That article seems to say that it's sufficient to identify (but not authenticate) yourself as the subscriber who wants to cancel. So anyone can cancel any other subscribers they want? OK, German lawmakers, whatever you say...
> If sufficient data to identify the subscription to be cancelled
> is entered by the consumer, the submission of the form will itself
> be a valid cancellation, the effect of which cannot be made subject
> to further steps such as logins or second factor (e.g., email, app)
“we got a request to cancel your subscription. We did that, but if it wasn’t you who made that request, or you accidentally unsubscribed, click here to revert that cancellation within X days”.
And if you're unlucky, you're going to get one of these every day for every one of your subscriptions. All it takes is someone who doesn't like you and who knows your email.
True, you'd be in for some more clicks. I'd still prefer to take that risk, as it is way more work to find out cancellation procedures for the ever-growing list of paid/subscription services, employing more and more dark patterns to extract "value" out of you.
> If sufficient data to identify the subscription to be cancelled
> is entered by the consumer, the submission of the form will itself
> be a valid cancellation, the effect of which cannot be made subject
> to further steps such as logins or second factor (e.g., email, app)
> confirmations.