The volume of personal data collected by businesses keeps growing, and data privacy laws and regulations are emerging rapidly worldwide in response.
Under an opt-in consent model, a user must perform an affirmative action before they can be sent any marketing emails. Under an opt-out consent model, users are signed up to receive marketing emails by default, and an action from the user is required to stop receiving them.
Today, most international data privacy laws require organizations to rely on the users’ consent and respect their choices for collecting and processing their data online. With the world becoming more digital, consent requirements are only expected to become stricter.
When relying on the user’s consent as a lawful basis for data processing, most global privacy laws can be classified as either opt-in or opt-out consent regimes.
Let’s dive deeper into opt-in and opt-out measures to understand the difference between the two and what they aim to achieve.
An opt-in process requires the user to actively subscribe to receive emails or newsletters by providing their email address and sometimes their name and other personal information. "Opt-in" consent means that you ask for someone's consent or permission before you use their data for marketing.
In the cookie-banner form of this model, users visiting a website can manually opt in to having their online activity retained for various purposes. When a user first arrives on the page, all boxes are unchecked. The user can opt in to any box of their choice, or select them all, and thereby tell the website their preferences.
An opt-in consent can be successfully implemented as follows:
An opt-out process requires the user to take action to unsubscribe if they no longer want to receive emails or newsletters. Under opt-out, the business adds you to its mailing list and gives you the option to stop receiving its emails.
There are two main ways through which opt-out options are offered to the consumer:
An opt-out consent can be successfully implemented as follows:
The CCPA is based on an opt-out consent practice. Even though countries are increasingly becoming opt-in consent regimes due to users’ growing privacy concerns, countries like the United States, Australia, Hong Kong, and Switzerland still have opt-out consent requirements.
Cookie laws, primarily following the introduction of the ePrivacy Directive in the EU, have brought strict rules around cookies, and opt-in and opt-out cookie consent banners have become two of the most significant compliance measures.
Opt-in and opt-out for cookies typically take the shape of cookie banners or pop-ups. As in the examples above, opt-in regimes require websites to obtain explicit consent from users before non-essential cookies are set. Under an opt-out regime, consent is assumed by default unless the user rejects the request or withdraws consent later.
This means non-essential cookies are already active on the page and are deactivated once a user opts out. As a matter of best practice, organizations should wait for the user to acknowledge the opt-out cookie consent banner before dropping any non-essential cookies, even where an opt-out regime applies.
Most data protection and cookie laws require websites to provide clear and accurate information about their cookie policy (including the strictly necessary cookies) and the purposes for which cookies are collected. The aim is to let users make an informed decision under either an opt-in or an opt-out consent regime.
Let’s take a detailed look at when to use opt-in and opt-out under prominent data protection laws such as CCPA, GDPR, and LGPD.
The California Consumer Privacy Act, typically referred to as CCPA, provides consumers with the right to opt-out and stop businesses from selling their personal information.
Companies complying with the CCPA must have clearly defined policies and adequate procedures in place to let consumers exercise their right to opt out of the sale of personal information. The CCPA requires businesses to provide a button or link stating "Do Not Sell My Personal Information".
Opt-out applies to California consumers ages 16 or older. Businesses must honor the consumer’s right to opt-out unless the consumer willingly decides to opt-in to the sale of their personal information.
The CCPA only applies to businesses having:
Businesses that meet the CCPA criteria and deal with California residents must comply with the CCPA, which grants Californian users the "right to opt-out" of the sale of their personal data (Section 1798.120(a) of the CCPA).
The CCPA requires the opt-out link to be clearly visible on the website's homepage. Additionally, the company's privacy policy must have a "Do Not Sell My Personal Information" section and the corresponding functionality.
Section 1798.120 (c) of the CCPA states:
[…] a business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information.
Businesses therefore need an opt-in mechanism before selling or sharing the personal information of consumers under 16 years of age. Any consent box in the popup banner must be unchecked by default.
The GDPR has widespread implications for all businesses that process the personal data of individuals in the EU, even if these businesses are located outside the EU.
The GDPR requires that users be given a genuinely free choice about enabling cookies. Since different cookies serve different purposes, such as advertising cookies and analytics cookies, the user must be offered separate opt-in checkboxes for each cookie category based on its purpose. In short, the GDPR requires consent to be opt-in.
The GDPR defines consent as "freely given, specific, informed and unambiguous" and given by a "clear affirmative action." Consent cannot be inferred from the data subject's silence or from "pre-ticked boxes."
The information on a cookie banner must be clear, plain and understandable by an average person, not only by lawyers, and organisations must avoid statements full of legal jargon.
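The opt-in and opt-out cookie behaviour described above (non-essential cookies blocked until affirmative, per-category consent under opt-in; on by default but only after the banner is acknowledged under opt-out; withdrawal honoured in both) is shown below as an added example of the gating logic a site would put in front of every third-party tag. This is illustrative code written for this article, not code from the original page or from any vendor; the category names, the function names (initialConsent, recordChoices, withdrawConsent, mayLoad, loadIfConsented) and the sample script URLs are assumptions.

```javascript
// Added example (not from the page): gating non-essential cookies behind
// recorded consent under an opt-in (GDPR-style) or opt-out (CCPA-style) regime.
// CATEGORIES, the function names and the script URLs are assumptions for this example.

const CATEGORIES = Object.freeze(["necessary", "analytics", "advertising"]);

// Start-of-session state. Under opt-in every non-essential category is off:
// silence or a pre-ticked box is not consent. Under opt-out, non-essential
// categories default to on, but nothing is dropped before the banner is
// acknowledged (enforced in mayLoad).
function initialConsent(regime, policyVersion) {
  if (regime !== "opt-in" && regime !== "opt-out") {
    throw new Error(`unknown consent regime: ${regime}`);
  }
  const choices = {};
  for (const cat of CATEGORIES) {
    choices[cat] = cat === "necessary" || regime === "opt-out";
  }
  return { regime, policyVersion, acknowledged: false, choices, recordedAt: null };
}

// Record the user's affirmative action on the banner. Unknown categories are
// rejected and "necessary" can never be switched off. Returns a new state and
// leaves the old one untouched so an audit log can keep both.
function recordChoices(state, choices, now = Date.now()) {
  const next = { ...state.choices };
  for (const [cat, on] of Object.entries(choices)) {
    if (!CATEGORIES.includes(cat)) throw new Error(`unknown cookie category: ${cat}`);
    if (cat === "necessary") continue;
    next[cat] = on === true; // only an explicit true counts as consent
  }
  return { ...state, acknowledged: true, choices: next, recordedAt: now };
}

// Withdrawal: every non-essential category goes to off, whatever the regime.
function withdrawConsent(state, now = Date.now()) {
  const off = {};
  for (const cat of CATEGORIES) if (cat !== "necessary") off[cat] = false;
  return recordChoices(state, off, now);
}

// The gate every script loader or cookie setter must pass through.
function mayLoad(state, category) {
  if (!CATEGORIES.includes(category)) throw new Error(`unknown cookie category: ${category}`);
  if (category === "necessary") return true;
  if (!state.acknowledged) return false; // no banner interaction yet: drop nothing
  return state.choices[category] === true;
}

// Load a third-party script only when the gate allows it. `inject` is pluggable
// so the function runs without a DOM (tests) and in a browser (default).
function loadIfConsented(state, category, src, inject = defaultInject) {
  if (!mayLoad(state, category)) return false;
  inject(src);
  return true;
}

function defaultInject(src) {
  if (typeof document === "undefined") return;
  const s = document.createElement("script");
  s.src = src;
  s.async = true;
  document.head.appendChild(s);
}

// Walk-through under both regimes; returns the scripts that actually loaded.
function demo() {
  const loaded = [];
  const capture = (src) => loaded.push(src);

  // Opt-in: nothing non-essential runs until the user ticks a box.
  let eu = initialConsent("opt-in", "cookie-policy-v3");
  loadIfConsented(eu, "analytics", "https://analytics.example/tag.js", capture); // blocked
  eu = recordChoices(eu, { analytics: true, advertising: false });
  loadIfConsented(eu, "analytics", "https://analytics.example/tag.js", capture); // loads
  loadIfConsented(eu, "advertising", "https://ads.example/pixel.js", capture);  // blocked

  // Opt-out: on by default, but only once the banner has been acknowledged.
  let ca = initialConsent("opt-out", "cookie-policy-v3");
  loadIfConsented(ca, "advertising", "https://ads.example/pixel.js", capture);  // blocked
  ca = recordChoices(ca, {});                                                    // acknowledged, defaults kept
  loadIfConsented(ca, "advertising", "https://ads.example/pixel.js", capture);  // loads
  ca = withdrawConsent(ca);
  loadIfConsented(ca, "advertising", "https://ads.example/pixel.js", capture);  // blocked

  return loaded;
}
```

The state is immutable and carries the policy version and timestamp so that each decision can be logged as evidence of what the user was shown and when. The one deliberate asymmetry is in mayLoad: under opt-out the defaults are "on", yet no non-essential script loads until acknowledged is true, which is the best-practice rule the text recommends for opt-out banners.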
Opt-in under the GDPR applies to any organization operating within the EU and any organizations outside of the EU that offer goods or services to customers in the EU. That ultimately means that almost every major corporation in the world to whom the GDPR applies needs to embed an opt-in mechanism.
Cookie banners are a common way to obtain consent from the user. They can be placed at the bottom, top, or on either side of the website. The information presented must be easily accessible to the user, and as a matter of user interface practice the banner should not disrupt the user's navigation experience.
Since the GDPR applies to organizations established in the EU regardless of where the processing takes place, and to organizations outside the EU that offer goods or services to, or monitor the behaviour of, individuals in the EU, the opt-in requirement applies to all of them.
The GDPR requires businesses to write clear privacy notices that children can understand, so that they know what will happen to their personal data and are aware of their rights. The information must be concise, transparent and easily accessible, in clear and plain language, addressed specifically to a child. Consent, once given, may be withdrawn at any time, and withdrawal must be as easy as giving consent.
The GDPR sets the age of digital consent at 16: for children below that age, businesses need consent from whoever holds parental responsibility for the child, unless the online service is a preventive or counselling service offered directly to the child. Member states may provide by law for a lower age, but not below 13 years (the UK, for example, uses 13).
The Brazilian General Data Protection Law, Lei Geral de Proteção de Dados Pessoais, commonly known as LGPD, regulates how personal data of individuals located in Brazil can be collected, used, and processed. Under the LGPD, consent must be free, informed, and unambiguous.
The LGPD impacts Brazilian companies and any business that targets Brazilian individuals or collects, uses, or processes the personal data of Brazilian individuals regardless of where the business is located.
The LGPD requires businesses to:
For consent to be valid under the LGPD, a consumer must actively confirm their consent by ticking an unchecked opt-in box.
Regarding consent for children, the LGPD does not explicitly set an age. The age of contractual capacity in Brazil is 18. Under Law No. 8069 (the Statute of Children and Adolescents) and the Brazilian Civil Code, consent may be given by a natural person aged 12 to 18 as long as the processing is in their best interests.
Opt-in emails are those a business sends to a consumer after the consumer has willingly provided their email address for email marketing purposes.
Most countries, including New Zealand, Canada, Australia, Hong Kong, Singapore, the United Kingdom, and all European Union countries, require you to obtain explicit opt-in consent from individuals before sending them marketing communications. This means ensuring the following steps:
Marketing emails are a great way to reach a target audience, but they’re a nuisance for users who do not wish to receive them. As a matter of good practice, marketing emails should include an opt-out link in every email. An example of this is ‘unsubscribe me from the list.’
Organisations operating in the United States have to comply with the CAN-SPAM Act in relation to their direct marketing practices. The CAN-SPAM Act creates the following major rules for organizations:
In countries where opt-out consent applies, businesses that send remarketing emails must let users opt out of them. Retargeting emails are a digital marketing strategy that deliberately targets users based on their previous choices.
Most users and businesses use multiple third-party tools, plugins, and extensions, and these tools receive users' personal data. A tool's terms and conditions and privacy policy determine what personal data it collects and with which parties it is shared.
As such, in countries where opt-out consent applies, businesses must build in opt-out functionality that lets users opt out of, or unsubscribe from, having their personal data shared with third parties.
All consent rules for collecting and processing personal data apply equally to cookies and similar tracking and identification technologies, and to any other processing for which consent is the lawful basis, such as direct marketing.
Therefore, organizations must apply the consent principles of their respective regime before installing any tracking technology on the user's terminal equipment and collecting the user's personal data.