Opt-in and opt-out consent models are essential to understand when trying to ensure compliance with different data privacy regulations like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). As the demand for data collection grows, such regulations ensure responsible and consensual data handling practices.
Read on and we’ll explain what opt-in and opt-out are, with examples, and how to use them to make sure your business complies with the relevant laws.
Meaning of opt-in and opt-out
To understand the difference between opt-in and opt-out, you first need to comprehend what each of them is. Let’s review their definitions.
Opt-in consent model
Opt-in consent refers to the requirement for website visitors to provide active and explicit consent for personal data collection, processing, or sharing. This means providing users with an “accept” button as soon as they enter a website and delaying data collection practices until consent is given.
Opt-out consent model
The opt-out consent model refers to the practice of not actively asking a user for consent to data collection and processing. Instead, users can withdraw consent or opt out of data collection practices at any time.
Examples of opt-in and opt-out
Opt-in and opt-out aren’t just used by websites that use cookies. Let’s review the examples of opt-in and opt-out consent models in different scenarios.
Opt-in consent
Opt-in consent models can be used for multiple reasons, but they all must constitute an affirmative action. Here are a few examples:
- Data privacy law compliance. Regulations like the GDPR require obtaining explicit consent. This means that a compliant cookie banner must include an “accept” button. You can see how an opt-in consent banner looks below.
- Newsletters. When you’re browsing a website and you’re offered to subscribe to a newsletter, you most likely get asked to check a confirmation box. This is considered an explicit agreement to receive emails from the company.
- Marketing emails. Similar to a newsletter, you may be asked to opt into promotional emails when you’re completing a purchase and provide your email address.
- App permission. Some apps on your device may request access to your camera, microphone, contacts, or location. However, they can’t proceed without your explicit consent, which is usually an “allow” button.
Opt-out consent
Opt-out consent, unlike opt-in, provides a consent withdrawal option but doesn’t require requesting consent in the first place. Here are a few examples of the ways it’s used:
- Data privacy law compliance. Some regulations, like the CCPA, don’t require acquiring consent for data collection or processing (except for minors). However, companies must still provide users with an option to opt out with a button like “Do not sell or share my personal information.” You can see an example of how it looks in the Disney website footer below.
- Marketing campaigns. While some services ask your permission to send you emails and offers, others sign you up automatically as soon as you create a new account. To disable this, you have to change your account settings, so it’s considered opt-out consent.
- App permissions. Some large companies use your data to improve their services. For example, Facebook tracks you across sites, while Amazon saves voice recordings received through Alexa devices. All of this can be disabled in your account settings.
Opt-in and opt-out consent for cookies
Whether to use opt-in or opt-out consent models for cookies depends on the target audience of a business. An important EU cookie law that influenced several other regulations and laws in the US is the ePrivacy Directive. It set strict regulations regarding cookie usage and management, requiring businesses to obtain consent before cookies are deployed.
That’s why when users visit a website from a location in the EU, they usually see a cookie banner like this:
However, if a company uses essential cookies only, consent isn’t required because such cookies are necessary for the site’s functionality.
The ePrivacy Directive also influenced laws and regulations in the US. For example, organizations that have to comply with the CCPA can enroll users in data collection practices (except for minors) by default, but an opt-out method must be present.
Meanwhile, the California Privacy Rights Act (CPRA) adds a requirement to honor Global Privacy Control (GPC) signals, otherwise known as “do not track” requests.
No matter what cookie laws or regulations you must comply with, they usually require providing clear, understandable, and transparent information. Plus, you must adopt a cookie policy or add a section about cookies to your privacy policy where you state the lawful basis for processing.
When and how to use opt-in
Depending on your business activities and target audience, you may need to use the opt-in consent model. Let’s review the popular use cases and how to comply:
1. When collecting EU user data
Users in the European Union (EU) are protected under the ePrivacy Directive and the GDPR. Both of these regulations require getting active opt-in consent.
For example, according to the ePrivacy Directive (Recital 17), consent must be a “freely given specific and informed indication of the user's wishes.”
Article 7 of the GDPR also adds that informing users is obligatory, and it has to be done “in an intelligible and easily accessible form, using clear and plain language.” In many cases, this involves adding a privacy notice on your website. You can see an example of it below.
2. When using cookies and targeting EU citizens
If you’re targeting EU citizens and use cookies, you’ll need to adopt an opt-in cookie banner to comply with the GDPR and the ePrivacy Directive. Cookies help remember user preferences to create a seamless user experience, but they’re also used for cross-site tracking.
Essential cookies are necessary for the website to function properly and don’t require user consent. Other types of cookies, like performance or advertising cookies, are not strictly necessary and can’t be enabled until consent is granted.
Usually, consent is gathered using a consent banner. You can get it by investing in a consent management platform. If you’re a Shopify user, you can benefit from TinyCookie and get a customizable banner in just one click.
3. When covering data collection practices in the privacy policy
Your privacy policy is a legal document and binding agreement regarding data collection, processing, and sharing activities. Under the GDPR, companies must acquire user consent to their privacy policy through affirmative action.
Asking users to agree to a privacy policy can be done during sign-up by simply letting them check a box. Here’s an example of how it could look:
Alternatively, some companies use banners to gather consent as soon as the user visits the site. This can also be done by adding an “I agree” button or a check box.
4. When selling the data of California minors
Although the CCPA doesn’t require gathering explicit consent for the collection of California citizen data, minors are an exception. Here are the requirements based on the minor’s age according to the CCPA (FAQ B.2):
- Under the age of 16 – you need to get affirmative authorization (opt-in consent) to sell the minor’s personal data.
- Under the age of 13 – you must get opt-in consent from the minor’s parent or guardian.
- At least 13 but under the age of 16 – the opt-in consent can be given by the child.
To get valid consent from minors, you’ll need to add a popup, banner, or another element that collects the authorization. For example, you could require users to enter their birth year upon signup.
Keep in mind that CCPA fines range from $2,500 for each unintentional violation to $7,000 for each intentional one, so you want to ensure you don’t overlook the rights of minors.
When and how to use opt-out
Some regulations require providing opt-out methods when users are automatically enrolled in data collection. Plus, most regulations also require providing opt-out methods even if users have already consented. Here are some examples of opt-out use cases:
1. When selling California citizen data
Although the CCPA doesn’t require obtaining affirmative consent, it’s still obligatory to give Californian users an option to opt out of personal data selling.
As the CCPA (FAQ B.3) states:
“Businesses that sell personal information are subject to the CCPA's requirement to provide a clear and conspicuous “Do Not Sell or Share My Personal Information” link on their website that allows you to submit an opt-out request.”
Plus, when a user wants to opt out, companies must honor that user’s request without asking them to verify their identity.
You can add the “Do Not Sell or Share My Personal Information” link to your homepage or in the privacy policy. It’s important that the link is easily accessible or users could report you to the Attorney General for non-compliance.
Alternatively, users may submit an opt-out request via GPC signals. However, in such cases, you must adopt the measures needed to honor those signals. This can be a consent banner that supports them, like TinyCookie on Shopify.
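The cookie-gating rule from the opt-in section (nothing non-essential runs until the visitor accepts) and the opt-out rule above (enrolled by default, but a saved opt-out or a GPC signal must be honoured) can be expressed as one decision function. This is an added example, not code from the original post or from TinyCookie; the function names, the `regime` option, and the script registry are this example’s own assumptions.

```javascript
// Added example: decide which cookie categories may run for one visitor.
// Regimes follow the page's two cases: "opt-in" (GDPR / ePrivacy) and
// "opt-out" (CCPA / CPRA with Global Privacy Control honoured).
const NON_ESSENTIAL = ["performance", "advertising"];

// Returns { allowed: {category: bool}, showBanner: bool }.
//   regime: "opt-in"  - consent is required before non-essential cookies run
//           "opt-out" - enrolled by default, an opt-out must be available
//   stored: the visitor's saved choice, e.g. { performance: true, advertising: false }, or null
//   gpc:    true when the browser sent a Global Privacy Control signal
function resolveConsent({ regime, stored = null, gpc = false }) {
  if (regime !== "opt-in" && regime !== "opt-out") {
    throw new Error(`unknown regime: ${regime}`);
  }
  // Essential cookies never need consent; everything else starts from the regime's default.
  const allowed = { essential: true };
  for (const c of NON_ESSENTIAL) allowed[c] = regime === "opt-out";
  // A saved choice replaces the default in either regime.
  if (stored) for (const c of NON_ESSENTIAL) allowed[c] = stored[c] === true;
  // GPC is treated as an opt-out request that wins over a saved choice and switches
  // off every category that shares data with third parties; here that is all
  // non-essential categories (an assumption of this example).
  if (gpc) for (const c of NON_ESSENTIAL) allowed[c] = false;
  // Opt-in sites must ask before doing anything; opt-out sites only need the opt-out link.
  const showBanner = regime === "opt-in" && !stored;
  return { allowed, showBanner };
}

// Reads the GPC signal browsers expose as navigator.globalPrivacyControl.
function hasGpcSignal(nav = typeof navigator !== "undefined" ? navigator : {}) {
  return nav.globalPrivacyControl === true;
}

// Keeps only the scripts whose category the visitor has allowed.
function scriptsToLoad(registry, allowed) {
  return registry.filter((s) => allowed[s.category] === true).map((s) => s.src);
}

// Constructed sample registry of scripts and their cookie categories.
const REGISTRY = [
  { src: "/js/session.js", category: "essential" },
  { src: "https://analytics.example/tag.js", category: "performance" },
  { src: "https://ads.example/pixel.js", category: "advertising" },
];
```

Pass `hasGpcSignal()` as `gpc` and the stored banner choice as `stored`, then inject only the scripts returned by `scriptsToLoad`.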
2. When doing email marketing
When you send emails to your users regarding promotions or advertisements, you must include an opt-out link in each email. This is usually done via an “unsubscribe” link. You can see an example below.
Here are the requirements based on the countries and their regulations:
- US CAN-SPAM Act: According to the CAN-SPAM Act compliance guide on the Federal Trade Commission (FTC) website, you must tell users how to opt out of receiving marketing emails from you, and the instructions must be clear and easy to understand. You can allow users to opt out of specific types of emails, but an option to stop all marketing emails must still be present.
- EU’s GDPR: Article 21 of the GDPR states that data subjects have the right to object to data processing for direct marketing purposes. As soon as the user withdraws consent, the company must cease sending marketing emails.
3. When using analytics
When you use third-party analytics platforms, like Hotjar or Google Analytics (GA), you need to state that in your privacy policy. This involves explaining the opt-out method for people who refuse to participate in data collection for analytics purposes.
Creating a method to opt out of analytics tracking is a requirement under the CCPA if you share or sell data.
Additionally, third-party analytics tools, like Hotjar and GA, state in their Terms of Service that you must disclose how you’ll use user data through these services. For example, by agreeing to the Hotjar Terms of Service (9.2), you agree to have a privacy policy that discloses your personal data collection and use practices.
The same is true with Google Analytics – you must disclose your data collection practices and the use of the platform.
Frequently asked questions
Whether you should use an opt-in or opt-out consent model depends on where you operate and who you sell to:
- If your company has to comply with a regulation that requires explicit and active consent, such as the GDPR, you’re obliged to ensure opt-in consent.
- If the regulation you have to comply with does not require explicit consent, like the CCPA, you must use opt-out consent.
The CCPA is an opt-out law – it doesn’t require obtaining active consent for the company’s data handling practices. However, businesses must ensure that users are informed and there is an easy way to opt out.
It’s better to use an opt-in consent model because it ensures transparent data handling practices and gives users a level of control. Meanwhile, the opt-out model enrolls users in data collection automatically and only then provides an option to opt out.
An example of opt-in consent would be ticking a checkbox on a website during sign-up, which constitutes affirmative, explicit, and informed consent. Meanwhile, an example of opt-out consent would be a website offering a “Do not sell or share my personal information” button to reject data handling practices that the user didn’t have to consent to.