Last updated on 01 July 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
It's all about giving or withholding consent, isn't it? Most major privacy laws worldwide, such as California's Consumer Privacy Act (CCPA) or Europe's General Data Protection Regulation (GDPR), now demand that companies ensure that customers either opt-in or opt-out of specific data collection and processing efforts.
It's important to note that practices regarding both opt-ins and opt-outs have changed over time. For instance, it used to be acceptable to obtain a customer's consent through an opt-out mechanism.
In other words, as long as your customer didn't actively decline to, say, accept your marketing communications, then your company was free to assume that you had the customer's permission to send them emails, newsletters, etc.
You still had to provide a means of opting out, such as an unsubscribe link, but the customer didn't have to opt in explicitly.
Now, however, in the EU, courts have ruled that companies cannot assume that they have gained consent just because a customer hasn't opted out. Thus, opt-outs are no longer a valid means of acquiring consent.
Instead, customers must use an active, affirmative action or "opt-in" to signify their acceptance of marketing communications and other activities, such as data collection.
With that said, privacy requirements in different geographic areas vary. Yet, keeping your business compliant with major legislation is essential.
In this article, we'll discuss opt-in and opt-out specifics. We'll go over their differences, when and how to use them, and what you should implement to ensure your company remains legally compliant.
Before taking steps to install either an opt-in or an opt-out modality, you have to understand the difference between them. You also need to know what each aims to achieve.
The Merriam-Webster dictionary's definition of opt-in is "to choose to do or be involved in something." For our purposes, it means that your customers choose to give their consent through affirmative action.
One typical way companies acquire customer consent, that is, get customers to opt in, is through checkboxes, such as on a clickwrap agreement. When customers are presented with the agreement, they must decide whether or not to give consent by taking an action: ticking the checkbox, which signifies their consent.
As you can see in the case that follows, when the customer first sees the form and the clickwrap agreement, the boxes are not checked. This allows your customers to make a conscious choice as to whether they will opt in or not.
Common situations where companies need to provide customers with the option to opt-in include cookie use, legal policy agreements, and newsletter/email mailing lists.
Here's an example of an opt-in from Turn2Us that has separate opt-in boxes for each different method of communication:
Yet another type of opt-in is a cookie consent banner. There are several different kinds, such as footer banners, header banners, corner boxes, and persistent pop-ups. These banners usually appear the first time a customer visits your website.
The user is then given the option to click that they agree, in which case they will continue to use your website, and you can put cookies on their computer. If they click "No, take me to settings" or something similarly showing they are not consenting to the cookies, then they'll be taken to a page where they can specify which cookies they'll allow, if any.
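The flow described above, written as an added example that is not from the article or from any of the companies it mentions: a small consent model in which every non-essential cookie category starts as "not consented", is switched on only by the visitor's affirmative choice, can be withdrawn later, and gates whether a cookie may be set at all. The category names and the cookie registry are constructed for the example.

```javascript
// Added example: consent state for a cookie banner (category names are assumed).
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Constructed sample registry: which cookie belongs to which category.
const SAMPLE_COOKIE_REGISTRY = {
  session_id: "necessary",
  _analytics_id: "analytics",
  ad_tracker: "marketing",
};

function createConsentState() {
  // Before any banner interaction: no decision, nothing beyond necessary cookies.
  return { decided: false, timestamp: null,
           granted: { necessary: true, analytics: false, marketing: false } };
}

function grantConsent(state, choices, now = Date.now()) {
  // Opt-in: only categories the visitor actively set to true become true.
  // Anything absent or false stays off; unknown categories are rejected.
  for (const c of Object.keys(choices)) {
    if (!CATEGORIES.includes(c)) throw new Error(`unknown category: ${c}`);
  }
  const granted = { ...state.granted };
  for (const c of CATEGORIES) {
    if (c !== "necessary") granted[c] = choices[c] === true;
  }
  return { decided: true, timestamp: now, granted };
}

function withdrawConsent(state, now = Date.now()) {
  // Later opt-out: every non-essential category returns to false, and the
  // decision (with its time) is still recorded for the audit trail.
  return { decided: true, timestamp: now,
           granted: { necessary: true, analytics: false, marketing: false } };
}

function canSetCookie(state, category) {
  // Gate each non-essential cookie on a recorded affirmative choice;
  // silence (no decision yet) is never treated as consent.
  if (category === "necessary") return true;
  return state.decided && state.granted[category] === true;
}

function cookiesToClear(registry, state) {
  // After a withdrawal, cookies already set in revoked categories must go too.
  return Object.keys(registry).filter((name) => !canSetCookie(state, registry[name]));
}
```

A real banner would persist the returned state (for example in a first-party cookie or local storage) and call `cookiesToClear` whenever consent is withdrawn.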
Here's how Adidas UK uses a pop-up opt-in banner to gain explicit consent.
Here is a list of all typical opt-in methods:
The Merriam-Webster dictionary's definition of opt-out is "to choose not to participate in something." For our purposes, it means an action your customers can take to withdraw their consent.
There are two primary methods to offer your customers a way to choose not to participate in your data collection activities. The first is by providing a clickwrap agreement that has its box already checked.
By unchecking that box, your customers indicate that they are withdrawing their consent from your data collection efforts (or whatever other activity you've put before them).
The second method of presenting an opt-out to your customers is to give them an opt-out link. That link takes them to a preference manager where they can indicate that they don't consent to whatever activity you're informing them about.
For example, your customers might be taken to a preferences manager where they can choose to click an unsubscribe link, which would then automatically remove them from your system.
Here's how Entrepreneurs HQ Limited allows customers to opt out of further email communications:
As you can see, the company places the unsubscribe link in the footer of the email. This is a common practice in email marketing today.
Now, obviously, the most significant difference between opt-ins and opt-outs is that one lets your customers signify acceptance and consent, while the other lets them explicitly reject whatever it is you're asking of them.
You need to know when and where to use these mechanisms. Various situations call for different strategies, and each of these mechanisms has its place when it comes to privacy law adherence.
That's true even if you don't do business in Europe, which still has the strictest privacy law to date. The EU's GDPR requires companies to get explicit consent to their Privacy Policies before those businesses can begin collecting private, personal data in some cases.
For example, if you collect the personal information of EU residents, it has to be done on a specific legal basis, one of which is consent:
Now, some businesses might argue that they have a legitimate interest when it comes to data collection and user consent isn't necessary. However, there are some categories of personal information for which you must absolutely gain explicit user consent.
If you collect any of the following types of personal data, gaining explicit consent to do so is required by the GDPR:
The best option for doing that is by providing the user with an opt-in method. If you fail to do that, you could be found liable and face significant fines. As Computer Weekly reported, France imposed gigantic penalties on Google in 2019 for "failure to obtain valid consent."
While it's not considered quite as exacting as the GDPR, California's CCPA requires explicit consent for the sale of personal information that belongs to a California minor.
Specifically, section 1798.120(d) of the CCPA states:
"A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, [...], has affirmatively authorized the sale of the consumer's personal information."
Here too, the best way to get customers under 16 years of age to "affirmatively authorize" or give explicit consent for you to sell their data is through the use of a user opt-in at the data collection point of entry.
An example of this might be a pop-up notice that appears on a company's sign-up page if a user indicates they're under 16 years old by entering their age on a form. On the pop-up, as with clickwrap agreements, there should be an unchecked box.
The users can provide explicit consent by checking that box.
You should offer your customers the choice to opt out if they reside in California. One of the things the CCPA grants is the right of California residents to opt out of having their data sold.
Specifically, the CCPA states:
"A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information. This right may be referred to as the right to opt-out."
The link must read as follows: "Do Not Sell My Personal Information."
Just as you have to acquire explicit consent from customers in the EU before collecting their data, you also have to provide them with a means of withdrawing that consent.
Remember that your customers have the right to say "no" to having their data collected at any time, even if they explicitly gave you permission in the past.
You can give them a way to opt out by providing them with a link where they can submit an opt-out request or by giving them a contact point.
As previously mentioned, a common way of allowing customers to opt out of your marketing communications is an unsubscribe link in the footer of every email.
In fact, when it comes to email communications, it's considered best practice to acquire consent through an opt-in method and also to provide recipients with a way to opt out at any time through an opt-out (unsubscribe) link.
Using both an opt-in and an opt-out method covers most bases.
As previously mentioned, cookie consent banners are the most common method used to allow opt-outs in this situation.
Here's another quick example from The Guardian that has a banner which allows users to opt out by clicking a button to manage cookie preferences:
There are circumstances where using an opt-in method is more appropriate than using an opt-out method, and vice versa. However, because privacy laws aren't the same everywhere, it's a best practice to adhere as closely as possible to the strictest legislation out there. In most cases, you'll then be complying with the others by default.
It's not just about complying with the law, though. It's also about respecting your customers by giving them more control over the privacy of their personal information.
What it all means for your company is that if you want to respect your customers and follow the law as closely as possible, you should employ both opt-ins and opt-outs in every situation where they may apply.
It's not overly complicated. Just remember that if you provide your customers with the choice to give consent, you must also give them a way to withdraw it.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.