pentacent / keila

Open Source Newsletter Tool.
https://keila.io
GNU Affero General Public License v3.0

Implement Double-Opt-In #219

Closed wmnnd closed 6 months ago

wmnnd commented 1 year ago

This PR implements #141 and adds a double-opt-in feature that can be configured for every signup form.

tcurdt commented 2 months ago

Very nice - but for compliance the IP and time of the consent must be saved.

wmnnd commented 2 months ago

Hey, thanks for your feedback. The time when the double-opt-in is confirmed is already saved. You can see it when you click on a contact in your contact list.

I haven’t seen anything in German/European regulations that suggests storing the IP address is in any way necessary. I know it’s considered legal to store IP addresses during the DOI process, but not mandatory.

In fact, you might argue that the way Keila handles DOI is much more in line with the spirit of the law: Keila does not create an entry in your contact list at all before DOI has been completed. The proof that a user has consented to receiving your newsletter ultimately comes from the fact that they have used the personalized opt-in link that was sent to their email.

wmnnd commented 2 months ago

@tcurdt You might find this useful reading (in German): https://socialmediarecht.wordpress.com/2012/12/05/das-urteil-des-olg-munchen-az-29-u-168212-zum-double-opt-in-verandert-nichts/

tcurdt commented 2 months ago

That would be great but it sure sounds mandatory here:

https://www.e-recht24.de/artikel/ecommerce/6534-newsletter-rechtssicher-erstellen-und-versenden.html

I guess there are two different interpretations that would need to be tested in courts. What a mess.

wmnnd commented 2 months ago

Seems like the lawyers disagree here, but as far as I’m aware there has been no decision by a court or even a memo from a regulatory body that suggests collecting IP addresses would be required or even useful. Because of this, I’d err on the side of caution and try to collect as little data as possible :blush:

tcurdt commented 2 months ago

...but does the time of the confirmation get stored? I didn't see that either yet.

wmnnd commented 2 months ago

Yep, the UTC timestamp is stored in a dedicated field double_opt_in_at for the contact.
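The flow described in this thread (no contact record exists until the personalized opt-in link is used, and the confirmation time is then stored as a UTC timestamp) sketched as an added example. This is not Keila's own code (Keila is an Elixir project and its implementation is not shown here); the signed-token format, the one-week link expiry, and the names SECRET_KEY, TOKEN_TTL_SECONDS, CONTACTS, create_opt_in_token, verify_opt_in_token and confirm_opt_in are all assumptions made for illustration.

```python
import hashlib
import hmac
import json
import secrets
import time
from base64 import urlsafe_b64decode, urlsafe_b64encode
from datetime import datetime, timezone
from typing import Optional

# Hypothetical server-side secret; a real deployment loads it from configuration.
SECRET_KEY = secrets.token_bytes(32)
# Assumption: opt-in links stop working after one week.
TOKEN_TTL_SECONDS = 7 * 24 * 3600

# Hypothetical contact store keyed by (form_id, email). Nothing is written here
# until the personalized link has been used, mirroring the behaviour described above.
CONTACTS: dict = {}


def _b64e(raw: bytes) -> str:
    return urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64d(s: str) -> bytes:
    return urlsafe_b64decode(s + "=" * (-len(s) % 4))


def _sign(payload: bytes) -> bytes:
    # HMAC-SHA256 over the payload; only the server can mint a valid link.
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).digest()


def create_opt_in_token(form_id: str, email: str, now: Optional[float] = None) -> str:
    """Build the token for the personalized link. No contact record is created yet."""
    issued = int(now if now is not None else time.time())
    payload = json.dumps(
        {"form": form_id, "email": email.strip().lower(), "iat": issued},
        separators=(",", ":"),
    ).encode()
    return _b64e(payload) + "." + _b64e(_sign(payload))


def verify_opt_in_token(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Return the payload if the signature is valid and the link has not expired, else None."""
    try:
        payload_b64, sig_b64 = token.split(".", 1)
        payload = _b64d(payload_b64)
        sig = _b64d(sig_b64)
    except (ValueError, TypeError):
        return None
    # Constant-time comparison so a forged signature leaks nothing through timing.
    if not hmac.compare_digest(sig, _sign(payload)):
        return None
    data = json.loads(payload)
    current = now if now is not None else time.time()
    if current - data["iat"] > TOKEN_TTL_SECONDS:
        return None
    return data


def confirm_opt_in(token: str, now: Optional[float] = None) -> Optional[dict]:
    """Create the contact only when the personalized link is used; record the UTC confirmation time."""
    data = verify_opt_in_token(token, now)
    if data is None:
        return None
    key = (data["form"], data["email"])
    if key in CONTACTS:
        # A second click is idempotent: the original confirmation time is kept.
        return CONTACTS[key]
    confirmed_at = datetime.fromtimestamp(now if now is not None else time.time(), tz=timezone.utc)
    CONTACTS[key] = {
        "email": data["email"],
        "form_id": data["form"],
        "double_opt_in_at": confirmed_at,
    }
    return CONTACTS[key]


if __name__ == "__main__":
    # Constructed sample: a signup, then the link being used a few minutes later.
    token = create_opt_in_token("form-1", "Alice@Example.com", now=1_700_000_000)
    print("pending contact exists:", ("form-1", "alice@example.com") in CONTACTS)
    contact = confirm_opt_in(token, now=1_700_000_200)
    print("confirmed at:", contact["double_opt_in_at"].isoformat())
```

The point of the design is that the proof of consent is possession of a link only the server could have issued and only the mailbox owner could have received; the contact row, with its UTC double_opt_in_at field, is the first and only thing written, and it is written at confirmation time, not at signup time.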