Data privacy laws like the GDPR and CCPA give individuals the right to opt in or out of different data processing activities.
- Opt in consent means the user takes an action to show they agree to something,
- Opt out consent is when they take an action to say no.
Knowing the difference between each method and when to use it helps with legal compliance. Learn more below.
- What Is The Difference Between Opt In vs Opt Out Consent?
- What Is The Definition of Opt In Consent?
- What Is The Definition of Opt Out Consent?
- When and How Should I Use Opt-In Consent?
- When and How Should I Use Opt-Out Consent?
- How Does Termly Help With Opt-In and Opt-Out Consent Requirements?
- Opt In vs Opt Out Consent: Frequently Asked Questions
What Is The Difference Between Opt In vs Opt Out Consent?
Below is a table comparing opt in versus opt out consent.
| Opt In Consent | Opt Out Consent | |
| Definition | When someone chooses to agree to data collection or processing by taking an active action.
It does not assume consent until consent is explicitly given. |
When an individual has the option to deny and remove themselves from data processing, typically by taking some type of action.
It assumes consent until the individual explicitly withdraws their agreement. |
| Laws That Require It |
|
|
| What It Looks Like |
|
|
What’s The Difference Between Implied Consent vs Informed Consent?
In the context of data privacy, implied consent refers to when a website assumes the user consents to a policy based on their action, behavior, or gesture, rather than asking them to take a direct action.
Informed consent means providing users with all necessary information before they decide whether to agree to a policy, such as presenting a privacy or cookie policy on a pop-up banner.
Implied consent typically forgoes opt-in consent, whereas informed consent typically relies on obtaining a user’s opt-in consent.
While these consents are different from opt-in versus opt-out consent requirements, they are intrinsically related.
What Is The Definition of Opt In Consent?
In the context of data privacy laws, opt in consent refers to when an individual chooses to agree to data collection or processing by taking an active action.
Some examples of how businesses can implement opt-in consent include asking their website visitors to:
- Select an unticked checkbox to denote agreeing to a policy, like a privacy policy or terms and conditions agreement.
- Hit the ‘Accept’ button when signing up for marketing emails or other forms of direct advertising.
- Click ‘Agree’ on a cookie consent pop-up banner before placing cookies on the user’s browser.
- Select an ‘Accept’ at the end of a survey to show they agree to having their answers interpreted and published.
Under several laws, like the GDPR, the user must also be informed for opt-in consent to be considered valid, which is why privacy and cookie policies or terms and conditions are typically included where opt-in consent is requested.
Some consumer protection laws also require opt in agreement options.
For example, if you want to send consumers SMS messages in the U.S., you’re subject to following the Telephone Consumer Protection Act (TCPA) which requires opt in consent.
Businesses can apply this by requesting interested consumers:
- Physically write and or sign a document and physically pass it in to sign up to receive phone calls, text messages, emails, or other forms of contact.
- Actively choose to include a phone number to sign up for SMS messages.
What Is The Definition of Opt Out Consent?
Opt out consent means an individual has a chance to deny and remove themselves from data processing and they typically take some type of action.
Businesses can implement opt out consent by giving users the option to:
- Click a ‘Do Not Sell or Share My Personal Data’ link and following through on their right to opt-out of this type of data processing.
- Set up an opt-out mechanism on their browser that communicates to website’s consent banners to express their desire to not have their data tracked.
- Select ‘Deny’ on a cookie consent banner asking if the user is okay with having any unnecessary cookies placed on their browser.
Some privacy laws require businesses to inform consumers of their right to opt out of certain data processing activities and provide them with directions for how to do so, including the California Consumer Privacy Act (CCPA).
It’s common for this information to be required in your privacy policy.
Businesses can also use opt out consent to meet laws like the TCPA and anti-spam legislation. For example, businesses might ask their consumer to:
- Click ‘Unsubscribe’ at the bottom of an email to opt out of receiving them.
- Leave a checkbox blank when submitting a form to denote not wanting to join, sign up for, be included in, or submit something.
When and How Should I Use Opt-In Consent?
Opt-in consent is required by specific laws and applies to specific instances, which I’ve described in full for you below.
What Laws Require Opt-In Consent?
Here’s a list of privacy and consumer protection laws that require opt in consent, and some details about the specific obligations described by the law:
- General Data Protection Regulation (GDPR): Under the GDPR, consent from a consumer is only considered valid if it is freely given, informed, active, and unambiguous, which means opt-in is required.
- California Consumer Privacy Act (CCPA): Most consumers don’t have explicit opt-in rights under the CCPA, but they do apply to minors under age 16; if the child is under 13, the opt-in consent must come from a legal guardian.
- Children’s Online Privacy Protection Act (COPPA): COPPA is a federal U.S. law that requires entities get opt in consent from children’s legal guardians before any data collection occurs.
- Brazil’s General Data Privacy Law (LGPD): Heavily based on the GDPR, the only valid form of consent under the LGPD is active, opt-in consent.
- South Africa’s Protection of Privacy Information Act (POPIA): Another law inspired in part by the GDPR, this law also requires websites get active opt-in consent from consumers to collect their data.
- Telephone Consumer Protection Act (TCPA): Opt in consent requirements aren’t new. Enacted in 1991, this federal U.S. law requires businesses to get opt-in consent from consumers before sending them cold calls.
If you fall under these laws, you must provide one or more methods for consumers to actively give their voluntary consent before performing the data processing.
What Does Opt-In Consent Look Like?
Because you can request opt in agreement from users for various purposes, I’ve found some different examples for you to look to for inspiration.
Opt In Example for Privacy Law Compliance
First, here’s a sample of what it looks like to request opt-in consent from consumers for your use of cookies in accordance with the GDPR using Termly’s Cookie Consent Banner:
It requires users to actively click on the ‘Accept’ button to express they agree to the use of cookies and the cookie policy, has a live link to the cookie policy so users are properly informed, and leads to a preference center so consumers can change their minds at any time.
Opt In Example for Newsletter Signups
Below is an example of how the news resource The Guardian compliantly requests opt it consent from their website visitors to join their newsletter.
It asks interested users to express agreement to signing up to receive the emails by selecting ‘Sign Up’, making it an “opt in” agreement.
When and How Should I Use Opt-Out Consent?
There are several moments when your business might be legally obligated to provide consumers with an opt-out option on your website.
What Data Privacy Laws Require Opt-Out Options?
Here’s a list of privacy laws that outline opt-out requirements along with some details about what the specific expectations are:
- General Data Protection Regulation (GDPR): Consumers have the right to opt out of data processing under this law, and removing consent needs to be as easy for them as providing it.
- California Consumer Privacy Act (CCPA): The CCPA explicitly gives consumers the right to opt out of targeted advertising, the selling or sharing of their data, and profiling. A requirement of the law is to post a “Do Not Sell or Share My Personal Information” link in the footer of your site.
- Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act: This federal U.S. law requires all marketing emails to include an unsubscribe option and this request must be honored.
- All Current U.S. State-Level Privacy Laws: Several U.S. states have enacted or proposed comprehensive privacy laws, many of which grant consumers opt-out rights (e.g., targeted advertising, data sales). However, these statutes vary in scope and effective date, so verify which state laws actually apply to your organization to determine specific opt-out requirements
- Children’s Online Privacy Protection Act (COPPA): Under COPPA, legal guardians must provide verifiable consent before data collection from children under 13. After consent, parents retain the right to review, delete, or halt further use of their child’s data
- Australia Privacy Act: Like other privacy laws, Australians have a right to opt out of targeted advertising.
- Brazil’s General Data Privacy Law (LGPD): Like the GDPR, consumers have the right to opt out of data processing at any time, for any reason.
- New Zealand Privacy Act: Based on the Australia Privacy Act, this law also gives consumers the right to remove themselves from targeted advertising.
- South Africa’s Protection of Privacy Information Act (POPIA): This is another privacy law that gives consumers the right to opt of of targeted advertising and to withdraw their consent to data processing at any time.
Some of these laws should look familiar to you, because they also outline opt-in consent requirements, including the GDPR, the LGPD, and the POPIA.
Most of these opt-out rights include the right for consumers to remove themselves from targeted advertising and the selling (or sharing) of their personal data.
Websites deploy internet cookies on users’ browsers to perform for these purposes, which makes the use of cookies and other trackers subject to these legal requirements. This is why most websites have cookie banners with ‘Agree’, ‘Deny’, and ‘Preference’ buttons.
If your website falls under these laws, you must provide one or more methods for consumers to easily follow through on these opt out rights.
What Does Opt-Out Consent Look Like?
Because there are different situations where you might use opt-out consent, I’ve provided a couple of relevant examples for you to look at below.
Opt Out Example for Data Privacy
First is an example of an opt-out consent from on a sign-up page, where a user is entering in their personal details to create an account.
In this scenario, the checkboxes are already pre-ticked, meaning the user has to actively unselect them to opt-out when creating their account.
CCPA Opt-Out Link Example
The following screenshot is an example of an opt-out link users can find at the bottom of Termly’s very own website that complies with the CCPA opt-out requirements.
Clicking this link leads to a form where users can easily follow through on their rights under the CCPA, including opting out of targeted advertising and the sale or sharing of their information.
Opt Out Example for Email Newsletter
Next, I provided an example of an opt-out unsubscribe link at the bottom of a marketing email from the ecommerce store, Litographs.
Adding an opt out link to the bottom of marketing emails in this manner is required by laws like CAN-SPAM.
How Does Termly Help With Opt-In and Opt-Out Consent Requirements?
Managing consumer consent is a multi-step process that can be technically difficult and time consuming to manage independently.
Termly’s Consent Management Platform helps businesses meet opt in and opt out requirements with ease.
The consent banner is easy to use and customizable, enabling you to provide opt in or opt out options for your website or app visitors, and regional consent settings are available. To fully help with privacy law requirements, it also gives your users access to a consent preference center so they can change their minds at any time.
You can schedule site scans to detect, categorize, and name cookies it uses. Then it makes a cookie policy for you, which you can present to users to ensure they’re properly informed.
It also gives you a Data Subject Access Request (DSAR) form, which you can embed on your website. Your users can use it to submit requests to follow through on their privacy rights, and you can more efficiently receive and respond to them.
Opt In vs Opt Out Consent: Frequently Asked Questions
Here are some FAQs about opt out versus opt in consent.
What’s the difference between opt in and opt out consent?
Opt in consent and opt out consent are different in the following ways:
- Opt in consent requires a user to take an action to agree to something,
- Opt out consent assumes agreement until the person takes an action to opt out.
Is opt in or opt out better?
One isn’t better than the other, but there is a time and place to use either opt in or opt out consent. For example, privacy laws outline specific requirements for when a business must use opt in consent versus opt out consent.
Under the CCPA, businesses must give users an opt out option for targeted advertising. Under the GDPR, websites must request opt in consent from users before collecting any data.
What is opt out consent?
Opt out consent is when a person has an option to take an action to remove themselves or withdraw their consent to something, like clicking a ‘Do Not Sell or Share My Personal Information” link.
It assumes consent from the person until they follow through on actively opting out.
What is the meaning of opt in consent?
Opt in consent is a legal term that refers to obtaining active agreement from a person by having them take an action, like signing their name, selecting an unmarked checkbox, or clicking on an ‘Agree’ button.
Written by Natasha Piirainen
Natasha Piirainen is a privacy writer with a Bachelor’s Degree in English and Philosophy from Wheaton College and over 10 years of professional experience in research-driven content development.
Read all posts by Natasha Piirainen
Reviewed by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
Masha Komnenic is a legal counsel and Termly’s Director of Global Privacy, who received her law degree from Belgrade University. She specializes in implementing, monitoring, and auditing business compliance with privacy regulations (HIPAA, PIPEDA, ePrivacy Directive, GDPR, CCPA, POPIA, LGPD).
Read all posts reviewed by Masha Komnenic CIPP/E, CIPM, CIPT, FIP
