Opt In vs. Opt Out

Privacy laws like the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA) revolve around requirements mandating that businesses get users to opt in or opt out of certain data collection and processing activities.

In this article, you’ll find an easy-to-understand opt in and opt out meaning, as well as everything you need to know about how to implement each method to keep your business on the right side of the law.

Table of Contents

1. Opt In, Opt Out: What’s the Difference?
2. When & How to Use Opt-In
3. When & How to Use Opt-Out
4. Conclusion

1. Opt In, Opt Out: What’s the Difference?

In order to understand when to install opt-in measures and when to install opt-out measures, you need to first understand the difference between opt in vs. opt out and what each method seeks to accomplish.

Opt In Meaning

Opting in means that a user will take an affirmative action to offer their consent.

The most common way businesses implement opt-in methods is through checkboxes. When presented with a checkbox, the user must take action to check the box, which denotes their consent.

Opting in can be used in a variety of situations, including subscribing to email and newsletter mailing lists, accepting cookie use, and agreeing to legal policies.

Example of Opt In

In the example below, you can see an opt-in mechanism in action:

Here, when a user registers for an account, they have the opportunity to opt in to receiving emails as well as to agree to the terms of use and privacy policy. When users first arrive on this page, both boxes are unchecked, allowing them to take direct action to indicate their preferences.

Opt Out Meaning

Opting out means a user takes action to withdraw their consent.

There are two main ways to offer opt-outs to users.

The first way is a pre-emptive opt-out in which users can uncheck a marked box — or otherwise undo a confirmation — in order to indicate that they are not interested in the activity you’re presenting them.

Opt Out Meaning Example

In this example, assume that the two boxes at the bottom of the form were already checked when the user accessed the page. The user then has the opportunity to opt out, meaning they uncheck the boxes in order to withdraw their consent.

Another form of opt-out is consent withdrawal.

Consent withdrawal is when you offer users a way to withdraw their permission or change their preferences after the original point of consent.

Consider the example email below:

In this email from Invision, the company notifies users that they may opt out of receiving future marketing contact by directing them to a preference manager via the opt-out link.

An even more common method of opt out that you’re probably familiar with — and may even employ yourself — is the “unsubscribe” link.

As seen in this email for MarTechExec, unsubscribe links are often contained in the footer of an email. They direct users to a page or form that allows them to opt out of receiving further outreach from the company.

If you send any form of commercial email to U.S. residents, including an unsubscribe option is particularly important. The practice is mandated by the rules of the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003, or the CAN-SPAM Act.

2. When & How to Use Opt-In

Now that you know the difference between opt-in and opt-out mechanisms, it’s time to figure out when and where to use them. Each strategy has its function in particular situations, and each one is necessary for certain aspects of privacy law compliance.

You should use opt-in if:

You Outline Data Collection in Your Privacy Policy

As mentioned earlier, it’s always a good idea to get consent to legal policies — like privacy policies and terms and conditions — through user opt-in.

Laws like the GDPR mandate businesses receive user consent to their privacy policies through an affirmative action before collecting personal data.

One method of drawing attention to your privacy policy and allowing users to opt in to the practices outlined within is through a consent banner. Such banners appear when a user first visits a site, directs them to the privacy policy, and asks them to take an action (like checking an unchecked box) to note consent.

You Collect Data from EU Citizens

If you collect information from citizens or residents of the European Union (EU), you’re probably already aware of the GDPR and its stringent guidelines for user consent. It applies to all businesses that receive traffic from EU citizens, even if the business isn’t located in the EU.

Under this regulation, businesses that collect the data of EU citizens must base that data collection on one of the following bases:

• User consent
• Legitimate interests
• Contractual necessity
• Vital interest of the user
• Legal obligation
• Public interest

Most businesses will collect and process data on the grounds of GDPR legitimate interest or user consent. However, if you collect one of several special categories of personal data, you must fulfill additional conditions for lawful processing as found in Article 9 of the GDPR. These categories include:

As part of the conditions listed in Article 9, processing sensitive personal information is prohibited unless explicit user consent is given or at least one of the requirements for a handful of exceptions is met.

Under the GDPR’s guidelines for data processing on the basis of user consent, that consent must be given through a clear and affirmative action.

If you want to process data lawfully under the GDPR and are relying on consent as the lawful basis for that processing, you must implement opt-in methods to get user consent to data collection. Failure to appropriately do so may result in hefty penalties, like the Amazon GDPR fine of 746 million euros issued in July of 2021.

Since there are so many ways to install opt-in mechanisms for data collection, read our comprehensive GDPR consent requirements guide to learn which methods best suit your company’s compliance needs.

You Sell the Data of California Minors

Following the institution of the GDPR, another privacy law entered the ring. In June of 2018, the California Consumer Privacy Act of 2018 (CCPA) was signed into law. It came into effect in January of 2020.

While the GDPR applies to those who collect data from EU citizens, the CCPA affects businesses with Californian residents, whether they are present in the state or not.

Among the provisions in the law, one is dedicated to the rights of minors regarding the sale of their data.

Section 1798.120 (c) of the CCPA states:

[…] a business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information.

To get users under the age of 16 to “affirmatively authorize” the sale of their data, you’ll need to implement opt-in measures at the entry point of your data collection.

One way to make the opt-in meaning clear is to add a popup to your sign-up page that is triggered if a user enters their age as under 16 years old.

The popup should have an unchecked box where users can offer their consent to having their information sold — if that’s something you could potentially do with their personal data.

Violating the CCPA — even unintentionally — can get you a fine of up to $2,500 per unintentional violation and $7,500 per intentional violation.

Starting on January 1, 2023, the California Privacy Rights Act (CPRA), a significant amendment to the CCPA passed in 2020, will come fully into effect. Among its provisions, it will increase the penalty for each unintentional violation from $2,500 to $7,500.

You Use Cookies & Market to EU Citizens

Written into its provisions on data collection, the GDPR establishes guidelines for how to properly obtain consent to the use of cookies.

One element to consider when establishing this form of opt-in is that users should be given the opportunity to consent to specific categories of cookies.

For example, if you use advertising cookies as well as analytics cookies, you should have opt-in checkboxes for each category.

Where should you install these cookie opt-ins on your site?

The best place to get the consent you need for cookie use is through a cookie banner. This banner will appear at the bottom, top, or on either side of your website when a user accesses it. It will remain there until they’ve taken action to opt in or manage their cookie preferences. This banner should give users the opportunity to set their cookie preferences, and also direct them to your cookie policy.

Nike is one of many sites that includes a GDPR cookie consent popup. A popup can also give users the chance to opt in to the use of cookies or get more information. If users click “More Information,” they’re shown a new popup that allows them to customize their cookie preferences by category.

You Want More Targeted Emailing Lists

While installing opt-ins may be a big part of legal compliance, that doesn’t mean that opt-ins aren’t a great business and marketing strategy as well.

Users that opt in to receive emails have already expressed an interest in your site and your product. This makes it easier for you to gauge your audience and target your email campaigns accordingly.

As for how to install email marketing opt-ins, Neil Patel lists some of the best spots on your site to include an email marketing opt-in form:

• Below your posts
• At the site footer
• Within the article body
• On your “About” page

3. When & How to Use Opt-Out

While the option to opt-in is required by the CCPA and GDPR, users may also need to have the option to opt out, meaning you may also need to provide methods of doing so on your site. You should offer users ways to opt-out if:

You Sell the Data of California Residents

The CCPA specifically grants Californian users the “right to opt out” of the sale of their personal data.

Section 1798.120 (a) of the CCPA reads:

A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer’s personal information. This right may be referred to as the right to opt out.

The CCPA further specifies that this opt-out should be made available to users through a clear and conspicuous link on your homepage and in your privacy policy that reads: “Do Not Sell My Personal Information”. The opt-out process must be simple and clear without misdirecting users or impairing their choice to opt out.

You Send Marketing Emails

As mentioned earlier, if you send marketing emails to promote or advertise a commercial service or product, you need to include an opt-out link in every email — ideally through an “unsubscribe” link. This is required under the CAN-SPAM Act and is enforced by the Federal Trade Commission (FTC) in the United States.

To comply with CAN-SPAM, your marketing emails must have:

• An easily noticeable and visible unsubscribe mechanism that works

• Relevant and accurate “from” lines and subject lines

• A visible physical address

All three of these elements are visible in the Compose.ly sample above. If a user sends you an unsubscribe request, you must unsubscribe them within 10 days.

While it’s absolutely necessary to offer forms of opting out, it’s also advisable for you to offer users avenues of opting in. Getting explicit user consent for direct marketing purposes is always the safest route when it comes to keeping compliant and building trust with consumers.

You Send Remarketing Emails

You also need to give users the ability to opt out if you send remarketing emails. Also known as retargeting, remarketing refers to a form of digital marketing that targets users based on their previous internet behavior.

Remarketing platforms like AdRoll and Google AdWords have policies that require users to inform users that remarketing is taking place. These policies must provide a way for users to opt out of remarketing if they want.

For example, Google specifies that your privacy policy must include the following if you use AdWords for your company:

You Use Analytics Platforms

If you use analytics tracking platforms such as Google Analytics on your website, you need to include an opt out method in your privacy policy for users who don’t want their information collected. This is required by the California Online Privacy Protection Act (CalOPPA) in the U.S. and the Data Protection Directive in Europe. Many other countries and regions have similar requirements.

Google Analytics, for instance, states in its Terms of Service that you need to post a privacy policy that explains to your users how you will use cookies to collect data for analytics. You must disclose your use of Google Analytics and how you’ll be collecting and processing data by including a prominent link to a page explaining how Google uses data it collects.

You Use Other Third-Party Platforms or Tools

If you use any kind of third-party plugin, platform, or tool that lets other businesses collect and use personal information, look at your tool’s terms and conditions or privacy policy. It will likely require you to include an opt-out method and a privacy policy of your own.

4. Conclusion

While there are situations to use opt-in and situations to use opt-out, any business that wishes to remain compliant with the law and appease their customers will need to employ both methods. Wherever there’s an opt-in, there needs to be an opt-out so users can withdraw their consent at any time.

With the growing number of laws and user demand for greater transparency and control when it comes to data, implementing opt-in and opt-out mechanisms is more important than ever.

More about the author

Written by KJ Dearie

KJ Dearie is a product specialist and privacy consultant for Termly, where she advises small business owners on how to comply with the latest data privacy laws and trends. She's been published in Business News Daily, Omnisend, ITProToday, MarTechExec, and more. More about the author