opt-in: what they mean

Opt-in consists of a positive action by the user explicitly providing consent. In a digital context, this often occurs via a form or an unchecked checkbox, or by clicking a dedicated consent confirmation button.

Double opt-in adds a second step and is a strengthened form of simple opt-in. After filling out the form or ticking the checkbox, the user receives a confirmation email at the registered address, requesting a further action (e.g., clicking a confirmation link) to confirm their subscription to the mailing list and their consent to the processing of personal data for marketing purposes.


Double opt-in as a minimum safeguard

With this Provision, the Garante Privacy reinforces the role of double opt-in as best practice for collecting and documenting consent for the processing of personal data for marketing purposes.

While there is no explicit legal obligation to use this mechanism, one of the requirements for lawful consent is that the controller must document that the data subject has indeed provided their consent. The Garante Privacy has repeatedly emphasized (Provisions 429/2022, web doc. 9852290; 413/2021, web doc. 9737185; 437/2017, web doc. 7320903) that documenting consent through the double opt-in method provides greater guarantees and, at the current state of the art, can be considered a minimum protective measure for both the data subject and the controller.

However, double opt-in is not the only “minimum measure” of protection that controllers may adopt: the Garante Privacy also accepts any other measure capable of providing an equivalent level of guarantee. The Provision does not explicitly list the alternative mechanisms it considers valid, merely referring to the consent documentation methods indicated in the Telemarketing and Teleselling Code of Conduct (Provision 148/2024), such as retaining both the IP address and the timestamp at which consent was provided, together with proof that a confirmation message (e.g., an SMS) was sent.
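The two mechanisms described above (the double opt-in flow itself and the documentation items the Code of Conduct refers to: IP address, timestamp and proof of the confirmation message) can be combined in a single consent record. The following Python example is an added illustration written for this page; it is not code from the Provision, the Garante Privacy or the retailer involved. It assumes an in-memory store in place of a database, an `outbox` list in place of a real mail sender, a 48-hour link expiry, and the placeholder domain `example.invalid`; none of these come from the Provision. The point it demonstrates is that a ticked checkbox only creates a *pending* record, that marketing is allowed only once the confirmation link has been used, and that the controller can afterwards export who consented, when, and from which address.

```python
"""Double opt-in consent ledger: records form submission, proof of the confirmation
message, and the confirmation click, so consent can be demonstrated later."""
import hashlib
import secrets
import time
from dataclasses import dataclass, asdict
from typing import Optional

TOKEN_TTL_SECONDS = 48 * 3600  # assumption: confirmation links expire after 48 hours


@dataclass
class ConsentRecord:
    email: str
    purpose: str             # e.g. "marketing"; one record per purpose
    requested_at: float      # when the form was submitted (first opt-in step)
    requested_ip: str        # client IP at submission (Code of Conduct evidence item)
    message_sent_at: float   # proof that the confirmation message was sent
    token_hash: str          # SHA-256 of the one-time token; the token itself is never stored
    status: str = "pending"  # pending | confirmed | expired
    confirmed_at: Optional[float] = None  # second opt-in step
    confirmed_ip: Optional[str] = None


class ConsentLedger:
    """In-memory stand-in for the consent table a controller would keep in a database."""

    def __init__(self, ttl: int = TOKEN_TTL_SECONDS):
        self._ttl = ttl
        self._by_hash: dict[str, ConsentRecord] = {}
        self.outbox: list[dict] = []  # constructed stand-in for the email/SMS sender

    @staticmethod
    def _hash(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def request(self, email: str, purpose: str, ip: str, now: Optional[float] = None) -> str:
        """First step: the user ticked the box. Creates a pending record and sends the link."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # unguessable, single-use
        rec = ConsentRecord(email, purpose, now, ip, now, self._hash(token))
        self._by_hash[rec.token_hash] = rec
        # Hypothetical confirmation URL; only the token hash is retained server-side.
        self.outbox.append({"to": email, "sent_at": now,
                            "link": f"https://example.invalid/confirm?t={token}"})
        return token

    def confirm(self, token: str, ip: str, now: Optional[float] = None) -> str:
        """Second step: the user followed the link. Returns the outcome as a short status."""
        now = time.time() if now is None else now
        rec = self._by_hash.get(self._hash(token))
        if rec is None:
            return "unknown"            # forged, mistyped or already purged token
        if rec.status == "confirmed":
            return "already_confirmed"  # replaying the link must not alter the evidence
        if now - rec.requested_at > self._ttl:
            rec.status = "expired"
            return "expired"
        rec.status = "confirmed"
        rec.confirmed_at = now
        rec.confirmed_ip = ip
        return "confirmed"

    def has_consent(self, email: str, purpose: str) -> bool:
        """Only a confirmed record authorises marketing; a pending tick does not."""
        return any(r.email == email and r.purpose == purpose and r.status == "confirmed"
                   for r in self._by_hash.values())

    def evidence(self, email: str, purpose: str) -> list[dict]:
        """Audit export: who consented, when, from where, and when the message was sent."""
        return [asdict(r) for r in self._by_hash.values()
                if r.email == email and r.purpose == purpose]


if __name__ == "__main__":
    ledger = ConsentLedger()
    t0 = 1_700_000_000.0  # constructed fixed clock so the run is reproducible
    tok = ledger.request("user@example.invalid", "marketing", "203.0.113.10", now=t0)
    print("may market after tick only:", ledger.has_consent("user@example.invalid", "marketing"))
    print("confirm:", ledger.confirm(tok, "203.0.113.10", now=t0 + 60))
    print("may market after confirmation:", ledger.has_consent("user@example.invalid", "marketing"))
    print("evidence:", ledger.evidence("user@example.invalid", "marketing"))
```

The token is stored only as a hash, so a leaked consent table cannot be used to confirm subscriptions on someone's behalf, and `confirm` is idempotent so a re-clicked link cannot rewrite the original confirmation timestamp. In a real deployment the `outbox` entry would be the mailer's delivery log, which is the "proof of sending a confirmation message" the Code of Conduct refers to.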


Conclusions

The Provision highlights the importance for data controllers of adopting mechanisms capable of demonstrating that processing has been carried out in accordance with GDPR requirements and that the data subject has validly provided consent. From this perspective, all companies intending to process personal data for marketing purposes must ensure that the mechanisms used to collect and document consent provide guarantees equivalent to those offered by the adoption of the double opt-in model.

In other words, regardless of the mechanism chosen, what matters is that the controller can verify and demonstrate the source of the data, ensuring that the consent was indeed provided by the data subject.