Opt-Out and Opt-In Consent Explained
Opt-Out and Opt-In Consent Models
Modern privacy laws grant individuals rights to make informed decisions about the collection, use and disclosure of their information. Consent has become a common way for businesses to legitimize many of their data practices, and so has become a pervasive aspect of our digital experience. From terms of service to newsletter subscriptions to cookie usage, we are regularly asked to make a choice.
Businesses must note that although specific requirements can vary across regulations and engagement contexts, consent tends to fall into these two camps:
| | United States | European Union |
|---|---|---|
| Consent Model | Notice and Opt-Out | Notice and Opt-In |
| What it means | You are informed about privacy-invasive data practices and given the opportunity to broadly object | You are informed upfront about privacy-invasive data practices and asked to expressly consent to each |
| Default assumption | You automatically agree until you say otherwise | You do not agree until you actually do |
| Cultural driver | Stronger emphasis on the freedom of individuals and companies to contract and exchange information | Stronger emphasis on protecting individuals’ privacy rights and freedoms |
Below, we’ll explore these opt-out and opt-in models and how they may apply to your business in more detail.
Opt-Out and Opt-In Consent Explained
If your business collects, uses and discloses personal data, you are generally required to provide individuals with notice and some form of choice to be exercised immediately or at a later time.
What is Opt-In?
In data privacy, opt-in user consent means consumers acknowledge the proposed data activity, understand the purposes for collection, and agree to have their data collected, processed, and stored by businesses or other such data controllers. Generally, no data activities should ever proceed without opt-in user consent from consumers.
For instance, the European Union’s (EU) General Data Protection Regulation (GDPR) requires businesses to notify consumers of their right to opt-in to their data being processed. And businesses subject to the GDPR may not collect or process a consumer’s data without their consent.
But businesses do not need to wait for the law to follow the opt-in model – it is a best practice where consent is meaningful.
A common example is a food delivery app asking to use your precise location.
Another is a business inviting subscriptions to its email newsletter.
In both cases individuals can choose to withhold their information and therefore their permission. (Withholding consent is also a privacy right.)
What is Opt-Out?
On the other hand, opt-out consent means individuals can decide not to have their personal data processed by businesses or third parties associated with those businesses (or to stop existing data activities they previously consented to). The right to opt-out of data processing activities is common across most privacy regulations within the United States (e.g., CCPA, VCDPA, CPA) and the GDPR.
Depending on the specific privacy regulation, businesses may be required to notify the consumers about the processing activities their personal data will be subjected to, after which the consumers can decide to opt-out of their personal data being processed.
A common example is individuals being offered a clear way to unsubscribe from email newsletters and marketing offers.
Beyond giving individuals choice where it matters, opt-out mechanisms are also an enforceable safety net for activities policymakers (and voters) view as being more privacy-invasive. For example, California’s Consumer Privacy Act grants Californians the right to opt out of their data being “shared” with adtech providers, and to restrict the use of precise location and other sensitive information for extraneous business activities. These rights can be accessed from a consolidated link on a business’s website.
What are the Differences Between Opt-In vs. Opt-Out?
The main difference between opt-out vs. opt-in is who makes the initial choice – the business or the individual.
With the opt-in model, a business simply makes its case and waits for the individual to grant or to withhold their consent. The US Telephone Consumer Protection Act is an interesting contrast to the US CAN-SPAM Act in this regard. The TCPA requires businesses to collect prior “written” consent from individuals before sending them text messages, which they can request to stop at any time, whereas CAN-SPAM permits unsolicited commercial emails until a person requests that they stop.
When it comes to opt-in consent, the GDPR sets the global standard. Consent must be freely given, informed in simple terms, specific to each use purpose, and unambiguously given. Consent may not be forced through terms of service, bundled together with unrelated use purposes, or presumed through pre-ticked checkboxes. Nor can it be implied through incidental actions like opening an email, continuing to browse a website or closing out a cookie banner.
With the opt-out model, a business presumes individuals consent based on reasonable expectations and societal norms. An online clothing retailer may reasonably assume its regular customers would like to receive weekly newsletters with personalized offers. Consent is presumed through the transactional relationship and the understanding that customers generally welcome a personalized experience.
Opt-Out Requirements Under Amended CCPA
The California Consumer Privacy Act, as amended by CPRA, allows consumers to request businesses to stop selling or sharing their personal information with third parties. Californians also have the right to restrict the use and disclosure of their sensitive personal information under certain circumstances.
What Does the CCPA Opt-Out Mean For Businesses?
To comply with the CCPA opt-out requirements, businesses that handle the personal data of California consumers must:
- Inform consumers if their personal data may be sold or shared with third parties and provide notice of the opt-out right to the consumers.
- Provide a clearly labeled link that enables consumers to opt-out of their data being processed or used by third parties.
- Provide a clearly labeled link that enables consumers to opt-out of their sensitive data being used or disclosed.
- Respect opt-out requests exercised using universal opt-out preference signals like Global Privacy Control.
Although CCPA is primarily a notice and opt-out law, there are circumstances under which explicit opt-in is required. Businesses must:
- Not sell or share the personal information of teenagers under the age of 16 without their consent, or the data of children under the age of 13 without parental consent.
- If a business offers financial incentives, including loyalty rewards, for selling, sharing, or retaining Californians’ personal data, they are required to provide enhanced notice with information on how a consumer can opt-in.
Additionally, after receiving a valid opt-out or limit request, a business needs to wait at least 12 months before asking the consumer to change their mind. Consent to override a prior opt-out must be freely-given, informed, specific and unambiguous.
Similar Opt-Out Requirements Across Privacy Regulations in the US
Like the CCPA, the privacy laws currently implemented by other states require opt-out consent:
- Virginia’s Consumer Data Protection Act provides consumers the right to opt-out of data processing activities that involve targeted advertising, data sales, or automated profiling. Businesses must also notify consumers of their right to opt-out of these data processing activities.
- Colorado’s Privacy Act also allows consumers to opt-out of data processing activities if their personal data will be used for targeted advertising, data sales, or automated profiling. However, consumers can also designate an authorized party to act on their behalf when exercising these opt-out requests.
- Connecticut’s Data Privacy Act provides similar requirements to those in Virginia’s and Colorado’s privacy laws. Businesses must also clearly display the option for consumers to exercise their opt-out rights on their websites.
- Utah’s Consumer Privacy Act also has similar opt-out provisions to the privacy laws established by other states.
Compliance with the opt-out requirements listed in the CCPA and other regulations will help protect the privacy of your consumers’ data.
Role of Opt-In Consent Under European Privacy Law
Under the GDPR, consent is only one of six co-equal legal bases for processing personal data, because consent is not always the most appropriate way to legitimize data processing. For example, a clothing retailer does not need to seek consent from a customer to disclose the customer’s shipping address to a package delivery service.
Other processing activities do require consent that meets the GDPR’s high opt-in bar. Notably, the 2009 EU ePrivacy “Cookie” Directive (ePD) required website operators to obtain “informed consent” before companies store and access “non-essential” cookies on consumers’ devices. “Informed consent” was ambiguously defined, and each EU member country implementing the Cookie Directive into national law interpreted it in different ways. In 2018 the GDPR clarified that consent for cookies must be freely given, informed, specific and unambiguous.
When it comes to business practices, compliance with the GDPR requirements means that:
- Businesses ensure consumers have opted in for their personal data to be processed if the said processing is based on consumer opt-in consent.
- Consumer opt-in requests are to be expressed to businesses clearly, intelligibly, and in an easily accessible manner.
- Consumers can choose to opt-out of their data being processed by businesses anytime, and the processes to do so must remain just as easy as those for opting in.
- Businesses only engage in data processing activities for which consumers have provided opt-in consent, as described in the business contracts signed by consumers.
When businesses ask consumers to electronically opt in to or opt out of data processing activities (e.g., via business websites), the consumers should be offered options that make clear how the business is obtaining that consent. Possible options include a checkbox consumers actively tick when choosing to opt in or opt out, and a setting consumers can return to in order to change their opt-in or opt-out choices later.
Since consumers have the right to opt-out of data processing activities at any time, businesses should also provide electronic opt-out options on their websites or email communications, where email marketing is used.
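As an added illustration that is not part of the original article and not DataGrail’s product code, the following Python sketch models the consent rules discussed in the CCPA and GDPR sections above: purpose-specific opt-in that ignores pre-ticked defaults or inaction, one-step withdrawal, treating a Global Privacy Control request header (`Sec-GPC: 1`) as a do-not-sell-or-share request, and the 12-month wait before re-prompting after an opt-out. The purpose names, the header handling and the epoch-second timestamps are assumptions made for the example.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional

# CCPA rule quoted in the article: wait at least 12 months after a valid
# opt-out before asking the consumer to reconsider (modelled as 365 days).
REPROMPT_WAIT_SECONDS = 365 * 24 * 3600


@dataclass
class ConsentLedger:
    """Per-consumer consent state (hypothetical model, not a product API)."""
    # purpose -> recorded only after an explicit, purpose-specific opt-in
    optins: Dict[str, bool] = field(default_factory=dict)
    # epoch seconds of the latest "do not sell or share" opt-out, if any
    sale_share_optout_at: Optional[int] = None

    def opt_in(self, purpose: str, user_action: bool) -> bool:
        # A pre-ticked box or inaction (user_action=False) is not consent,
        # and consent is recorded per purpose, never bundled across purposes.
        if not user_action:
            return False
        self.optins[purpose] = True
        return True

    def withdraw(self, purpose: str) -> None:
        # Withdrawal must be as easy as opting in: one step, no conditions.
        self.optins.pop(purpose, None)

    def allowed(self, purpose: str) -> bool:
        return self.optins.get(purpose, False)

    def apply_request_headers(self, headers: Dict[str, str], now: int) -> bool:
        # Global Privacy Control is sent as the request header "Sec-GPC: 1"
        # (header names are case-insensitive); treat it as a valid opt-out of
        # selling/sharing. The mapping to an opt-out record is an assumption.
        normalized = {k.lower(): v for k, v in headers.items()}
        if normalized.get("sec-gpc") == "1":
            self.sale_share_optout_at = now
            return True
        return False

    def may_sell_or_share(self) -> bool:
        return self.sale_share_optout_at is None

    def may_reprompt(self, now: int) -> bool:
        # No re-prompting inside the 12-month window after an opt-out.
        if self.sale_share_optout_at is None:
            return True
        return now - self.sale_share_optout_at >= REPROMPT_WAIT_SECONDS
```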
Build Consumer Trust
Make it easy for consumers to opt-out of data selling, data collection, and data sharing without explicit consent. It’s the right thing to do — and it’s required in California, Colorado, Virginia, other U.S. states and abroad.
Honor and manage Do Not Sell or Share requests with DataGrail.