Strictly, no — single opt-in can be lawful if the consent is freely given, specific, informed, and unambiguous (GDPR Art. 4(11)). But double opt-in (send a confirmation email, require a click) is the safer default because:
- It proves intent to a challenging regulator.
- It filters out typo'd addresses and spambot signups.
- German case law and several DPAs treat it as the de facto standard.
Meet Your Fan uses double opt-in for its own newsletter subscriptions. For campaign-owner broadcasts (influencer → entrants), entrants opt in once at the moment of entry. That single opt-in is scoped to that specific campaign — it does not grant the influencer permission to contact the entrant outside of that campaign.