The Difference Between Opt-In and Opt-Out Principles In Data Privacy: What You Need To Know

If you have read anything about data protection, you must have heard about the opt-in and opt-out principles. If you still wonder what these principles mean, this article will explain everything in detail.

To start, remember that these principles determine your data collection practices, including how you can use cookies, how your cookie consent banner should look to comply with cookie laws, and so on.

What’s the Difference: Opt-In vs. Opt-Out

Users can take action to either offer (opt-in) or withdraw (opt-out) their consent. Find out the differences here.

Opt-in and opt-out are some of the most common expressions used in data protection. But what exactly do they mean? To start, they come in many forms and with multiple meanings.

Opt-in and opt-out are approaches to data privacy on which the two main trends in data protection laws are based. They describe internet users’ actions concerning their personal data when accessing a website or an app— such as accepting cookies, requesting to be forgotten, and so on.

This may sound abstract, but let’s break it down so you can better understand the terms ‘opt-in’ and ‘opt-out’ and what these mean for your business.

First, we will explain the differences between the two approaches to data protection. This will help us understand the importance of opt-in and opt-out in your business’s everyday operations. 

You need to comply with the data protection laws of the country where your business is located and the data protection laws where your users come from. That’s why most online businesses need to comply with more than one data privacy law — they never know where the next user may come from.

What is the Opt-In Approach?

In a legal sense, opt-in means that the user needs to take affirmative action to opt into your processing of their data. If the user doesn’t opt to provide their data for processing purposes, you must not process it. If the user consents to the data processing (Take a look at our Data Processing Agreement Guide), you may proceed. Otherwise, you must not collect or process their data.

For example, when you use cookies on your website, including functionality or advertising cookies that collect personal data, the opt-in approach requires you to ask for consent before firing the cookies. Usually, that will be when a user lands on your website for the first time.

When you do email marketing, opt-in means that the data subject has agreed to receive your newsletter. You cannot send them emails to the user account if they haven’t opted in to receive emails.

Even Google Analytics cookies require opt-in in many jurisdictions. If that is the case, you must not use GA before obtaining consent from the user, i.e., they opt-in using Google Analytics cookies.

This is the approach followed by the EU General Data Protection Regulation (GDPR), Brazilian LGPD, Thai PDPA, and many others that follow the trend set by the GDPR. This involves most of the data protection laws introduced since the introduction of the GDPR. Read the key differences between PDPA and GDPR and the latest blog posts about PDPA.

The only significant exception is the US— they take the opt-out approach.

What is the Opt-Out Approach?

The opt-out approach is to collect and process users’ personal data until the user chooses to opt out of the processing by taking affirmative action.

Opt-out means that internet users’ personal data can be collected at any time, by anyone, and by any means, and can be processed freely until the user reaches out and tells them they want to restrict or prevent the further processing of their personal information. 

There is no need to ask for cookie consent or any other type of consent for data processing. That is not required. All that is required is to stop processing data if the user wants to.

This concept is present in the Californian CCPA and CPRA (CCPA 2.0), the upcoming Colorado CPA, Virginia CDPA, Utah CPA, and Connecticut DPA. Read more about CPRA and how it differs from CCPA. These are the only five US states that have passed any data protection law, and they all take the opt-out approach.

Opt-In vs. Opt-Out in Your Everyday Business Operations

In your everyday business operations, opt-in and opt-out are expressions that have slightly different meanings.

What is an Opt-In?

Opt-in is an affirmative action the user takes to allow you to process their personal data. The user opts in when they indicate that they agree to have their data processed by you.

In the case of the GDPR, LGPD, and similar laws, this mostly comes from cookie consent. The business puts a cookie banner on the website asking for consent, and the user can freely choose whether to opt-in or not.

Clicking an ACCEPT COOKIES button means a successful opt-in. Clicking a REFUSE COOKIES button means that the user does not accept cookies; hence it is neither opt-in nor opt-out.

Moreover, the opt-in has to be valid. It is valid if it meets the requirements set by the law. In the case of obtaining consent according to the GDPR, it has to be given freely, specific, informed, and unambiguous. Otherwise, it doesn’t count as an opt-in.

Aside from interacting with the cookie banner, users can opt-in in other ways too. Some common opt-in methods include cookie consent banners, checkboxes for receiving emails, opt-in boxes, and others. Sometimes users leave their personal information to have a product delivered to their home; sometimes they want to be contacted by customer support, sometimes, they want to receive a freebie from the business.

There are many ways to opt in, but one thing is always common for all - the business must not use personal data before the opt-in.

What is an Opt-Out?

Opt-out is the user’s act of indicating that they don’t want their data processed anymore. The opt-out assumes that you process some of their data, and they tell you that they don’t want you to do it in the future.

That may include restriction of processing, withdrawal of previously given consent, deletion of personal data, prevention of sales of personal data, or any other action that prevents the data controller, i.e., the business, from doing anything with the personal data they have collected or processed previously.

Opting out is present in all the data protection laws worldwide, even those that rely on the opt-in principle. Whenever a business processes some personal data, they have to provide the user with opt-out request options. Sometimes businesses rely on legitimate interests, others do direct marketing in compliant ways, and it is allowed to process some personal data without opt-in. However, they have to provide data subjects with an opportunity to submit opt-out requests, such as an unsubscribe link or another method.

It is present in the GDPR, CCPA, LGPD, and many others.

Opt-In vs. Opt-Out: GDPR vs. CCPA

The GDPR vs. CCPA comparison is the best way to understand the differences between the opt-in and opt-out approaches.

GDPR is the typical law that relies on opt-in. CCPA is the typical one for the opt-out approach.

However, both contain opt-in and opt-out elements in themselves.

GDPR requires opting in for any use of online trackers. In most cases, compliance with the GDPR requires asking the user for consent to process their data.

In addition, they can opt out at any time by withdrawing the previously given consent. They can also opt out of the processing, either fully or partially, by restricting or objecting to the processing or requesting the erasure of their personal data. Users can also move their data from your records to another business’ records, which means they opt out of the processing and then opt in again.

CCPA relies on the opt-out approach, but there are two exceptions to the rule: opt-in is required for 1) collection and processing of children’s data and 2) in cases when the user has opted out before and now want to opt in again.

Users can opt out at any time by requesting the deletion of their personal information and opt-out of the sales of their data and from any incentives program.

How to Get Users to Opt-In?

Getting users to opt-in depends on your situation, but that will be through asking for consent in most cases.

GDPR strictly prescribes how to obtain users’ consent for data processing. According to its legal requirements, opting in must always be an informed decision. You can read in length about that here.

Opting-in for minors under the California Consumer Privacy Act (CCPA) requires opting-in by the parent or guardian. In many cases, you may need to confirm the parent or guardian’s presence by talking to them over a toll-free phone or a video call.

What to Do When a User Opts-Out

When a user indicates they want to opt-out, you must fulfill their request, no questions asked.

When you receive a request that means opting out, you need to do any of the following:

GDPR only

Withdraw consent. Consent withdrawal has to be made as easy as giving consent. Once a user withdraws consent, you must not process their data anymore.

Object or restrict the processing. It depends on the request. The user decides how to object to or restrict the processing. You need to comply with their request, so you need to adjust your data processing as per their request.

GDPR and CCPA/CPRA

Delete personal data. Both laws prescribe that when a user requests deletion of their data, you need to remove their personal information from your records.

CCPA/CPRA only

Opt out of sales or financial incentives, or targeted advertising. US laws allow the sale of personal information. Still, CCPA empowers California residents with the right to opt out of the sale of their personal data by a business that has it.

In the US, it is common for companies to sell personal data. This includes companies that handle sensitive personal information, such as data related to the use of credit cards, financial data, health data, purchase behavior, and so on.

Users can also opt out of any financial incentives program in relation to their personal information. If you receive such a request, you must remove the user’s data from the program records.

Opt-In and Opt-Out with Secure Privacy

GDPR is the synonym for the opt-in principle, and the CCPA is the synonym for the opt-out approach. However, it is not all black and white.

They both prescribe in what cases you must rely on the user’s opt-in to the processing and when you can just wait for them to opt out. That’s why you need to learn how to act in every situation.

If you don’t want to bother with that, Secure Privacy’s consent management solution ensures effortless compliance with users’ opting in and out. You don’t have to think about asking for consent or how to delete personal data. It is all embedded in the software.