March 9, 2022

What’s the Difference: Opt-In vs. Opt-Out

Users can take action to either offer (opt-in) or withdraw (opt-out) their consent. Find out the differences here.

Opt-in and opt-out are some of the most common expressions used in data protection. But what exactly do they mean? To start, they come in many forms and with multiple meanings.

Opt-in and opt-out are the two approaches to data privacy on which the main trends in data protection laws are based. They describe actions taken by internet users in relation to their personal data when accessing a website or an app, such as accepting cookies, requesting to be forgotten, and so on.

This may sound abstract, and it is, but let’s break it down so you can better understand the terms ‘opt-in’ and ‘opt-out,’ and what they mean for your business.

First, we will explain the differences between the two approaches to data protection. This will help us understand the importance of opt-in and opt-out in your business’s everyday operations.

Opt-In vs. Opt-Out as Data Protection Approaches

You need to comply with the data protection laws of the country where your business is located and with the data protection laws of the countries your users come from. That’s why most online businesses need to comply with more than one data privacy law: they never know where the next user may come from.

What is the Opt-In Approach?

In a legal sense, opt-in means that the user needs to take affirmative action to opt in to your processing of their data. If the user doesn’t opt to provide their data for your processing purposes, you must not process it. If the user consents to the data processing (take a look at our Data Processing Agreement Guide), then you may proceed; otherwise, you must not collect or process their data.

This is the approach followed by the EU GDPR, the Brazilian LGPD, the Thai PDPA, and many others that follow the trend set by the GDPR. That covers most of the data protection laws introduced since the GDPR. Read about the key differences between the PDPA and the GDPR, and the latest blog posts about the PDPA.

The only exception is the US, which takes the opt-out approach.

What is the Opt-Out Approach?

The opt-out approach is to collect and process users’ personal data until the user chooses to opt out of the processing by taking affirmative action.

This means that internet users’ personal data can be collected at any time, by anyone, and by any means, and can be processed freely until the user reaches out and tells the business that they want to restrict or prevent further processing of their personal information.

There is no need to ask for cookie consent or any other type of consent for data processing. All that is required is to stop processing the data if the user asks you to.

This concept is present in the Californian CCPA and CPRA (CCPA 2.0) and in the upcoming Colorado CPA and Virginia CDPA. Read more about CPRA and how it differs from CCPA. These are the only three US states that have passed any data protection law so far, and they all take the opt-out approach.

Opt-In vs. Opt-Out in Your Everyday Business Operations

In your everyday business operations, opt-in and opt-out are expressions that have a slightly different meaning.

What is an Opt-In?

Opt-in is an affirmative action the user takes to allow you to process their personal data. The user opts in when they clearly indicate that they agree to have their data processed by you.

In the case of the GDPR, LGPD, and similar laws, this mostly comes in the form of cookie consent. The business puts a cookie banner on the website asking for consent, and the user can freely choose whether to opt in or not.

Clicking an ACCEPT COOKIES button means a successful opt-in. Clicking a REFUSE COOKIES button means that the user does not accept cookies; hence it is neither opt-in nor opt-out.

Moreover, the opt-in has to be valid. It is valid if it meets the requirements set by the law. In the case of consent under the GDPR, it has to be freely given, specific, informed, and unambiguous. Otherwise, it doesn’t count as an opt-in.

Aside from interacting with the cookie banner, users can opt in in other ways too. Sometimes users leave their personal information to have a product delivered to their home; sometimes they want to be contacted by customer support; sometimes they want to receive a freebie from the business.

There are many ways to opt in, but one thing is common to all of them: the business must not use any personal data before the opt-in.

What is an Opt-Out?

Opt-out is the user’s act of indicating that they don’t want their data processed anymore. The opt-out assumes that you process some of their data, and they tell you that they don’t want you to do it in the future.

That may include restriction of processing, withdrawal of previously given consent, deletion of personal data, prevention of the sale of personal data, or any other action that prevents the data controller, i.e., the business, from doing anything with the personal data it has previously collected or processed.

The concept of opting out is present in all data protection laws worldwide, even in those that rely on the opt-in principle. Whenever a business processes personal data, it has to provide the user with opt-out options.

It is present in the GDPR, CCPA, LGPD, and many others.

Opt-In vs. Opt-Out: GDPR vs. CCPA

The GDPR vs. CCPA comparison is the best way to understand the differences between the opt-in and opt-out approaches.

GDPR is the typical law that relies on opt-in. CCPA is the typical one for the opt-out approach.

However, both contain opt-in and opt-out elements.

GDPR requires opting in for any use of online trackers. In most cases, compliance with the GDPR requires you to ask the user for consent to process their data.

In addition, users can opt out at any time by withdrawing previously given consent. They can also opt out of the processing either fully or partially, by restricting or objecting to the processing, or by requesting erasure of their personal data. Users can also move their data from your records to another business’s records, which means they opt out of your processing and then opt in again elsewhere.

CCPA relies on the opt-out approach, but there are two exceptions to the rule: opt-in is required 1) for the collection and processing of children’s data, and 2) when the user has opted out before and now wants to opt in again.

Users can opt out at any time by requesting deletion of their personal information, and they can opt out of the sale of their data and of any financial incentives program.
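To make the GDPR vs. CCPA difference concrete, here is an added example (not code from this post or from Secure Privacy’s product) of a small consent-state model: under the GDPR regime nothing runs until a valid opt-in is recorded, under the CCPA regime processing is allowed until an opt-out, with the two opt-in exceptions above. The regime names, field names and the validity flags are assumptions for illustration.

```javascript
// Added example: consent-state rules for the opt-in (GDPR) and opt-out (CCPA)
// approaches. Names and fields are assumed for illustration, not a real API.
const REGIME = { GDPR: "gdpr", CCPA: "ccpa" };

// Fresh record for one user. Under GDPR nothing is permitted until the user
// opts in; under CCPA processing is permitted until the user opts out.
function newConsentRecord(regime, { isChild = false } = {}) {
  return {
    regime,
    isChild,
    optedIn: false,        // affirmative action recorded
    optedOut: false,       // withdrawal / objection / "do not sell" recorded
    everOptedOut: false,   // CCPA: after an opt-out, a fresh opt-in is required
    parentalOptIn: false,  // CCPA: children need a parent/guardian opt-in
  };
}

// Record an opt-in. A GDPR opt-in only counts if it is freely given, specific,
// informed and unambiguous; anything else leaves the record unchanged
// (a "refuse cookies" click is likewise neither an opt-in nor an opt-out).
function recordOptIn(rec, { freelyGiven, specific, informed, unambiguous, byParent = false }) {
  const valid = freelyGiven && specific && informed && unambiguous;
  if (!valid) return rec;
  return { ...rec, optedIn: true, optedOut: false, parentalOptIn: rec.parentalOptIn || byParent };
}

// Record an opt-out (consent withdrawal, objection, or opt-out of sale).
function recordOptOut(rec) {
  return { ...rec, optedIn: false, optedOut: true, everOptedOut: true };
}

// May non-essential trackers run for this user right now?
function mayProcess(rec) {
  if (rec.regime === REGIME.GDPR) {
    return rec.optedIn && !rec.optedOut;                   // opt-in approach
  }
  // CCPA: opt-out approach, with the two opt-in exceptions.
  if (rec.isChild) return rec.parentalOptIn && !rec.optedOut;
  if (rec.everOptedOut) return rec.optedIn && !rec.optedOut; // must opt in again
  return !rec.optedOut;
}

module.exports = { REGIME, newConsentRecord, recordOptIn, recordOptOut, mayProcess };
```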

How to Get Users to Opt-In?

The way you get users to opt in depends on your specific situation, but in most cases it will be by asking for consent.

GDPR strictly prescribes how to obtain users’ consent for data processing. You can read about that at length here.

Under the CCPA, opting in on behalf of a child requires an opt-in by the parent or guardian. In many cases, you may need to confirm the parent or guardian’s presence by talking to them over a toll-free phone line or a video call.

What to Do When a User Opts-Out

When a user indicates they want to opt out, you need to fulfill their request, no questions asked.

When you receive a request that amounts to an opt-out, you need to do one of the following, depending on the request:

GDPR only

Withdraw consent. Consent withdrawal has to be made as easy as giving consent. Once a user withdraws consent, you must not process their data anymore.

Object to or restrict the processing. The user decides how to object to or restrict the processing, and you need to comply, so you must adjust your data processing as per their request.

GDPR and CCPA

Delete personal data. Both laws prescribe that when a user requests deletion of their data, you need to remove their personal information from your records.

CCPA only

Opt out of sales or financial incentives. US laws allow sales of personal information, but CCPA empowers users with the right to opt out of the sale of their personal data by a business that has it.

Users can also opt out of any financial incentives program in relation to their personal information. If you receive such a request, you simply need to remove the user’s data from the program records.

Opt-In and Opt-Out with Secure Privacy

GDPR is synonymous with the opt-in principle, and the CCPA with the opt-out approach. However, it is not all black and white.

They both prescribe in which cases you must rely on the user’s opt-in to the processing and when you can simply wait for them to opt out. That’s why you need to learn how to act in every situation that may arise.

If you don’t want to bother with that, Secure Privacy’s solution ensures effortless compliance with users’ opting in and out. You don’t have to think about asking for consent or how to delete personal data. It is all embedded in the software.