Today’s email landscape is shaped by rising subscriber expectations and evolving mailbox provider (MBP) standards designed to enhance the user experience.
In this environment, getting people’s explicit consent before sending them marketing communications isn’t just a legal necessity—it’s key to building trust and ensuring emails land where they belong. As mailbox providers like Gmail and Yahoo tighten rules to prioritize engagement and reduce unwanted messages, marketers must refine their approach to list-building and consent management to stay ahead.
Your subscriber acquisition process should provide clear disclosures and benefits of signing up for your program, set expectations, and most importantly, ask for consent (often referred to as an “opt-in”).
These best practices have been used for years by many email marketers. But more recently they’ve been written into law with legislations such as the EU’s GDPR, Brazil’s LGPD, Canada’s CPPA, and many U.S. state laws that define how customer data may be collected and processed.
With mailbox providers prioritizing engagement and user control, optimizing your signup forms is more important than ever. The following best practices will help you refine your opt-in strategy, improve deliverability, and enhance overall customer lifetime value.
The General Data Protection Regulation (GDPR) came into effect in 2018, setting the bar for how governments and corporations should collect, protect, and process people’s information. It introduced important requirements for companies to follow, which often meant changing signup pages to provide data subjects with more transparency and choices around how their data was used.
GDPR was designed to protect EU citizens’ data and therefore contains an extraterritorial effect. Companies anywhere in the world that use EU citizens’ data, whether to sell goods/services or monitor online behavior, need to comply. The same goes for Brazil’s LGPD and Canada’s CPPA, which ensure companies outside their territories obey their definitions, or else face possible sanctions and fines.
In the U.S., there is no single federal privacy law like GDPR. However, regulations such as the California Consumer Privacy Act (CCPA) and its successor, the California Privacy Rights Act (CPRA), have set strict guidelines for data collection and consumer rights.
Additionally, several other states, including Virginia, Colorado, and Connecticut, have enacted their own privacy laws, signaling a growing patchwork of state-level regulations. These laws emphasize transparency, user consent, and data protection—making clear opt-in practices increasingly critical for compliance.
Although Validity has lots of content on making the most out of your email marketing strategy and improving deliverability, we encourage you to seek specialized legal advice to ensure that your company is following relevant opt-in legislations.
Adding new subscribers to a send list is often done by presenting a webpage inviting them to provide your company with some sensitive data. You might be wondering, “Who in their right mind would do this?”
According to Forbes, while people are generally becoming more reluctant to share their personal data, most are still willing to share their email addresses. However, users are increasingly discerning, making the value exchange crucial for opt-ins. To truly encourage sign-ups, clearly articulate the unique benefits they’ll get for providing their information, like exclusive content or special offers .
The best subscribers are those that have shown interest in your brand and want to stay connected through the options offered to them. This is the underlying reason to provide opt-in mechanisms, such as providing consent in sign-up forms. There are different approaches to opt-ins, each with its own strengths and limitations.
The term “soft opt-in” describes the practice of collecting email addresses when the user makes a purchase or creates an account, often assuming you have their consent to receive marketing emails.
The advantage of this type of opt-in is that the subscriber does not need to actively subscribe to your email program, allowing you to continue mailing to existing email lists.
The biggest disadvantage is that subscribers might not be expecting messages from your brand. Messages sent using this type of opt-in are more likely to be viewed as spam, since not every message you’re sending was solicited.
Therefore, this type of opt-in is technically not considered a valid form of consent. Run from it like a marketer from a bad sender reputation.
Single opt-in is when subscribers are immediately added to your email list after signing up via a subscription form. While no confirmation is required for the initial subscription in this method, it is possible to enhance the single opt-in process by sending a welcome or “subscription confirmation” email. This notification serves to affirm their signup, welcome them to the list, and, importantly, provide readily accessible unsubscribe links.
This type of opt-in gives the subscriber some control and is considered a valid form of consent under GDPR. However, pre-checked checkboxes in a subscription form often lead to unengaged lists, and there’s no way to guarantee the email address exists and belongs to the visitor. For senders adhering to deliverability certifications like Validity Sender Certification, sending a confirmation email with unsubscribe options is a mandatory requirement, even within a single opt-in framework. This extra step helps verify email authenticity and improves list quality.
To optimize single opt-in, don’t bundle marketing consent with terms of service or privacy policy agreements. Distinct consents offer users genuine choice and transparency about exactly what they’re agreeing to. This clarity builds trust and demonstrates respect, resulting in a subscriber list composed of individuals who have truly and willingly opted in to marketing communications, enhancing engagement and long-term value.
In the following example, we see a subscription form that asks for authorization to send specific types of email messages:
Double opt-in, also known as confirmed opt-in, is when subscribers are required to confirm their request to be added to your email program twice. For example, the following message was sent immediately after the subscriber submitted the opt-in form.
The message is effective in getting the subscriber to stop everything and click on the link to confirm their request. This approach of getting consent ensures the entered email address exists and belongs to the visitor. This method also increases subscriber engagement since they need to confirm their interests before receiving emails, and typically results in fewer spam reports.
The biggest drawback of double opt-in is that it requires human confirmation. While confirmation is a good thing, the user must willingly open their mailbox, and click on a link. The numerous steps this opt-in method requires can result in smaller lists. On the plus side, the lists will be full of highly engaged subscribers.
Whichever approach your brand takes to acquiring consent, it is important to consider the benefits and drawbacks of each. There will be cases where soft or single opt-in might make sense, but double opt-in will almost always result in the most engaged lists.
Sign-up forms are often the only place where people will willingly provide their personal information. Therefore, they’re a great place for your brand to make a positive impression. Companies are often so focused on acquiring new customers that they forget to tell the visitor what they’re signing up for. Providing this information in the beginning can help build trust between you and your potential customers.
Nowadays, people are more aware of who they share their data with, how it’s used. Here, transparency is key. Setting expectations on what’s to come from your program helps subscribers look forward to receiving your email.
For example, the BBC provides their visitors with a sign-up process that demonstrates value, provides clear disclosure on what to expect from their email program, and includes an opt-in request that requires the visitor to make a conscious decision.
Providing clear benefits for subscribing, following transparent data collection practices, and setting proper expectations helps build trust and encourages meaningful engagement.
Additionally, as privacy regulations evolve and mailbox providers tighten authentication requirements, implementing strong security measures like SPF, DKIM, and DMARC are essential not just for compliance but also for maintaining email performance. By prioritizing both user experience and security, companies can drive higher-quality sign-ups and ensure long-term email marketing success.
For more expert insights on the changing world of email deliverability, watch our 30-minute webinar, “Inbox or Spam? 8 Ways to Ensure Your Emails Land in 2025.”
