What are Opt-Out and Opt-In Consent Models?
The concept of user consent is an essential component of data privacy and protection. When users interact with websites, applications, or other online services, they are sharing personal information that may be used for various purposes, such as marketing, analytics, or research. Opt-in and opt-out are two consent models that are commonly used to obtain user consent for data processing.
Opt-in refers to the process of asking users for explicit consent before collecting, processing, or sharing their personal information. This means that users must actively indicate their willingness to participate, usually by checking a box or clicking a button. Opt-in is considered the gold standard for user consent as it ensures that users have a clear understanding of what they are agreeing to and have control over their data.
Opt-out, on the other hand, assumes that users have already given their consent unless they explicitly indicate otherwise. This means that users must actively deselect a checkbox or click a button to opt out of data processing. Opt-out is often used for less sensitive data or when user consent is assumed, such as for basic website functionality or cookie usage.
Consent has become a common way for businesses to legitimize many of their data practices, and so has become a pervasive aspect of our digital experience. From terms of service to newsletter subscriptions to cookie usage, we are regularly asked to make a choice. Businesses must note that although specific requirements can vary across regulations and engagement contexts, consent tends to fall into the two camps described above.
If your business collects, uses and discloses personal data, you are generally required to provide individuals with notice and some form of choice to be exercised immediately or at a later time.
What are the Differences Between Opt-In vs. Opt-Out?
The main difference between opt-out vs. opt-in is who makes the initial choice – the business or the individual.
When it comes to opt-in consent, the GDPR sets the global standard. Consent must be freely given, informed in simple terms, specific to each use purpose, and unambiguously given. Consent may not be forced through terms of service, bundled together with unrelated use purposes, or presumed through pre-ticked checkboxes. Nor can it be implied through incidental actions like opening an email, continuing to browse a website, or closing a cookie banner.
With the opt-out model, a business presumes that individuals consent based on reasonable expectations and societal norms. An online clothing retailer may reasonably assume that its regular customers would like to receive weekly newsletters with personalized offers. Consent is presumed through the transactional relationship and the understanding that customers generally welcome a personalized experience.
Opt-Out Requirements Under Amended CCPA
The California Consumer Privacy Act, as amended by CPRA, allows consumers to request businesses to stop selling or sharing their personal information with third parties. Californians also have the right to restrict the use and disclosure of their sensitive personal information under certain circumstances.
What Does the CCPA Opt-Out Mean For Businesses?
To comply with the CCPA opt-out requirements, businesses that handle the personal data of California consumers must:
- Inform consumers if their personal data may be sold or shared with third parties and provide notice of the opt-out right to the consumers.
- Provide a clearly labeled link that enables consumers to opt out of their data being processed or used by third parties.
- Provide a clearly labeled link that enables consumers to opt out of their sensitive data being used or disclosed.
- Respect opt-out requests exercised using universal opt-out preference signals like Global Privacy Control.
Although CCPA is primarily a notice and opt-out law, there are circumstances under which explicit opt-in is required. Businesses must:
- Not sell or share the personal information of teenagers under the age of 16 without their consent, or the data of children under the age of 13 without parental consent.
- Provide enhanced notice, including information on how a consumer can opt in, if the business offers financial incentives (including loyalty rewards) for selling, sharing, or retaining Californians’ personal data.
Additionally, after receiving a valid opt-out or limit request, a business needs to wait at least 12 months before asking the consumer to change their mind. Consent to override a prior opt-out must be freely given, informed, specific and unambiguous.
Similar Opt-Out Requirements Across Privacy Regulations in the US
Like the CCPA, the privacy laws currently implemented by other states require opt-out consent:
- Virginia’s Consumer Data Protection Act provides consumers the right to opt out of data processing activities that involve targeted advertising, data sales, or automated profiling. Businesses must also notify consumers of their right to opt out of these data processing activities.
- Colorado’s Privacy Act also allows consumers to opt out of data processing activities if their personal data will be used for targeted advertising, data sales, or automated profiling. In addition, consumers can designate an authorized party to act on their behalf when exercising these opt-out requests.
- Connecticut’s Data Privacy Act provides similar requirements to those in Virginia’s and Colorado’s privacy laws. Businesses must also clearly display the option for consumers to exercise their opt-out rights on their websites.
- Utah’s Consumer Privacy Act also has similar opt-out provisions to the privacy laws established by other states.
Compliance with the opt-out requirements listed in the CCPA and other regulations will help protect the privacy of your consumers’ data.
Role of Opt-In Consent Under European Privacy Law
Under the GDPR, consent is only one of six co-equal legal bases for processing personal data, because consent is not always the most appropriate way to legitimize data processing. For example, a clothing retailer does not need to seek consent from a customer to disclose the customer’s shipping address to a package delivery service.
When it comes to business practices, compliance with the GDPR requirements means that:
- Businesses ensure consumers have opted in to their personal data being processed whenever that processing is based on consumer opt-in consent.
- Consumer opt-in requests are to be expressed to businesses clearly, intelligibly, and in an easily accessible manner.
- Consumers can choose to opt out of their data being processed by businesses at any time, and the process for doing so must remain just as easy as the process for opting in.
- Businesses only engage in data processing activities for which consumers have provided opt-in consent, as described in the business contracts signed by consumers.
When businesses ask consumers to electronically opt in to or opt out of data processing activities (e.g., via business websites), consumers should be given options that clearly explain how the business is obtaining that consent. Possible options include providing a checkbox for consumers to tick when choosing to opt in or opt out, and offering consumers a way to change their opt-in or opt-out settings later.
Since consumers have the right to opt out of data processing activities at any time, businesses should also provide electronic opt-out options on their websites and, where email marketing is used, in their email communications.