Privacy laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) revolve around requirements which mandate that businesses get users to opt in or opt out of certain data collection and processing activities.
In this article, you’ll find out everything you need to know about opting in and opting out, as well as how to implement each method to keep your business on the right side of the law.
1. Opt In Opt Out: What’s the Difference?
In order to understand when to install opt-in measures and when to install opt-out measures, you need to first understand the difference between the two, and what each method seeks to accomplish.
Opt In Meaning
Opting in means that a user will take an affirmative action to offer their consent.
The most common way we see opt-in methods implemented is through checkboxes. When presented with a checkbox, the user must take action to check the box – which denotes their consent.
Opting in can be used in a variety of situations, including email and newsletter mailing lists, cookie use, and legal policy agreement.
Example of Opt In
In the example below, you can see opt-in mechanisms in action:
Opt Out Meaning
Opting out means a user will take action to withdraw their consent.
There are two main ways to offer opt-outs to users.
The first way is a pre-emptive opt-out, in which users can uncheck a marked box – or otherwise undo a confirmation – in order to indicate that they are not interested in the activity you’re presenting them.
Example of Opt Out
In this example, assume that the user entered this page and the boxes were already checked. The user then has the opportunity to uncheck the boxes in order to withdraw their consent – or opt out.
Another form of opt-out is consent withdrawal.
This is when you offer users a way to withdraw their permission or change their preferences after the original point of consent.
Take for instance the example email below:
In this email from Invision, they note users’ ability to opt out of receiving future marketing contact by directing them to a preference manager via the opt out link.
An even more common method of opt-out that you’re probably familiar with – and may even employ yourself – is the famous “unsubscribe” link.
Like we see in this email for MarTechExec, unsubscribe links are often contained in the footer of an email, and direct users to a page or form that allows them to opt out of receiving further outreach from that company.
If you send any form of commercial email to U.S. residents, having including an unsubscribe option is particularly important as it’s mandated by the rules of the CAN-SPAM Act.
2. When & How to Use Opt-In
Now that we know the difference between opt-in and opt-out mechanisms, it’s time to figure out when and where to use them. Each strategy has its function in particular situations, and each one is necessary for certain aspects of privacy law compliance.
You should use opt-in if…
As we mentioned earlier, it’s always a good idea to get consent to legal policies – like privacy policies and terms and conditions – through user opt-in.
Laws like the GDPR mandate businesses receive user consent to their privacy policies through an affirmative action before collecting personal data.
You Collect Data from EU Citizens
If you collect information from citizens or residents of the EU, you’re probably already aware of the GDPR and its stringent guidelines for user consent.
Under this new regulation, businesses that collect the data of EU citizens must base that data collection on one of the following bases:
- User Consent
- Legitimate Interests
- Contractual Necessity
- Vital Interest of the User
- Legal Obligation
- Public Interest
Most businesses will collect and process data on the grounds of GDPR legitimate interest or user consent. However, if you collect one of the following special categories of personal data, you must fulfill additional conditions for lawful processing as found in Article 9 of the GDPR:
- racial or ethnic origin
- political opinions
- religious or philosophical beliefs
- trade union membership
- genetic data
- biometric data
- health data
- sex life or sexual orientation
Of the conditions listed in Article 9, processing sensitive personal information is prohibited unless explicit user consent is given, or one or more of the other provisions is met.
Under the GDPR’s guidelines for data processing on the basis of user consent, that consent must be given through a clear and affirmative action.
In other words, if you want to process data lawfully under the GDPR and are relying on consent as the lawful basis for that processing, you need to implement opt-in methods to get user consent to data collection. Failure to appropriately do so may result in hefty penalties, like the Google GDPR fine of 50 million euros issued in January of 2019.
Since there are so many ways to install opt-in mechanisms for data collection, read our comprehensive GDPR consent requirements guide to learn which methods best suit your company’s compliance needs.
You Sell the Data of California Minors
Quickly following the May 2018 institution of the GDPR, another privacy law entered the ring. On June 28th, 2018, Governor Jerry Brown signed the California Consumer Privacy Act of 2018 (CCPA) into effect.
While the GDPR applies to those who collect data from EU citizens, the CCPA affects businesses with Californian users.
The law boasts a provision dedicated to the rights of consumers under the age of 16, regarding the sale of their data.
Section 1798.120 (d) of the CCPA states:
A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, […], has affirmatively authorized the sale of the consumer’s personal information.
To get users under the age of 16 to “affirmatively authorize” the sale of their data, you’ll need to implement opt-in measures at the entry-point of your data collection.
For example, add a popup to your sign-up page that’s triggered if a user enters their age or birthday and is under 16 years old.
That popup should have an unchecked box where users can offer their consent to having their information sold – if that’s something you could potentially do with their personal data.
One element to consider when establishing this form of opt-in is that users should be given the opportunity to consent to specific categories of cookies.
For example, if you use advertising cookies as well as analytics cookies, you should have opt-in checkboxes for each category.
Where should you install these cookie opt-ins on your site?
You Want More Targeted Emailing Lists
While installing opt-ins may be a big part of legal compliance, that doesn’t mean that opt-ins aren’t a great business and marketing strategy as well.
Users that opt in to receive emails have already expressed an interest in your site and your product. This makes it easier for you to gauge your audience and target your email campaigns accordingly.
As for how to install email marketing opt-ins, Neil Patel lists some of the best spots on your site to include an email marketing opt-in form:
- Below your single posts
- At the site footer
- Within the article body, using the content upgrade strategy
- On your “about” page
3. When & How to Use Opt-Out
You should offer users methods of opting out if…
You Sell the Data of California Residents
Going back to the recently-passed CCPA, the law specifically grants Californian users the “right to opt out” of the sale of their personal data.
Of this development, the text of the CCPA reads:
A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.
You Send Marketing Emails
As we mentioned earlier, if you send marketing emails, you need to include an opt-out link in every email – ideally through an “unsubscribe” link.
While it’s absolutely necessary to offer forms of opting out in the two scenarios outlined above, it’s also advisable for you to offer users avenues of opting in to both activities. Getting explicit user consent for direct marketing purposes is always the safest route when it comes to keeping compliant and building trust with your consumers.
While there are situations to use opt-in and situations to use opt-out, any business that wishes to remain compliant with the law and appease their customers will need to employ both methods.
Also keep in mind, that wherever there’s an opt-in, there needs to be an opt-out, so users can withdraw their consent at any time.
With all the recent laws and user demand for greater transparency and control when it comes to data, implementing opt-in and opt-out mechanisms are more important than ever.