Opt-Out and Opt-In Consent Explained

Modern privacy laws grant individuals rights to make informed decisions about the collection, use and disclosure of their information. Consent has become a common way for businesses to legitimize many of their data practices, and so has become a pervasive aspect of our digital experience. From terms of service to newsletter subscriptions to cookie usage, we are regularly asked to make a choice.

Businesses must note that although specific requirements vary across regulations and engagement contexts, consent tends to fall into two camps: opt-in and opt-out.

Below, we’ll explore these opt-out and opt-in models and how they may apply to your business in more detail.

If your business collects, uses and discloses personal data, you are generally required to provide individuals with notice and some form of choice to be exercised immediately or at a later time.

What is Opt-In?

In data privacy, opt-in consent means consumers acknowledge the proposed data activity, understand the purposes for collection, and affirmatively agree to have their data collected, processed, and stored by a business or other data controller. Under an opt-in model, the activity does not start until that agreement has been given.

For instance, where a business subject to the European Union’s (EU) General Data Protection Regulation (GDPR) relies on consent as its legal basis, that consent must be an opt-in: the business must explain the processing up front and may not collect or process the consumer’s data on that basis until the consumer has agreed.

But businesses do not need to wait for the law to follow the opt-in model – it is a best practice where consent is meaningful.

A common example is a food delivery app asking to use your precise location.

[Image: Opt-In Example: Uber Location Services]

Another is a business inviting subscriptions to its email newsletter.

[Image: Opt-In Example: Newsletter Subscription]

In both cases individuals can choose to withhold their information and therefore their permission. (Withholding consent is also a privacy right.)

What is Opt-Out?

On the other hand, opt-out consent means individuals can decide not to have their personal data processed by a business or by third parties associated with it (or can stop data activities they previously agreed to). The right to opt out of data processing is common across most US state privacy regulations (e.g., CCPA, VCDPA, CPA), and the GDPR provides the equivalent through the right to object and the right to withdraw consent at any time.

Depending on the specific privacy regulation, businesses may be required to notify the consumers about the processing activities their personal data will be subjected to, after which the consumers can decide to opt-out of their personal data being processed.

A common example is individuals being offered a clear way to unsubscribe from email newsletters and marketing offers.

Beyond giving individuals choice where it matters, opt-out mechanisms are also an enforceable safety net for activities that policymakers (and voters) view as more privacy-invasive. For example, the California Consumer Privacy Act grants Californians the right to opt out of their data being “shared” with adtech providers, and to limit the use of precise location and other sensitive personal information to what the business actually needs. These rights must be reachable from a clearly labeled link (or a single consolidated link) on the business’s website.

What are the Differences Between Opt-In vs. Opt-Out?

The main difference between opt-out vs. opt-in is who makes the initial choice – the business or the individual.

With the opt-in model, a business makes its case and waits for the individual to grant or withhold consent. The US Telephone Consumer Protection Act (TCPA) is an interesting contrast to the US CAN-SPAM Act in this regard. The TCPA requires businesses to obtain prior express written consent before sending marketing text messages, and recipients can revoke that consent at any time. CAN-SPAM, by contrast, permits unsolicited commercial email until the recipient asks for it to stop.

When it comes to opt-in consent, the GDPR sets the global standard. Consent must be freely given, informed in plain terms, specific to each purpose, and unambiguous. Consent may not be forced through terms of service, bundled together with unrelated purposes, or presumed through pre-ticked checkboxes. Nor can it be implied through incidental actions like opening an email, continuing to browse a website, or closing a cookie banner.

With the opt-out model, a business presumes consent based on reasonable expectations and societal norms. An online clothing retailer may reasonably assume its regular customers would like to receive weekly newsletters with personalized offers. Consent is presumed through the transactional relationship and the understanding that customers generally welcome a personalized experience, as long as they can easily say no.

Opt-Out Requirements Under Amended CCPA

The California Consumer Privacy Act, as amended by CPRA, allows consumers to request businesses to stop selling or sharing their personal information with third parties. Californians also have the right to restrict the use and disclosure of their sensitive personal information under certain circumstances.

What Does the CCPA Opt-Out Mean For Businesses?

To comply with the CCPA opt-out requirements, businesses that handle the personal data of California consumers must:

Although CCPA is primarily a notice and opt-out law, there are circumstances under which explicit opt-in is required (for example, selling or sharing the personal information of consumers under 16).

Additionally, after receiving a valid opt-out or limit request, a business needs to wait at least 12 months before asking the consumer to change their mind. Consent to override a prior opt-out must be freely-given, informed, specific and unambiguous.

Similar Opt-Out Requirements Across Privacy Regulations in the US

Like the CCPA, the privacy laws currently implemented by other states require opt-out consent:

Compliance with the opt-out requirements listed in the CCPA and other regulations will help protect the privacy of your consumers’ data.

Role of Opt-In Consent Under European Privacy Law

Under the GDPR, consent is one of six co-equal legal bases for processing personal data, because consent is not always the most appropriate way to legitimize processing. For example, a clothing retailer does not need to seek consent from a customer to disclose the customer’s shipping address to a package delivery service.

Other processing activities do require consent that meets the GDPR’s opt-in bar. Notably, the 2009 amendment to the EU ePrivacy Directive (the “Cookie Directive”) required website operators to obtain “informed consent” before storing or accessing “non-essential” cookies on consumers’ devices. “Informed consent” was left ambiguous, and each EU member state implementing the directive into national law interpreted it differently. When the GDPR took effect in 2018, its definition of consent became the reference point: consent for cookies must be freely given, informed, specific and unambiguous.

When it comes to business practices, compliance with the GDPR requirements means that:

When businesses ask consumers to opt in to or opt out of data processing electronically (e.g., on a website), the consumers should be shown clearly how their consent is being obtained. In practice this means an unticked checkbox or button for each purpose that the consumer must act on to opt in, a visible way to decline, and a settings page where the consumer can later change their opt-in or opt-out choices.

Since consumers have the right to opt-out of data processing activities at any time, businesses should also provide electronic opt-out options on their websites or email communications, where email marketing is used.
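The consent rules described on this page (no consent by default, no pre-ticked or bundled controls, nothing inferred from closing a banner, opt-out honoured from any channel, and the CCPA rule of waiting 12 months before re-asking a consumer who opted out) can be encoded in a small consent ledger. The block below is an added example, not DataGrail's code or any regulator's reference implementation; the purpose names, action names and the form-field shape are illustrative assumptions.

```javascript
// Added example (not DataGrail's code): a small consent ledger that encodes
// the opt-in, opt-out and re-ask rules described in the article. Purpose
// names, action names and the form-field shape are illustrative assumptions.

const PURPOSES = new Set(["analytics", "personalized_ads", "newsletter"]);

// Only an affirmative act on the control for a specific purpose is opt-in.
// Scrolling, continuing to browse or closing a banner is never consent.
const AFFIRMATIVE_ACTIONS = new Set(["checkbox_checked", "button_clicked"]);

function createLedger() {
  return { records: [] };
}

// Most recent decision for a purpose as of `now` (epoch ms), or undefined.
function latestRecord(ledger, purpose, now) {
  let latest;
  for (const r of ledger.records) {
    if (r.purpose === purpose && r.at <= now && (!latest || r.at > latest.at)) {
      latest = r;
    }
  }
  return latest;
}

function record(ledger, { purpose, decision, action, at }) {
  if (!PURPOSES.has(purpose)) throw new Error(`unknown purpose: ${purpose}`);
  if (decision !== "granted" && decision !== "withdrawn") {
    throw new Error(`bad decision: ${decision}`);
  }
  if (decision === "granted" && !AFFIRMATIVE_ACTIONS.has(action)) {
    throw new Error(`cannot infer consent to ${purpose} from '${action}'`);
  }
  // Withdrawal is accepted from any channel (unsubscribe link, settings page).
  ledger.records.push({ purpose, decision, action, at });
}

// Turn a submitted consent form into ledger entries.
// fields: [{ purposes: [...], checked, defaultChecked }]
function recordForm(ledger, fields, at) {
  for (const f of fields) {
    // One control per purpose: a box covering several purposes is bundling.
    if (!Array.isArray(f.purposes) || f.purposes.length !== 1) {
      throw new Error(`control must cover exactly one purpose: ${JSON.stringify(f.purposes)}`);
    }
    // A pre-ticked box is not consent, whether or not it was left ticked.
    if (f.defaultChecked) {
      throw new Error(`pre-ticked control for ${f.purposes[0]} is not valid consent`);
    }
  }
  // Every field was validated above, so a bad form records nothing at all.
  for (const f of fields) {
    if (f.checked) {
      record(ledger, { purpose: f.purposes[0], decision: "granted", action: "checkbox_checked", at });
    }
    // An unchecked box records nothing: the default stays "no consent".
  }
}

// Absence of a record never means consent.
function isAllowed(ledger, purpose, now) {
  const latest = latestRecord(ledger, purpose, now);
  return latest !== undefined && latest.decision === "granted";
}

// CCPA rule: after an opt-out, wait at least 12 months before asking again.
function mayReask(ledger, purpose, now) {
  const latest = latestRecord(ledger, purpose, now);
  if (latest === undefined || latest.decision !== "withdrawn") return true;
  const earliest = new Date(latest.at);
  earliest.setUTCMonth(earliest.getUTCMonth() + 12);
  return now >= earliest.getTime();
}

// Walk-through with constructed events (dates and actions are made up).
function demo() {
  const ledger = createLedger();
  const t0 = Date.UTC(2024, 0, 15);
  recordForm(ledger, [
    { purposes: ["newsletter"], checked: true, defaultChecked: false },
    { purposes: ["analytics"], checked: false, defaultChecked: false },
  ], t0);
  record(ledger, { purpose: "newsletter", decision: "withdrawn", action: "unsubscribe_link", at: t0 + 1000 });
  return {
    newsletterAfterUnsubscribe: isAllowed(ledger, "newsletter", t0 + 2000),
    analyticsNeverGranted: isAllowed(ledger, "analytics", t0 + 2000),
    reaskNextMonth: mayReask(ledger, "newsletter", Date.UTC(2024, 1, 15)),
    reaskAfterYear: mayReask(ledger, "newsletter", Date.UTC(2025, 0, 15, 0, 0, 1)),
  };
}

console.log(demo());
```

The ledger is append-only and every check is evaluated as of a timestamp, so the same functions answer both "may we process now?" and "what had the consumer agreed to on the date of an audit?". Withdrawal deliberately bypasses the affirmative-action check: an opt-out is accepted however it arrives, while an opt-in is rejected unless it came from the purpose's own control.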

Build Consumer Trust

Make it easy for consumers to opt out of data selling, data sharing, and unnecessary data collection, and do not treat silence as explicit consent. It’s the right thing to do, and it’s required in California, Colorado, Virginia, other U.S. states and abroad.

Honor and manage Do Not Sell or Share requests with DataGrail. Learn more here.