Data privacy laws give individuals the right to opt in or out of different data processing activities; knowing the difference between each method and when to use it helps with legal compliance.
Below is my simple explanation of the differences between opt in versus opt out consent for businesses that collect and use consumer personal data.
Defining Opt In vs Opt Out Consent
To start, let’s go over the specific definitions of opt in and opt out consent in relation to business legal compliance.
Opt In Meaning
In the context of data privacy laws, opt in consent refers to when an individual chooses to agree to data collection or processing by taking an affirmative action.
The businesses I work with implement opt-in consent by asking their website visitors to:
- Select an unticked checkbox to denote agreeing to a policy, like a privacy policy or terms and conditions agreement.
- Hit the ‘Accept’ button when signing up for marketing emails or other forms of direct advertising.
- Click ‘Agree’ on a cookie consent pop-up banner before any cookies are placed on their browser.
- Select ‘Accept’ at the end of a survey to show they agree to having their answers interpreted and published.
Under several laws, the user must also be informed for opt-in consent to be considered valid, which is why privacy and cookie policies or terms and conditions are typically included where opt-in consent is requested.
Some consumer protection laws also require opt in agreement options.
For example, if you want to send consumers SMS messages in the U.S., you’re subject to the Telephone Consumer Protection Act (TCPA), which requires opt in consent.
I see businesses request this by asking interested consumers to:
- Physically write and/or sign a document and hand it in to sign up to receive phone calls, text messages, emails, or other forms of contact.
- Actively choose to include a phone number to sign up for SMS messages.
Opt Out Meaning
Opt out consent means an individual has a chance to decline and remove themselves from data processing, typically by taking some type of action.
I often see businesses implementing opt out consent by giving their users the option to:
- Click a ‘Do Not Sell or Share My Personal Data’ link and follow through on their right to opt out of this type of data processing.
- Set up an opt-out mechanism on their browser that communicates with websites’ consent banners to express their desire to not have their data tracked.
- Select ‘Deny’ on a cookie consent banner asking if the user is okay with having any unnecessary cookies placed on their browser.
Privacy laws typically require businesses to inform consumers of their right to opt out of certain types of data processing and to provide them with directions for how to do so. It’s common for this information to be required in your privacy policy.
But once again, I see opt out consent being requested to meet laws like the TCPA and anti-spam legislation. For example, businesses might ask their consumers to:
- Click ‘Unsubscribe’ at the bottom of an email to opt out of receiving them.
- Leave a checkbox blank when submitting a form to denote not wanting to join, sign up for, be included in, or submit something.
When and How To Use Opt-In Consent
Opt-in consent is required by specific laws and applies to specific instances, which I’ve described in full for you below.
Laws that Require Opt-In Consent
Here’s a list of privacy and consumer protection laws that require opt in consent, and some details about the specific obligations described by the law:
- General Data Protection Regulation (GDPR): Under the GDPR, consent from a consumer is only considered valid if it is freely given, informed, active, and unambiguous, which means opt-in is required.
- California Consumer Privacy Act (CCPA): Most consumers don’t have explicit opt-in rights under the CCPA, but opt-in requirements do apply to minors under age 16; if the child is under 13, the opt-in consent must come from a legal guardian.
- Children’s Online Privacy Protection Act (COPPA): COPPA is a federal U.S. law that requires entities to get opt in consent from children’s legal guardians before any data collection occurs.
- Brazil’s General Data Privacy Law (LGPD): Heavily based on the GDPR, the only valid form of consent under the LGPD is active, opt-in consent.
- South Africa’s Protection of Privacy Information Act (POPIA): Another law inspired in part by the GDPR, this law also requires websites to get active opt-in consent from consumers to collect their data.
- Telephone Consumer Protection Act (TCPA): Opt in consent requirements aren’t new. Enacted in 1991, this federal U.S. law requires businesses to get opt-in consent from consumers before sending them cold calls.
If you fall under these laws, you must provide one or more methods for consumers to actively give their voluntary consent before performing the data processing.
What Does Opt-In Consent Look Like?
Because you can request opt in agreement from users for various purposes, I’ve found some different examples for you to look to for inspiration.
Opt In Example for Privacy Law Compliance
First, here’s a sample of what it looks like to request opt-in consent from consumers for your use of cookies in accordance with the GDPR using Termly’s Cookie Consent Banner:
It requires users to actively click on the ‘Accept’ button to express they agree to the use of cookies and the cookie policy, has a live link to the cookie policy so users are properly informed, and leads to a preference center so consumers can change their minds at any time.
Opt In Example for Newsletter Signups
Below is an example of how the news resource The Guardian compliantly requests opt in consent from their website visitors to join their newsletter.
It asks interested users to express agreement to signing up to receive the emails by selecting ‘Sign Up’, making it an “opt in” agreement.
When and How To Use Opt-Out Consent
There are several moments when your business might be legally obligated to provide consumers with an opt-out option on your website.
Data Privacy Laws That Require Opt-Out Options
Here’s a list of privacy laws that outline opt-out requirements along with some details about what the specific expectations are:
- General Data Protection Regulation (GDPR): Consumers have the right to opt out of data processing under this law, and removing consent needs to be as easy for them as providing it.
- California Consumer Privacy Act (CCPA): The CCPA explicitly gives consumers the right to opt out of targeted advertising, the selling or sharing of their data, and profiling. A requirement of the law is to post a “Do Not Sell or Share My Personal Information” link in the footer of your site.
- Controlling the Assault of Non-Solicited Pornography and Marketing (CAN-SPAM) Act: This federal U.S. law requires all marketing emails to include an unsubscribe option and this request must be honored.
- All Current U.S. State-Level Privacy Laws: Several U.S. states have enacted or proposed comprehensive privacy laws, many of which grant consumers opt-out rights (e.g., targeted advertising, data sales). However, these statutes vary in scope and effective date, so verify which state laws actually apply to your organization to determine specific opt-out requirements.
- Children’s Online Privacy Protection Act (COPPA): Under COPPA, legal guardians must provide verifiable consent before data collection from children under 13. After consent, parents retain the right to review, delete, or halt further use of their child’s data.
- Australia Privacy Act: As under other privacy laws, Australians have a right to opt out of targeted advertising.
- Brazil’s General Data Privacy Law (LGPD): Like the GDPR, consumers have the right to opt out of data processing at any time, for any reason.
- New Zealand Privacy Act: Based on the Australia Privacy Act, this law also gives consumers the right to remove themselves from targeted advertising.
- South Africa’s Protection of Privacy Information Act (POPIA): This is another privacy law that gives consumers the right to opt out of targeted advertising and to withdraw their consent to data processing at any time.
Some of these laws should look familiar to you, because they also outlined opt-in consent requirements, including the GDPR, the LGPD, and the POPIA.
Most of these opt-out rights include the right for consumers to remove themselves from targeted advertising and the selling (or sharing) of their personal data.
Websites deploy internet cookies on users’ browsers for these purposes, which makes the use of cookies and other trackers subject to these legal requirements. This is why most websites have cookie banners with ‘Agree’, ‘Deny’, and ‘Preference’ buttons.
If your website falls under these laws, you must provide one or more methods for consumers to easily follow through on these opt out rights.
What Does Opt-Out Consent Look Like?
Because there are different situations where you might use opt-out consent, I’ve provided a couple of relevant examples for you to look at below.
Opt Out Example for Data Privacy
First is an example of an opt-out consent form on a sign-up page, where a user is entering their personal details to create an account.
In this scenario, the checkboxes are already pre-ticked, meaning the user has to actively unselect them to opt-out when creating their account.
CCPA Opt-Out Link Example
The following screenshot is an example of an opt-out link users can find at the bottom of Termly’s very own website that complies with the CCPA opt-out requirements.
Clicking this link leads to a form where users can easily follow through on their rights under the CCPA, including opting out of targeted advertising and the sale or sharing of their information.
Opt Out Example for Email Newsletter
Next, I provided an example of an opt-out unsubscribe link at the bottom of a marketing email from the ecommerce store, Litographs.
Adding an opt out link to the bottom of marketing emails in this manner is required by laws like CAN-SPAM.
How Termly Helps with Opt-In and Opt-Out Consent Requirements
Managing consumer consent is a multi-step process that can be technically difficult and time consuming to manage independently.
Termly’s Consent Management Platform helps businesses meet opt in and opt out requirements with ease.
The consent banner is easy to use and customizable, enabling you to provide opt in or opt out options for your website or app visitors, and regional consent settings are available. To fully help with privacy law requirements, it also gives your users access to a consent preference center so they can change their minds at any time.
You can schedule site scans to detect, categorize, and name the cookies your site uses. Then it makes a cookie policy for you, which you can present to users to ensure they’re properly informed.
It also gives you a Data Subject Access Request (DSAR) form, which you can embed on your website. Your users can use it to submit requests to follow through on their privacy rights, and you can more efficiently receive and respond to them.
Summary
Due to data privacy laws, consumer protection laws, and third-party platform requirements, most websites need to utilize both opt-in and opt-out consent mechanics.
Opt-in consent is particularly important if consent is your legal basis and you’re subject to the GDPR.
Opt-out consent is required if you fall under privacy laws that mandate you give users a chance to opt out of targeted advertising and the sharing or selling of their data.
Resources like Termly’s CMP help make it easy to manage both your users’ opt-in and opt-out consent preferences.