When a user initiates the first part of a signup (for a newsletter or whatever) an email is sent to them asking for a confirmation. Until confirmation is received, let's call this particular user "pending".
Some questions:
Appreciate your views.
Is it ethical to keep information gained through unconfirmed subscriptions?
Nope Indeedy! If you state they need to activate their pending confirmation to gain membership then you should definitely not use their email address for future contact/profitable gain.
Personally I would give them 14 days to activate their confirmation. I wouldn't send a reminder, but maybe list on the subscriptions box that they may need to check their junk mail folder for their activation email.
"I am sorry that you did not finalize your desire to join us. We will now remove you from the opt-in list in the next 48 hours because we sent you a confirmation email which you did not confirm. If it was an issue on our part and you did not receive the original opt-in email then the confirmation link was XXXX but if not then you need do nothing and this link will not work 48 hours from now."
I now let incomplete opt-ins sit in the opt-in queue for seven days then delete. If they really want to join they will try again. Or write to you directly.
This works for me by reducing any maintenance for the subscriber lists, avoids the possible prank subscribes (somebody subbing someone else), and prevents anyone from turning my list in for sending unsolicited mail.
People are very sensitive these days about getting email from strangers, even strangers with the best intentions.
So, I personally do nothing on failed opt-ins. There's always more fish in the sea!
Is it ethical to keep information gained through unconfirmed subscriptions?
Well, it's kinda required to at least keep their email address around for a while, so you can deny further requests to subscribe directed at that email address. Otherwise, your website is available to any random angry CS student for mailbomb attacks. When there's a human or bot-gone-bad attack, it can be awfully handy to have the IP address of the submitter around as well (though you presumably are maintaining a timestamp in the pending file, via which you could probably get the IP address out of the raw web server logs).
If you're running a CRM behind the mailshots though, you can let the CRM do the duplicate checking on the email address. Anyone trying to use an expired confirmation email could be treated as re-initiating the double opt-in from scratch.
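An added example, not part of the original thread: a sketch of the pending queue the posts above describe, which keeps the address, timestamp and submitter IP, refuses to send a second confirmation email while one is outstanding, purges after seven days, and treats an expired link as a fresh opt-in. The class and method names, the in-memory dict and the token format are assumptions made for illustration.

```python
import hashlib, hmac, secrets, time

PENDING_TTL = 7 * 24 * 3600  # seven-day queue, as one poster describes

class PendingStore:
    """Hypothetical in-memory pending queue; a real one would sit in a database or CRM."""

    def __init__(self, clock=time.time):
        self.clock = clock
        self.pending = {}  # normalized email -> record

    @staticmethod
    def _norm(email):
        return email.strip().lower()

    @staticmethod
    def _digest(token):
        # Store only a hash so a leaked queue does not yield working links.
        return hashlib.sha256(token.encode()).hexdigest()

    def purge(self):
        cutoff = self.clock() - PENDING_TTL
        for email in [e for e, r in self.pending.items() if r["created"] < cutoff]:
            del self.pending[email]

    def request(self, email, ip):
        """Return a token to mail out, or None if a confirmation is already outstanding."""
        self.purge()
        key = self._norm(email)
        rec = self.pending.get(key)
        if rec:
            rec["repeat_ips"].append(ip)  # kept for abuse investigation
            return None                   # deny: no second email to this address
        token = secrets.token_urlsafe(32)
        self.pending[key] = {"digest": self._digest(token), "created": self.clock(),
                             "ip": ip, "repeat_ips": []}
        return token

    def confirm(self, email, token):
        """Return 'confirmed', 'invalid' (wrong token) or 'restart' (nothing pending)."""
        self.purge()
        key = self._norm(email)
        rec = self.pending.get(key)
        if rec is None:
            return "restart"  # expired or unknown: begin the double opt-in again
        if not hmac.compare_digest(rec["digest"], self._digest(token)):
            return "invalid"
        del self.pending[key]
        return "confirmed"
```

A caller that gets `None` from `request` should show the same "check your inbox" page as for a new signup, so the form does not reveal which addresses are already pending.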