Opt-in versus Opt-out

Last updated on 25 May 2022 by William Blesch (Legal and data protection research writer at TermsFeed)

It's all about giving or withholding consent, isn't it? Most major privacy laws worldwide, such as California's Consumer Privacy Act (CCPA) or Europe's General Data Protection Regulation (GDPR), now demand that companies ensure that customers either opt in to or opt out of specific data collection and processing efforts.

It's important to note that practices regarding both opt-ins and opt-outs have changed over time. For instance, it used to be acceptable to gain consent from a customer through opt-out consent.

In other words, as long as your customer didn't actively decline to, say, accept your marketing communications, then your company was free to assume that you had the customer's permission to send them emails, newsletters, etc.

You still had to provide a means of opting out, such as an unsubscribe link, but the customer didn't have to opt in explicitly.

Now, however, in the EU, courts have ruled that companies cannot assume that they have gained consent just because a customer hasn't opted out. Thus, opt-outs are no longer a valid means of acquiring consent.

Instead, customers must use an active, affirmative action or "opt-in" to signify their acceptance of marketing communications and other activities, such as data collection.

With that said, privacy requirements in different geographic areas vary. Yet, keeping your business compliant with major legislation is essential.

In this article, we'll discuss opt-in and opt-out specifics. We'll go over their differences, when and how to use them, and what you should implement to ensure your company remains legally compliant.

Our Privacy Policy Generator makes it easy to create a Privacy Policy for your business. Just follow these steps:

  1. At Step 1, select the Website option or App option or both.
  2. Answer some questions about your website or app.
  3. Answer some questions about your business.
  4. Enter the email address where you'd like the Privacy Policy delivered and click "Generate."

You'll be able to instantly access and download your new Privacy Policy.



The Difference Between Opt-ins and Opt-outs

Before taking steps to install either an opt-in or an opt-out modality, you have to understand the difference between them. You also need to know what each aims to achieve.

The Meaning of "Opt-in"

The Merriam-Webster dictionary's definition of opt-in is "to choose to do or be involved in something." For our purposes, it means that your customers choose to give their consent through affirmative action.

One typical way companies acquire customer consent, or get customers to opt in, is through checkboxes, such as on a clickwrap agreement. When customers are presented with the agreement, they must choose whether or not to give consent by taking action. They must tick the checkbox, which signifies their consent.

Another common way of opting in is through the use of a form. The customer has to provide their contact information, etc., and then agree to the terms of a Privacy Policy. (Newer forms usually include a clickwrap agreement near the submit button.)

As you can see in the case that follows, when the customer first sees the form and the clickwrap agreement, the boxes are not checked. This allows your customers to make a conscious choice as to whether they will opt in or not.

Common situations where companies need to provide customers with the option to opt in include cookie use, legal policy agreements, and newsletter/email mailing lists.

Here's an example of an opt-in from Turn2Us that has separate opt-in boxes for each different method of communication:

Turn2Us account register form with communications opt-in checkboxes highlighted

Yet another type of opt-in is a cookie consent banner. There are several different kinds, such as footer banners, header banners, corner boxes, and persistent pop-ups. These banners usually appear the first time a customer visits your website.

Say you use a header banner. It will present your customer with a link to your Privacy Policy (you can also link to your Terms and Conditions agreement here) and explicitly ask for consent to use cookies.

The user is then given the option to click that they agree, in which case they will continue to use your website, and you can put cookies on their computer. If they click "No, take me to settings" or something similarly showing they are not consenting to the cookies, then they'll be taken to a page where they can specify which cookies they'll allow, if any.

Here's how Adidas UK uses a pop-up opt-in banner to gain explicit consent.

Adidas UK cookie wall

Here is a list of all typical opt-in methods:

  • Oral consent requests
  • Paper forms
  • Digital forms
  • Opt-In boxes
  • Opt-In links or buttons
  • Yes/No options
  • Preference dashboard settings
  • Clickwrap agreements
  • Consent banners
  • Consent popups
  • Consent corner boxes

The Meaning of "Opt-out"

The Merriam-Webster dictionary's definition of opt-out is "to choose not to participate in something." For our purposes, it means an action your customers can take to withdraw their consent.

There are two primary methods to offer your customers a way to choose not to participate in your data collection activities. The first is by providing a clickwrap agreement that has its box already checked.

By unchecking that box, your customers indicate that they are withdrawing their consent from your data collection efforts (or whatever other activity you've put before them).

The second method of presenting an opt-out to your customers is to give them an opt-out link. That link takes them to a preference manager where they can indicate that they don't consent to whatever activity you're informing them about.

For example, your customers might be taken to a preferences manager where they can choose to click an unsubscribe link, which would then automatically remove them from your system.

Here's how Entrepreneurs HQ Limited allows customers to opt out of further email communications:

Entrepreneurs HQ Limited email footer with Unsubscribe link highlighted

As you can see, the company places the unsubscribe link in the footer of the email. This is a common practice in email marketing today.

How and When to Use Opt-ins

Now, obviously, the most significant difference between opt-ins and opt-outs is that one allows your customers to signify acceptance and consent, while the other denotes explicit rejection of whatever it is you're asking of them.

You need to know when and where to use these mechanisms. Various situations call for different strategies, and each of these mechanisms has its place when it comes to privacy law adherence.

When Doing Business With EU Residents

If you mention data collection and outline how you go about it in your Privacy Policy, then you should probably use an opt-in. In fact, it's a best practice to make sure you get explicit consent to all of your legal policies, such as your Privacy Policy and Terms and Conditions.

That's true even if you don't do business in Europe, which still has the strictest privacy law to date. The EU's GDPR requires companies to get explicit consent to their Privacy Policies before those businesses can begin collecting private, personal data in some cases.

For example, if you collect the personal information of EU residents, it has to be done on a specific legal basis, one of which is consent:

  • Public interest
  • Legal obligation
  • Vital interest of the user
  • Contractual necessity
  • Legitimate interests
  • User consent

Now, some businesses might argue that they have a legitimate interest when it comes to data collection and user consent isn't necessary. However, there are some categories of personal information for which you must absolutely gain explicit user consent.

If you collect any of the following types of personal data, gaining explicit consent to do so is required by the GDPR:

  • Political opinions
  • Racial or ethnic origins
  • Religious or philosophical beliefs
  • Genetic data
  • Biometric data
  • Health data
  • Sexual orientation
  • Trade union membership

The best option for doing that is by providing the user with an opt-in method. If you fail to do that, you could be found liable and have to pay significant fees. As Computer Weekly reported, France imposed gigantic penalties on Google in 2019 for "failure to obtain valid consent."

When Selling the Data of California Minors

While it's not considered quite as exacting as the GDPR, California's CCPA requires explicit consent for the sale of personal information that belongs to a California minor.

Specifically, section 1798.120 (d) of the CCPA states:

"A business shall not sell the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, [...], has affirmatively authorized the sale of the consumer's personal information."

Here too, the best way to get customers under 16 years of age to "affirmatively authorize" or give explicit consent for you to sell their data is through the use of a user opt-in at the data collection point of entry.

An example of this might be a pop-up notice that appears on a company's sign-up page if a user indicates they're under 16 years old by entering their age on a form. On the pop-up, as with clickwrap agreements, there should be an unchecked box.

The users can provide explicit consent by checking that box.

How and When to Use Opt-outs

You should offer your customers the choice to opt out if they reside in California. One of the things the CCPA grants is the right of California residents to opt out of having their data sold.

Specifically, the CCPA states:

"A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information. This right may be referred to as the right to opt-out."

To ensure complete compliance with this section of the CCPA, companies need to make the opt-out available to their customers through a link on their homepage and their Privacy Policy.

The link must read as follows: "Do Not Sell My Personal Information."

When You Collect Data from EU Residents

Just as you have to acquire explicit consent from customers in the EU before collecting their data, you also have to provide them with a means of withdrawing that consent.

Remember that your customers have the right to say "no" to having their data collected at any time, even if they explicitly gave you permission in the past.

You can give them a way to opt out by providing them with a link where they can submit an opt-out request or by giving them a contact point.

When You Send Marketing Emails

As previously mentioned, a common way of allowing customers to opt out of your marketing communications is through the use of an unsubscribe link in the footer of all emails.

In fact, when it comes to email communications, it's considered a best practice to acquire consent through an opt-in method and to also provide recipients with a way to opt out any time they wish, through an opt-out (unsubscribe) link.

Using both an opt-in and an opt-out method covers most bases.

When You Use Cookies

If you use cookies for advertising or analysis, you must provide your customers with a way to reject cookies or withdraw previously given permission.

As previously mentioned, cookie consent banners are the most common method used to allow opt-outs in this situation.

Here's another quick example from The Guardian that has a banner which allows users to opt out by clicking a button to manage cookie preferences:

The Guardian cookie consent notice with manage my cookies button highlighted

Conclusion

There are circumstances where using an opt-in method is more appropriate than using an opt-out method, and vice versa. However, because privacy laws aren't the same everywhere, it's a best practice to adhere as closely as possible to the strictest legislation out there. By default, in most cases, you'll be complying with the others.

It's not just about complying with the law, though. It's also about respecting your customers by giving them more control over the privacy of their personal information.

What it all means for your company is that if you want to respect your customers and follow the law as closely as possible, you should employ both opt-ins and opt-outs in every situation where they may apply.

It's not overly complicated. Just remember that if you provide your customers with the choice to give consent, you must also give them a way to withdraw it.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.