Consent Opt-In/Opt-Out Best Practices and Compliance

Last updated on 01 July 2022 by William Blesch (Legal and data protection research writer at TermsFeed)

Consent Opt-In/Opt-Out Best Practices and Compliance

Ever since the adoption of the EU's General Data Protection Regulation (GDPR) in 2016, businesses worldwide have been scrambling to comply with new data privacy laws.

Today, few companies would say that their goal was to do the bare minimum when it comes to respecting the data privacy of their customers. Instead, most executive teams understand the importance of getting ahead of the curve as more privacy laws are passed on a global scale.

Companies need to be seen as privacy champions in their respective industries in the current corporate and political climate. Strong privacy fosters trust.

For a business to succeed, trust is essential.

If you don't believe that, consider that three quarters of consumers place brand trust above price when making purchasing decisions. Respecting privacy is a significant pillar in gaining and retaining customer trust and loyalty.

Part of respecting privacy is gaining consent and allowing consent to be withdrawn through the use of data collection and processing opt-ins and opt-outs. But, what does that even mean?

What laws require opt-ins and opt-outs? What kind of companies must comply with them? How can companies ensure they comply?

We'll answer all these questions and more in this article.

Start generating the necessary legal agreements for your website or app in minutes with TermsFeed.

We also offer different solutions and tools for your website or app:

Before we get into the different methods of obtaining user consent, it is essential to understand the legal requirements. Consent is required in data privacy laws around the world. When users provide consent to a business, it must be freely given, informed, and specific.

In other words, you should properly educate users about the information processing activities to which they consent. Invalid consent would be any consent obtained through coercion or ambiguous, vague terms.

Keep in mind that privacy violations can be incredibly costly. To push that point home, remember that six of the 14 highest GDPR fines, ranging from January 2020 to January 2021, were for consent violations.

For example, Amazon paid a fee of $877 million, Google paid out $56.6 million, and the telecom company Wind paid a fee of $20 million, all for consent violations.

What is Opt-In Consent?

Opting in is a process that describes a positive action taken by a business's customer or website visitor, which that individual must take before the company is legally allowed to collect and process that person's data.

Under European Union and Canadian privacy laws, opting in is the process most often required to gain user consent. Today, checkboxes as part of a clickwrap agreement are one of the most popular ways to obtain it.

Here's an example of an opt-in from the social media platform MeWe's registration screen:

MeWe registration form with checkboxes highlighted

However, note that EU law (both the GDPR as well as the Cookie Law/ePrivacy) allows people to opt out of consent even after they've given it. Therefore, you must be aware of what various privacy laws require and allow within the geographic regions in which you do business.

What is an Opt-Out?

What is an Opt-Out?

Opting out is when a user takes action in order to withdraw their consent. As previously stated, the GDPR and Cookie Law/ePrivacy specifically allow people to opt-out after they've already opted-in.

Now, you can use two main methods to provide opt-outs for users.

A pre-emptive opt out is the first. Users can uncheck a box (as in a clickwrap agreement) or undo confirmation to indicate their disinterest in the activity being presented.

Consent withdrawal is another form of opting out as stated in the GDPR text seen above. When you give users the option to withdraw consent or modify their preferences, it is called consent withdrawal.

Finally, you may be familiar with the "unsubscribe" link, which is a more common way to opt out.

Take a look at the following example email from Social Media Examiner:

Social Media Examiner email with opt-out section highlighted

This is a commonly used, adequate way to allow opting out after a user has opted in to receiving marketing emails.

Which Laws Require Opt-In/Opt-Out

Which Laws Require Opt-In and Opt-Out

Although opt-in laws in the US differ from those in the EU, the intention is the same. These laws are designed to protect an organization's customers from unwanted marketing communications.

The EU has adopted GDPR legislation. This is more extensive than the US regulations. The US doesn't require opt-ins to email marketing. This is one of the most significant legal differences between the two continents.

Nevertheless, many businesses across the United States implement opt-ins for email marketing in North America to provide their customers with better transparency when it comes to email marketing.

With that said, here's a list of the major privacy laws that require opt-ins and opt-outs in one way
or another:

United States of America

Let's take a look at the specifics of each law.

SPAM Act 2003

Australia's Spam Act of 2003 regulates the sending of commercial electronic messages via email or SMS. The Communications Council encourages best practices in eMarketing.

It has collaborated with regulators and industry to create the Australian eMarketing code of conduct. This Code was developed under Section 112(1)A of the Telecommunications Act. The Privacy Act 1988 should also be considered when considering the Code.

This Code outlines the requirements for sending promotional or marketing messages via email or other non-voice mobile communication channels. The Code defines eMarketers as:

  • Companies that use mobile or email communications to market their products or services as their primary method of communication, and
  • Third-party organizations that use mobile or email communications to market products or services for clients

The point is, all companies doing business in Australia should bear in mind that express consent through an opt-in is required unless "the sender has obtained the recipient's email address through a prior commercial relationship."

Canadian Anti-Spam Legislation

CASL, like its U.S. counterpart, covers commercial email (and electronic messages). It also includes text messages. CASL explicitly includes non-profit organizations where emails are intended to encourage participation in commercial activities.

Before an email can go out, a company must have acquired explicit consent through an opt-in. In practice, you must obtain this consent before any emails are sent.

A few exceptions to express prior permission include messages from political parties, charities, family members, people with personal relationships, as well as persons within and between organizations.

General Data Protection Regulation (GDPR)

The GDPR requires all organizations to obtain opt-ins if they process the personal data of EU residents. It doesn't matter where the organization is based.

All opt-ins must be specific, clear, freely given, and documented. Organizations must also provide a means for users to withdraw consent even if they've already given it. Additionally, under the GDPR, a business must obtain consent for every specific channel through which they intend to collect and process data.

In other words, the GDPR doesn't permit organizations to obtain one "all-encompassing" blanket consent.

Learn more about this in the GDPR's Recital 42 and our article about Consent Under the GDPR.

ePrivacy Directive

This EU directive regulates all direct email marketing messages, including political and charitable messages. Opt-ins are also required for SMS marketing.

The Cookie Law started as an EU directive. In May 2011, it was adopted by all EU countries. The law requires businesses to gain consent from visitors to store or retrieve any information on a tablet, smartphone, or computer.

The EU directive in question gave people the right to refuse the use of cookies on their devices. Each EU country eventually updated its own laws to bring itself into compliance with the directive. In the United Kingdom, relevant authorities updated its Privacy and Electronic Communications Regulations.

The directive gave individuals rights to refuse the use of cookies that reduce their online privacy. Each country then revised its own laws to comply.


The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act) covers all commercial marketing and advertisement messages intended to promote products or services.

Instead of demanding that businesses obtain an explicit opt-in, The CAN-SPAM Act requires users to explicitly request that marketing messages stop. In other words, users have to opt out if they don't want to receive marketing and advertising emails from a particular organization.

The Telephone Consumer Protection Act (TCPA)

This act limits telephone solicitations. The law explicitly covers fax machines, SMS text messages, and pre-recorded voice messages. For instance, it's prohibited to deliver messages without express consent.

The California Consumer Privacy Act (CCPA)

The CCPA doesn't demand that organizations acquire consent the way the GDPR does. In fact, there are only a few specific circumstances under which businesses must get users to opt in before collecting and processing personal data.

Those circumstances are:

  • When an organization wants to sell the personal information of a minor (anyone under the age of 1)
  • When an organization wants to sell data of an individual who has explicitly opted out

Note the precise text below:

(c) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer's personal information. A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age. This right may be referred to as the "right to opt-in."

How to Comply with Opt-In/Opt-Out Requirements

How to Comply with Opt-In/Opt-Out Requirements

Now that you understand a little about what opt-ins and opt-outs are and the laws that require them, how do you bring your business into compliance? The trick is knowing how and when to use them.

Let's look at opt-ins first.

When to Use Opt-Ins

Always use opt-ins if you do business in the European Union. There is no sense in risking the huge fines that the EU could levy against your company if you violate GDPR rules.

Additionally, if you outline your data collection practices in your Privacy Policy, you should use an opt-in. If the truth were told, you should work to get explicit consent for every legal policy you use on your website. That includes your Terms and Conditions and the Privacy Policy just mentioned.

Now, if you collect the personal data of EU residents, it has to be done on a specific legal basis, one of which is consent. The others are:

  • Public interest
  • Legal obligation
  • Vital interest of the user
  • Contractual necessity
  • Legitimate interests

Some businesses may argue that they have a legitimate interest when it comes to data collection and user consent isn't necessary. However, there are some categories of personal data for which you must absolutely gain explicit user consent.

If you collect any of the following types of personal information, the GDPR requires explicit consent to do so:

  • Political opinions
  • Racial or ethnic origins
  • Religious or philosophical beliefs
  • Genetic data
  • Biometric data
  • Health data
  • Sexual orientation
  • Trade union membership

The best option for doing that is by providing the user with an opt-in method. Even if you don't do business in the EU, you should make obtaining explicit and specific consent a part of your practices as laws in the United States, Canada, and elsewhere are constantly being updated with regulations that are more and more like those of the GDPR.

When Using Cookies to Market in the EU

If you use cookies when marketing in EU countries, you should use specific opt-in forms that allow users to consent to different categories of cookies. For example, users may be totally fine with the use of some cookies, but not all.

Under the Cookie Law, you must provide them with options.

When Selling the Data of Minors

None of the privacy laws in the United States come close to the requirements placed on organizations by the GDPR. However, as previously stated, California's CCPA demands that you obtain explicit consent if you intend to sell the personal data of a minor in that state.

Specifically, in section 1798.120 (d) of the CCPA states:

"A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, [...], has affirmatively authorized the sale of the consumer's personal information."

To gain explicit consent from a user or have them "affirmatively authorize" your ability to collect and process data, you can use an opt-in at the data collection point of entry.

For instance, you might use a pop-up notice, which appears on a sign-up page if the user indicates they're younger than 16 years of age (e.g., the user enters their age in a form, and if it's less than 16, then a pop-up appears).

You can then use clickwrap agreements with an unchecked box. If the user checks the box, explicit consent has then been given.

When to Use Opt-Outs

Remember that when you provide users in the EU with a means to opt in, you must also give them a way to withdraw consent. That means allowing them to opt-out of data collection and processing even if they've already opted in.

The right to say "no" to data collection is enshrined in EU law.

You can provide a means of opting out by giving users a link to submit an opt-out request or by giving them a way to contact you to submit such a request.

When Using Cookies to Market

Under the GDPR, you have to provide users with a way to opt out of cookie use or to withdraw previously given permission.

When Sending Marketing Emails

The GDPR also demands that you provide users with a way to opt out of receiving marketing email communications. Again, that's true even if the user has previously given explicit consent.

One of the best ways to ensure compliance with the GDPR when it comes to consent is to always provide users with an opt-in form, usually in the form of a clickwrap agreement, and with a means to opt-out, such as an unsubscribe link.


In the end, while there are certain situations to use opt-ins and others where it makes sense for an organization to go with an opt-out method, any business that wishes to remain compliant with ever-increasingly strict privacy laws should use both.

However, keep in mind that providing your customers with opt-ins and opt-outs isn't just about compliance with the law. It's about showing your customers that you respect them by giving them more control over their personal data.

Remember, companies that respect customers' privacy will have happier customers, fewer legal problems, and stronger customer relationships.

Create Privacy Policy, Terms & Conditions and other legal agreements in a few minutes. Free to use, free to download.

Get started today ⇢

Screenshot of TermsFeed Generator

William Blesch

William Blesch

Legal and data protection research writer at TermsFeed

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.