Obtaining consent to carry out data-driven activities has never been more important in today's privacy-conscious era. When it comes to consent, most data protection laws fall into one of two categories: opt-in or opt-out regimes.
Whether you run a website, a mobile app, an ecommerce platform, or a similar business model, you must observe the specific rules of consent in your legal jurisdiction or risk facing significant penalties.
This article will walk you through opt-in and opt-out consent systems, how they differ, which laws require them, and best practices for implementing them under various business models, as well as under modern privacy legislation.
Use our Cookie Consent all-in-one solution (Privacy Consent) for cookie management to comply with GDPR, CCPA/CPRA and other privacy laws:
- For GDPR, CCPA/CPRA and other privacy laws
- Apply privacy requirements based on user location
- Get consent prior to third-party scripts loading
- Works for desktop, tablet and mobile devices
- Customize the appearance to match your brand style
Create your Cookie Consent banner today to comply with GDPR, CCPA/CPRA and other privacy laws:
Start the Privacy Consent wizard to create the Cookie Consent code by adding your website information.
At Step 2, add in information about your business.
At Step 3, select a plan for the Cookie Consent.
You're done! Your Cookie Consent Banner is ready. Install the Cookie Consent banner on your website:
Display the Cookie Consent banner on your website by copy-pasting the installation code into the <head> section of your website. Instructions on how to add the code for specific platforms (WordPress, Shopify, Wix and more) are available on the Install page.
- 1. Consent Fundamentals: An Overview
- 2. Opt-In vs. Opt-out Consent Models
- 2.1. What Does "Opt-In" Consent Mean?
- 2.2. What Does "Opt-Out" Consent Mean?
- 3. Why Do You Need to Observe Opt-In and Opt-Out Consent Requirements?
- 4. Which Laws Require Opt-In/Opt-out Consent?
- 4.1. SPAM Act 2003
- 4.2. Canadian Anti-Spam Legislation
- 4.3. General Data Protection Regulation (GDPR)
- 4.4. ePrivacy Directive
- 4.5. The Cookie Law
- 4.6. The CAN-SPAM Act
- 4.7. The Telephone Consumer Protection Act (TCPA)
- 4.8. The California Consumer Privacy Act (CCPA/CPRA)
- 5. How to Comply with Opt-In/Opt-Out Requirements
- 5.1. When to Use Opt-Ins
- 5.1.1. When Using Cookies to Market in the EU
- 5.1.2. When Selling the Data of Minors in California
- 5.2. When to Use Opt-Outs
- 5.2.1. When Using Cookies to Market
- 5.2.2. When Sending Marketing Emails
- 6. Opt-In/Opt-Out for Mobile Apps
- 7. Opt-In/Opt-Out for Ecommerce Stores
- 8. Opt-In/Opt-Out for Cookies and Similar Trackers
- 9. Opt-In/Opt-Out Consent Under the GDPR
- 10. Opt-In/Opt-Out Consent Under the CCPA/CPRA
- 11. Summary
Consent Fundamentals: An Overview
Consent is an integral part of modern data privacy. Many international privacy laws require businesses to obtain consumer consent in order to collect, use, or share their personal information.
While the specific standards may vary depending on privacy laws, the consensus is that consent must be "freely given, specific, informed, and unambiguous." In other words, consent mustn't be obtained through compulsion, dark patterns, or complicated processes.
With increasingly high standards for data protection today, businesses must take a proactive approach to fulfill their privacy obligations. And obtaining valid consent to use personal information is a crucial step in meeting these obligations.
In practice, you'll need to place your consent request mechanism at key decision points in your service. Customers can then choose whether or not to consent to each specific activity.
Typical instances include when:
- Registering users on your website or mobile app
- Placing cookies and similar trackers on users' devices
- Getting users to accept your legal policies
- Asking users to subscribe to marketing/promotional emails
It's important to note that consent isn't always required to use an individual's personal information. For instance, Europe's GDPR sets out five other lawful bases aside from consent for businesses to collect and use personal information.
That said, let's get into the specifics of obtaining consent under opt-in and opt-out regimes.
Opt-In vs. Opt-out Consent Models
As a business owner, your consent collection method will depend on the following factors:
- The privacy laws that apply to your business,
- The location of your users, and
- The type of personal information your business collects or uses
Now, let's explore what exactly opt-in and opt-out entail and how they differ.
What Does "Opt-In" Consent Mean?
The term "opt-in" describes a consent model where individuals actively choose to allow the collection, use, or sharing of their personal information. In other words, individuals must take affirmative action before you can use their personal information.
Remember: personal information is any information that can identify a natural person, such as names, email addresses, phone numbers, social media handles, credit card details, etc.
The opt-in mechanism ensures that users have voluntarily agreed to a data processing activity, which is why it is generally considered the most secure method of obtaining consent.
Common situations where companies need to provide customers with the option to opt in include cookie use, legal policy agreements, and newsletter/email mailing lists.
Opt-in is typically implemented through clickwrap agreements where individuals must check an empty "I Agree" checkbox or click a prominently labeled "I Agree" button to show their acceptance of a data processing activity.
Here's an example of an opt-in from Turn2Us that has separate opt-in boxes for each different method of communication a user opts in to:
Alternatively, the opt-in mechanism can be implemented through a form. Customers can then provide their details (e.g., names, email addresses, contact information, etc.) and submit the form to accept the terms of the agreement.
Dropbox, for example, implements the opt-in model on its sign-up page by requiring users to click an empty checkbox that indicates agreement to its terms:
Similarly, SeedInvest requests that users agree to its legal policies and subscribe to promotional emails by ticking separate, empty checkboxes:
Another common place where opt-in consent is seen is a cookie consent banner. There are several different kinds, such as footer banners, header banners, corner boxes, and persistent pop-ups. These banners usually appear the first time a customer visits your website.
The user can then click to agree, in which case they continue to use your website and you can place cookies on their device. If they click "No, take me to settings" or a similar option that shows they are not consenting to the cookies, they are taken to a page where they can specify which cookies they will allow, if any.
Here's how Adidas UK uses a pop-up opt-in banner to gain explicit consent:
Here is a list of all typical opt-in methods:
- Oral consent requests
- Paper forms
- Digital forms
- Opt-In boxes
- Opt-In links or buttons
- Yes/No options
- Preference dashboard settings
- Clickwrap agreements
- Consent banners
- Consent popups
- Consent corner boxes
What Does "Opt-Out" Consent Mean?
Opt-out describes a consent model where individuals must take action to stop the collection, use, or sharing of their personal information.
There are two variations of this consent method:
The first, pre-emptive opt-out, assumes that users are fine with a data processing activity unless they take action to stop it. It is otherwise known as passive consent.
Typical examples of pre-emptive opt-out include when users:
- Uncheck a checkbox that is checked by default
- Unsubscribe from email newsletters they never signed up for
- Decline cookies and similar trackers that are automatically placed on their devices
Upwork uses the pre-emptive opt-out method to send promotional emails to new users. As you can see, the checkbox is checked by default, and users must uncheck it if they don't wish to receive such emails:
The second, consent withdrawal, is simply when users change their minds about a data processing activity and withdraw their consent. This opt-out mechanism is an extension of the opt-in method.
Essentially, users who have previously given their consent ("opted-in") to a particular activity can withdraw that consent ("opt-out") anytime they wish.
A typical example is the "unsubscribe" link or button you've likely seen at the bottom of email newsletters you previously subscribed to.
Here's an example from Entrepreneurs HQ:
Now that we've covered what these different consent mechanisms are, let's explore more of why they matter, and why you need to implement them appropriately.
Why Do You Need to Observe Opt-In and Opt-Out Consent Requirements?
As noted earlier, opt-in and opt-out consent systems are expressly mandated by many data privacy laws across the world.
The European Union, per the General Data Protection Regulation (GDPR), is an excellent example of an opt-in consent regime. Other opt-in regimes include but aren't limited to Canada, the United Kingdom, Brazil, South Korea, Japan, Colombia, Chile, Morocco, India, Malaysia, and South Africa.
In contrast, the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) in the United States is a prime example of an opt-out consent regime. Hong Kong, Switzerland, and Australia are other notable examples of opt-out regimes.
It's important to note that privacy law violations can be incredibly costly. To push that point home, remember that six of the 14 highest GDPR fines issued between January 2020 and January 2021 were for consent violations.
For example, Amazon was fined $877 million, Google paid out $56.6 million, and the telecom company Wind was fined $20 million, all for consent violations.
Nowadays, obtaining consent is not only a requirement imposed by privacy laws but also an ethical responsibility that demonstrates respect for personal privacy. Moreover, it promotes transparency and can ultimately contribute to building a positive reputation for any business.
Which Laws Require Opt-In/Opt-out Consent?
Although opt-in laws in the U.S. differ from those in the EU, the intention is the same. These laws are designed to protect an organization's customers from unwanted marketing communications.
The EU's GDPR is more extensive than U.S. regulations: the U.S. does not require opt-ins for email marketing, which is one of the most significant legal differences between the two jurisdictions. (Note, however, that opt-in consent is required in the U.S. for SMS or text-message marketing.)
Nevertheless, many businesses in the United States implement opt-ins for email marketing anyway, to give their customers greater transparency.
Let's take a look at the specifics of some of these laws.
SPAM Act 2003
Australia's Spam Act 2003 regulates the sending of commercial electronic messages via email or SMS. The Communications Council encourages best practice in eMarketing.
It has collaborated with regulators and industry to create the Australian eMarketing Code of Conduct, developed under Section 112(1)A of the Telecommunications Act. The Privacy Act 1988 should also be taken into account alongside the Code.
This Code outlines the requirements for sending promotional or marketing messages via email or other non-voice mobile communication channels. The Code defines eMarketers as:
- Companies that use mobile or email communications to market their products or services as their primary method of communication, and
- Third-party organizations that use mobile or email communications to market products or services for clients
The point is, all companies doing business in Australia should bear in mind that express consent through an opt-in is required unless "the sender has obtained the recipient's email address through a prior commercial relationship."
Canadian Anti-Spam Legislation
CASL, like its U.S. counterpart, covers commercial email (and electronic messages). It also includes text messages. CASL explicitly includes non-profit organizations where emails are intended to encourage participation in commercial activities.
Before an email can go out, a company must have acquired explicit consent through an opt-in; in practice, this consent must be in place before any emails are sent.
A few exceptions to express prior permission include messages from political parties, charities, family members, people with personal relationships, as well as persons within and between organizations.
General Data Protection Regulation (GDPR)
The GDPR requires that when consent is necessary, it be at a high opt-in standard. The GDPR applies to businesses if they process the personal data of EU residents. It doesn't matter where the business itself is based.
All opt-ins must be specific, clear, freely given, and documented. Organizations must also provide a means for users to withdraw consent even if they've already given it. Additionally, under the GDPR, a business must obtain consent for every specific channel through which they intend to collect and process data.
In other words, the GDPR doesn't permit organizations to obtain one "all-encompassing" blanket consent.
More GDPR-specific information appears in the section "Opt-In/Opt-Out Consent Under the GDPR" later in this article.
ePrivacy Directive
This EU directive regulates all direct email marketing messages, including political and charitable messages. Opt-ins are also required for SMS marketing.
The Cookie Law
The Cookie Law started as an EU directive. In May 2011, it was adopted by all EU countries. The law requires businesses to gain consent from visitors to store or retrieve any information on a tablet, smartphone, or computer.
The CAN-SPAM Act
The Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003 (CAN-SPAM Act) covers all commercial marketing and advertisement messages intended to promote products or services.
Instead of demanding that businesses obtain an explicit opt-in, the CAN-SPAM Act requires users to explicitly request that marketing messages stop. In other words, users have to opt out if they don't want to receive marketing and advertising emails from a particular organization.
The Telephone Consumer Protection Act (TCPA)
This act limits telephone solicitations. The law explicitly covers fax machines, SMS text messages, and pre-recorded voice messages. For instance, it's prohibited to deliver messages without express consent.
The California Consumer Privacy Act (CCPA/CPRA)
The CCPA (CPRA) doesn't demand that organizations acquire consent the way the GDPR does. In fact, there are only a few specific circumstances under which businesses must get users to opt in before collecting and processing personal data.
Those circumstances are:
- When an organization wants to sell the personal information of a minor (anyone under the age of 16)
- When an organization wants to sell data of an individual who has explicitly opted out
Note the precise text below:
(c) Notwithstanding subdivision (a), a business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers between 13 and 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale of the consumer's personal information. A business that willfully disregards the consumer's age shall be deemed to have had actual knowledge of the consumer's age. This right may be referred to as the "right to opt-in."
More detailed information about the CCPA and CPRA appears in the section "Opt-In/Opt-Out Consent Under the CCPA/CPRA" later in this article.
How to Comply with Opt-In/Opt-Out Requirements
Now that you understand a little about what opt-ins and opt-outs are and the laws that require them, how do you bring your business into compliance? The trick is knowing how and when to use them.
Let's look at opt-ins first.
When to Use Opt-Ins
Always use opt-ins if you do business in the European Union. There is no sense in risking the huge fines that the EU could levy against your company if you violate GDPR rules.
Even if you don't do business in the EU, you should make obtaining explicit and specific consent a part of your practices as laws in the United States, Canada, and elsewhere are constantly being updated with regulations that are more and more like those of the GDPR.
Now, if you collect the personal data of EU residents, it has to be done on a specific legal basis, one of which is consent. The others are:
- Public interest
- Legal obligation
- Vital interest of the user
- Contractual necessity
- Legitimate interests
Some businesses may argue that they have a legitimate interest when it comes to data collection and user consent isn't necessary. However, there are some categories of personal data for which you must absolutely gain explicit user consent.
If you collect any of the following types of what's known as sensitive personal information, the GDPR requires explicit consent to do so:
- Political opinions
- Racial or ethnic origins
- Religious or philosophical beliefs
- Genetic data
- Biometric data
- Health data
- Sexual orientation
- Trade union membership
The best option for doing that is by providing the user with an opt-in method.
When Using Cookies to Market in the EU
Under the Cookie Law, you must give users the option to accept or reject cookies before any information is stored on or retrieved from their device.
When Selling the Data of Minors in California
None of the privacy laws in the United States come close to the requirements placed on organizations by the GDPR. However, as previously stated, California's CCPA (CPRA) demands that you obtain explicit consent if you intend to sell the personal data of a minor in that state.
Specifically, section 1798.120(d) of the CCPA (CPRA) states:
"A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, [...], has affirmatively authorized the sale of the consumer's personal information."
To gain explicit consent from a user or have them "affirmatively authorize" your ability to collect and process data, you can use an opt-in at the data collection point of entry.
For instance, you might use a pop-up notice, which appears on a sign-up page if the user indicates they're younger than 16 years of age (e.g., the user enters their age in a form, and if it's less than 16, then a pop-up appears).
You can then use clickwrap agreements with an unchecked box. If the user checks the box, explicit consent has then been given.
When to Use Opt-Outs
Remember that when you provide users in the EU with a means to opt in, you must also give them a way to withdraw consent. That means allowing them to opt out of data collection and processing even if they've already opted in.
The right to say "no" to data collection is enshrined in EU law.
You can provide a means of opting out by giving users a link to submit an opt-out request or by giving them a way to contact you to submit such a request.
When Using Cookies to Market
Under the GDPR and a number of other privacy laws, you have to provide users with a way to opt out of cookie use or to withdraw previously given permission. In fact, everyone who requests consent should make it equally as easy to withdraw consent.
When Sending Marketing Emails
The GDPR also demands that you provide users with a way to opt out of receiving marketing email communications. Again, that's true even if the user has previously given explicit consent.
One of the best ways to ensure compliance with the GDPR when it comes to consent is to always provide users with an opt-in form, usually in the form of a clickwrap agreement, and with a means to opt out, such as an unsubscribe link.
Opt-In/Opt-Out for Mobile Apps
Like any other online business, mobile apps must observe the rules of opt-in and opt-out consent to legally collect and use personal information.
As a mobile app developer, you'll likely need to obtain user consent to carry out various data processing operations. Typical instances include when:
- Collecting a user's location data
- Accessing images and other files saved on a user's device
- Obtaining a user's social networking login credentials
It's important to note that your consent collection method depends entirely on the consent regime in your jurisdiction, irrespective of your business model.
For instance, if you have users in the EU, your mobile app must use the opt-in consent mechanism to invite or register users for any data processing activity. Remember that users must be able to withdraw their consent for that activity at any time.
Under an opt-in consent regime, empty checkboxes are the best way to obtain consent. Users must check these boxes before you can legally collect or use their information for any data processing activity on your app.
Another option is the use of a form and a button instead of an empty checkbox to request user consent. While this is not the best option, it's nonetheless a valid method to get opt-in consent.
Here's how the LinkedIn mobile app uses a form and button on its sign-up page to get users to agree to its legal policies:
Under an opt-out consent regime, however, your mobile app can automatically collect, use, or share users' personal information until they stop it from doing so.
Opt-In/Opt-Out for Ecommerce Stores
Like mobile apps, ecommerce stores also collect and handle a wide range of personal information to facilitate their operations.
As an ecommerce retailer, you'll likely collect, use, or share personal information to:
- Offer customers personalized ads
- Ship products to customers
- Process payments for purchases
- Retarget customers
Under most privacy regulations, conducting any of the activities above will require some form of user consent.
Remember: The specific consent mechanism you implement will depend on the consent regime in your legal jurisdiction.
Under an opt-in consent regime, you must obtain consent through affirmative action before collecting, using, or sharing personal information for your ecommerce needs.
For instance, here's how Coca-Cola implements the opt-in mechanism through separate empty checkboxes to get user consent for its legal policies and offer them email subscriptions:
Conversely, under an opt-out consent regime, your ecommerce store can adopt the pre-emptive opt-out mechanism like Costco does here:
Note how the checkbox is checked by default, which means customers must uncheck it if they don't wish to receive marketing emails.
Opt-In/Opt-Out for Cookies and Similar Trackers
Cookies are small pieces of data stored on users' devices when they visit a website. These trackers are generally used to remember users' preferences and monitor their browsing behavior.
To obtain cookie consent, you'll need to set up a cookie banner that pops up when a user first visits your platform. As always, the precise consent collection method depends on the consent regime of applicable privacy laws.
Under an opt-in regime (e.g., the EU), you must provide prominent "Accept all" and "Reject all" buttons to allow users to accept or decline your cookies from the get-go.
Importantly, you must also set up separate opt-in checkboxes/toggle buttons that allow users to consent to specific categories of cookies and similar trackers.
For example, here's how EY displays a prominent accept and decline button on its platform, making sure to mention that users can withdraw their consent whenever they wish:
Once users click the customize cookies link, EY directs them to a cookie settings page where they can select which cookie categories they wish to accept. Note how the checkboxes for each cookie category are unchecked by default in compliance with opt-in standards:
Under an opt-out consent regime, cookies are placed automatically on users' devices, and they must take action if they wish to decline each cookie category.
Here's an example of an opt-out consent system from Upwork with the toggle buttons for each cookie category turned on by default. Users can then adjust their cookie preferences accordingly:
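As an added example (not code from the article or from any consent product), here is a minimal consent gate in JavaScript that applies the two defaults described above and lets a third-party tracker load only for categories the visitor has allowed; the category names, the storage key and the method names are assumptions, and `storage` stands in for a first-party cookie or localStorage.

```javascript
// Added example, not code from the original article. Category names, the
// storage key and method names are hypothetical; `storage` stands in for a
// first-party cookie or localStorage in a real deployment.

const CATEGORIES = ["necessary", "analytics", "marketing"];

// Initial toggle state before the visitor has made any choice.
// Opt-in regime (GDPR/ePrivacy): every non-essential category is off.
// Opt-out regime (CCPA/CPRA): every category is on until the visitor turns it off.
function defaultConsent(regime) {
  const optIn = regime === "opt-in";
  return Object.fromEntries(
    CATEGORIES.map((c) => [c, c === "necessary" || !optIn])
  );
}

class ConsentManager {
  constructor(regime, storage = new Map()) {
    if (regime !== "opt-in" && regime !== "opt-out") {
      throw new Error(`unknown consent regime: ${regime}`);
    }
    this.regime = regime;
    this.storage = storage; // stand-in for a first-party cookie / localStorage
    this.loaded = new Set(); // URLs of trackers this page view has injected
  }

  // The stored consent record, or null on a first visit.
  record() {
    const raw = this.storage.get("consent_v1");
    return raw ? JSON.parse(raw) : null;
  }

  // The banner stays up until a decision has been recorded; under opt-in
  // nothing non-essential may run while this is true.
  mustShowBanner() {
    return this.record() === null;
  }

  // Effective permission for one category right now.
  allowed(category) {
    const rec = this.record();
    const state = rec ? rec.choices : defaultConsent(this.regime);
    return state[category] === true;
  }

  // Persist a decision together with how and when it was made, so the
  // consent can be evidenced later. "necessary" can never be switched off.
  save(choices, source) {
    const merged = defaultConsent(this.regime);
    for (const c of CATEGORIES) {
      if (typeof choices[c] === "boolean") merged[c] = choices[c];
    }
    merged.necessary = true;
    const rec = { regime: this.regime, choices: merged, source, at: Date.now() };
    this.storage.set("consent_v1", JSON.stringify(rec));
    return rec;
  }

  acceptAll() {
    return this.save(Object.fromEntries(CATEGORIES.map((c) => [c, true])), "accept_all");
  }

  rejectAll() {
    return this.save(Object.fromEntries(CATEGORIES.map((c) => [c, false])), "reject_all");
  }

  // Withdrawal must be as easy as consent: flip one category off and keep
  // the rest of the existing record.
  withdraw(category) {
    const rec = this.record();
    const current = rec ? rec.choices : defaultConsent(this.regime);
    return this.save({ ...current, [category]: false }, "withdraw");
  }

  // Inject a third-party script only if its category is permitted. A script
  // that has already run cannot be un-run, so the check sits before the
  // injection; in a browser this is where the <script> tag would be appended,
  // and after a withdrawal the category's cookies must be deleted separately.
  loadScript(category, url) {
    if (!this.allowed(category)) return false;
    this.loaded.add(url);
    return true;
  }
}
```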
Now let's look at some specifics under the most commonly applied privacy laws: The GDPR in the EU, and the CCPA (CPRA) in the United States.
Opt-In/Opt-Out Consent Under the GDPR
The EU's General Data Protection Regulation (GDPR) is considered the gold standard of data privacy laws worldwide. It applies to businesses (even beyond the EU) that offer products or services to EU residents or monitor their behavior.
When it comes to consent, businesses must implement the opt-in mechanism to comply with the GDPR.
According to the GDPR, consent is:
"any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her"
Remember: Consent is just one of the GDPR's six lawful bases for processing personal data. The others are as follows:
- Public interest
- Legal obligation
- Vital interests
- Contractual obligation
- Legitimate interests
The implication here is that consent isn't always required if you can rely on any other lawful basis identified above.
That being said, explicit user consent is mandatory if you collect any of the special categories of data identified under the GDPR. They include:
- Genetic information
- Biometric information
- Racial/ethnic origin
- Political views
- Philosophical/religious beliefs
- Health information
- Trade union membership
- Sexual orientation
It's important to note that after users have opted in to a data processing activity, they must be able to withdraw their consent (i.e., opt out) for that activity at any time.
For example, here's how Yelp uses the opt-in consent mechanism to seek consent for its legal policies and offer email subscriptions to its users. Note how Yelp indicates that users can withdraw their consent (i.e., "unsubscribe") whenever they wish:
Gorman also uses the opt-in consent mechanism to send SMS subscriptions to its users. Users can accept or reject this subscription request by clicking the appropriate button provided. They can also unsubscribe anytime they wish, as shown below:
In short, businesses must implement both the opt-in and opt-out mechanisms to be GDPR-compliant. This entails getting consent through affirmative action before collecting, using, or sharing personal information and allowing users to easily withdraw their consent whenever they wish.
For more information, check out our article: Consent Under the GDPR.
Opt-In/Opt-Out Consent Under the CCPA/CPRA
The California Consumer Privacy Act (CCPA) is a U.S. state privacy law designed to enhance data privacy standards in California. One of the first modern privacy laws in the U.S., the CCPA brings GDPR-like data protection to California residents.
However, unlike the GDPR, the CCPA primarily adopts an opt-out system when it comes to consent collection.
While the CCPA doesn't explicitly define consent, its updated version, the California Privacy Rights Act (CPRA), does. The CPRA amended and expanded the CCPA in a number of ways, including the issue of consent.
Under the CCPA (CPRA), consent is:
"any freely given, specific, informed and unambiguous indication of the consumer's wishes by which the consumer or the consumer's legal guardian signifies agreement to the processing of personal information relating to the consumer for a narrowly defined particular purpose."
The CCPA (CPRA) supports the opt-out consent system. This means you can automatically collect and use the personal information of California residents until they take action to stop it.
However, there are a few important exceptions to note.
The CCPA (CPRA) expressly grants consumers the right to opt out of the sale or sharing of their personal information.
Here's how Coca-Cola displays this link in the footer section of its homepage:
The pre-emptive opt-out system is unacceptable when it comes to selling the personal information of California minors under the age of 16.
Instead, you must obtain opt-in consent from the minor (for minors aged 13 to 16) or from their parent or legal guardian (for minors under 13) before selling their personal information.
A best practice here is to include a popup on your homepage that appears upon a user's first visit to your platform. You can then take appropriate actions depending on the user's age.
Here's an example from BBC:
In sum, the CCPA (CPRA) has an opt-out consent regime. However, businesses must use the opt-in mechanism when it comes to selling the personal information of minors.
Furthermore, a prominent "Do Not Sell or Share My Personal Information" link is required to allow consumers to opt out of the sale or sharing of their personal information.
Summary
Implementing appropriate consent systems is critical to building trust and credibility for your business. If that isn't incentive enough, it's also necessary to avoid significant penalties for violating data privacy laws.
To recap, there are two distinct ways to obtain consent under modern data privacy laws: opt-in and opt-out.
Opt-in means that a person voluntarily agrees to have their personal information collected, used, or shared. On the other hand, opt-out means that a person's information is collected, used, or shared by default unless they take steps to prevent it.
In some cases, an opt-in method is preferable to an opt-out method, and vice versa. However, because the consent requirements of privacy laws differ by location, it's a best practice to follow the most stringent method (i.e., opt-in). Generally speaking, you'll be complying with the others by default.
Remember: The EU's GDPR is an opt-in consent regime, while the CCPA (CPRA) in the U.S. is an opt-out consent regime.
In sum, the opt-in system is more protective of privacy rights, as it allows users to actively agree to share their information. In contrast, the opt-out system is less protective, as it presumes that users are okay with their data being collected until they take action to stop it.