Guides double opt-in email consent implementation compliant with ePrivacy Directive, CAN-SPAM, and CASL. Covers workflows, token expiration, record-keeping, and suppression lists.
Slash command: /privacy-skills-complete:double-opt-in-email
Double opt-in (DOI) is the gold standard for email marketing consent. It requires two steps: (1) the user submits their email address and indicates interest, and (2) the user clicks a confirmation link in a verification email. This creates a verifiable consent record that satisfies GDPR Article 7(1) (demonstrability), ePrivacy Directive Article 13 (prior consent for electronic marketing), and German Federal Court of Justice (BGH) rulings that have established DOI as the expected standard in Germany.
START: User enters email on CloudVault SaaS Inc. sign-up or newsletter form
│
├─► Step 1: Initial Opt-In Request
│ ├─ User enters email address
│ ├─ User ticks unticked checkbox: "Send me product updates and news"
│ ├─ Validate email format (RFC 5322)
│ ├─ Check suppression list — if email is suppressed, do NOT send confirmation
│ └─ Display: "Check your email to confirm your subscription."
│
├─► Step 2: Generate Confirmation Token
│ ├─ Create cryptographically random token (256-bit, URL-safe base64)
│ ├─ Associate token with: email address, purpose, timestamp, IP, user agent
│ ├─ Set expiration: 48 hours from generation
│ └─ Store pending subscription record (status: "pending_confirmation")
│
├─► Step 3: Send Confirmation Email
│ ├─ From: [email protected]
│ ├─ Subject: "Confirm your CloudVault newsletter subscription"
│ ├─ Body:
│ │ ├─ "You requested to receive product updates from CloudVault SaaS Inc."
│ │ ├─ "Click below to confirm:"
│ │ ├─ [Confirm Subscription] button → confirmation URL with token
│ │ ├─ "If you didn't request this, you can ignore this email."
│ │ ├─ "This link expires in 48 hours."
│ │ └─ Controller details: CloudVault SaaS Inc., 42 Innovation Drive, Dublin
│ ├─ Headers:
│ │ ├─ List-Unsubscribe: <mailto:[email protected]>
│ │ └─ List-Unsubscribe-Post: List-Unsubscribe=One-Click
│ └─ Note: This confirmation email is NOT marketing — it is transactional
│
├─► Step 4: User Clicks Confirmation Link
│ ├─ Validate token: exists, not expired, not already used
│ ├─ If valid:
│ │ ├─ Update subscription status: "confirmed"
│ │ ├─ Record consent with full audit trail:
│ │ │ ├─ Initial request: timestamp, IP, user agent
│ │ │ ├─ Confirmation: timestamp, IP, user agent
│ │ │ └─ Consent text version hash
│ │ ├─ Add email to active marketing list
│ │ └─ Display: "Subscription confirmed! You'll receive updates from CloudVault."
│ │
│ ├─ If expired:
│ │ ├─ Display: "This link has expired. Please subscribe again."
│ │ └─ Delete pending record
│ │
│ └─ If already used:
│ └─ Display: "You're already subscribed."
│
└─► Step 5: Ongoing Management
├─ Every marketing email includes one-click unsubscribe (RFC 8058)
├─ Unsubscribe adds to suppression list (permanent)
├─ Consent records retained for demonstration per Art. 7(1)
└─ Re-consent requested after 24 months of inactivity
| Scenario | Action | Reasoning |
|---|---|---|
| Token expires (48 hours) | Delete pending record, do not send reminders | Avoid spam risk; user can re-subscribe |
| User requests twice | Do not send second confirmation if one is pending | Prevent email flooding |
| Email bounces | Mark pending record as "bounced", do not retry | Invalid email address |
| Token used twice | Show "already subscribed" page | Prevent duplicate records |
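Steps 1, 2, 4 and 5 of the workflow, together with the edge cases in the table above, as an added Python example that is not part of the original skill. The `DoubleOptIn` class, its in-memory dictionaries, and the choice to store only the SHA-256 of each token are assumptions of this example.

```python
import hashlib
import secrets
from datetime import timedelta

TOKEN_TTL = timedelta(hours=48)  # Step 2: link lifetime
CONSENT_TEXT = "Send me product updates and news"  # checkbox wording from Step 1

def _sha256(value):
    return hashlib.sha256(value.encode()).hexdigest()

class DoubleOptIn:
    def __init__(self):
        self.pending = {}        # token hash -> pending record
        self.used = set()        # hashes of tokens already redeemed
        self.confirmed = {}      # email -> consent audit record
        self.suppressed = set()  # permanent suppression list

    def request(self, email, ip, user_agent, now):
        """Steps 1-2: return a token to mail, or None when nothing may be sent."""
        email = email.strip().lower()
        if email in self.suppressed:
            return None  # suppressed: do NOT send a confirmation
        if any(r["email"] == email and now < r["expires"] for r in self.pending.values()):
            return None  # a confirmation is already pending: no second mail
        token = secrets.token_urlsafe(32)  # 32 random bytes = 256 bits
        # Assumption: only the hash is stored, so a leaked table yields no usable links.
        self.pending[_sha256(token)] = {"email": email, "purpose": "newsletter",
            "request": (now, ip, user_agent), "expires": now + TOKEN_TTL}
        return token

    def confirm(self, token, ip, user_agent, now):
        """Step 4: redeem a token exactly once inside its 48-hour window."""
        key = _sha256(token)
        if key in self.used:
            return "already_subscribed"
        record = self.pending.pop(key, None)  # pop also deletes an expired record
        if record is None:
            return "invalid"
        if now >= record["expires"]:
            return "expired"
        self.used.add(key)
        self.confirmed[record["email"]] = {"request": record["request"],
            "confirmation": (now, ip, user_agent), "consent_text_sha256": _sha256(CONSENT_TEXT)}
        return "confirmed"

    def unsubscribe(self, email):  # Step 5: permanent suppression
        email = email.strip().lower()
        self.confirmed.pop(email, None)
        self.suppressed.add(email)
```

Expired records that are never clicked stay in `pending` here; a scheduled sweep would delete them in a real deployment.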
The suppression list is critical for compliance with CAN-SPAM Act Section 7704(a)(3)(A) (10-day unsubscribe processing) and GDPR Article 17(3)(c) (retention for legal obligation compliance).
| Requirement | GDPR + ePrivacy | CAN-SPAM (US) | CASL (Canada) |
|---|---|---|---|
| Consent type | Prior opt-in (DOI recommended) | Opt-out (but DOI is best practice) | Express consent (implied consent limited) |
| Unsubscribe | Art. 7(3) — as easy as giving | 10 business days to process | 10 business days to process |
| Sender identification | Art. 13(1)(a) | Physical postal address required | Contact information required |
| Record-keeping | Art. 7(1) — demonstrate consent | Maintain opt-out requests 3 years | Maintain consent records |
| Penalties | Up to EUR 20M or 4% global turnover | Up to $51,744 per email | Up to CAD 10M per violation |
npx claudepluginhub mukul975/privacy-data-protection-skills --plugin privacy-skills-complete