Under modern privacy laws, consumers have the right to opt out of certain activities involving the collection, use, and disclosure of their personal information.
In other words, consumers can simply say "no" to most data processing activities, from marketing emails to website cookies to the sale of data. And businesses must honor these requests or risk facing significant penalties.
This article will break down the different forms of opt-out rights under major privacy laws around the world. We'll also clarify the circumstances in which some of these rights would or wouldn't apply to help you navigate your compliance responsibilities appropriately. Let's get into it.
- 1. The Right to Opt Out: An Overview
- 2. Opt-Out Rights Under the General Data Protection Regulation (GDPR)
- 2.1. The right to withdraw consent
- 2.2. The right to object to data processing
- 2.3. Rights in relation to automated decision-making
- 3. Opt-Out Rights Under the ePrivacy Directive
- 3.1. Cookies and similar technologies
- 3.2. Direct Marketing and Unsolicited Communications
- 4. Opt-Out Rights Under the California Consumer Privacy Act (CCPA/CPRA)
- 4.1. "Do Not Sell or Share My Personal Information"
- 4.2. Cookies and Similar Technologies
- 4.3. Global Privacy Control (GPC)
- 5. Opt-Out Rights Under the California Online Privacy Protection Act (CalOPPA)
- 6. Opt-Out Rights Under the CAN-SPAM Act
- 7. Opt-Out Rights Under the Telephone Consumer Protection Act (TCPA)
- 8. Opt-Out Rights Under the Personal Information Protection and Electronic Documents Act (PIPEDA)
- 9. Opt-Out Rights Under the Canadian Anti-Spam Legislation (CASL)
- 10. Summary
The Right to Opt Out: An Overview
The term "opt-out" in data privacy carries the same meaning as its literal definition. When consumers exercise their right to opt out, they're actively choosing not to participate in a data processing activity.
In practice, this includes actions like rejecting web tracking cookies, texting "STOP" to telephone marketing campaigns, and unsubscribing from a promotional mailing list.
The right to opt out has gained a lot of significance over the years, thanks to the advent of modern data protection laws. The two most prominent laws in this regard are Europe's General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA).
Following the lead of these influential laws, numerous countries and regions have established their own privacy regulations, each with its distinct form of opt-out rights.
If you run a business, this means you need to understand and honor the specific forms of consumer opt-out rights under the privacy laws of each jurisdiction you operate in.
Without further ado, let's examine the various opt-out rights under major privacy laws around the world.
Opt-Out Rights Under the General Data Protection Regulation (GDPR)
The General Data Protection Regulation (GDPR) is the most stringent and robust privacy legislation today. It significantly increases global data protection standards and strengthens the privacy rights and freedoms of individuals in the European Union (EU).
When it comes to opt-out rights, the GDPR has three major provisions: the right to withdraw consent, the right to object to data processing, and rights in relation to automated decision-making.
Let's examine each in turn.
The right to withdraw consent
Under Article 7 of the GDPR, EU consumers who have previously given their consent to a specific data processing activity can withdraw their consent whenever they wish. In addition, the GDPR stipulates that the process of withdrawing consent must be just as simple as providing it.
This opt-out right is relatively straightforward for businesses to implement. All you need to do is provide a means for consumers to revoke their consent to your data processing activities.
One obvious example would be including an "unsubscribe" link at the bottom of your email marketing messages, as Entrepreneurs HQ does.
The right to object to data processing
Under Article 21, the GDPR empowers consumers to object to the processing of their personal data for certain activities (including profiling). But this right only applies in limited instances.
Consumers can exercise this right if the data processing is performed in:
- The public interest
- The exercise of official authority
- Your legitimate interests (or those of a third party)
In these instances, the right to object is not absolute. If you have a legitimate reason for data processing that overrides a consumer's interests, rights, and freedoms, then you may proceed despite their objection. An example would be if you need to process data to fulfill a legal obligation.
However, in cases of direct marketing, the right to object is absolute. This means you must immediately stop all data processing once consumers object to your direct marketing activities.
Rights in relation to automated decision-making
Under Article 22, the GDPR grants consumers the right to opt out of automated decision-making technology, including profiling. This right empowers consumers to have a say in decisions that significantly affect them and are made solely by automated systems.
For instance, if a computer algorithm denies an individual's loan application, that individual can request that a natural person review the decision.
To comply with this right, you must be completely transparent about your automated decision-making processes and make it easy for consumers to opt out through a simple mechanism.
This could be through an opt-out form, preferences settings, or a dedicated contact point.
Once a consumer opts out, you must respect their decision and adjust your systems accordingly to honor their choice.
Opt-Out Rights Under the ePrivacy Directive
The ePrivacy Directive is another prominent piece of European legislation. It's expected to be replaced by the ePrivacy Regulation in the near future.
The ePrivacy Directive is designed to complement the GDPR. It specifically regulates the area of privacy in electronic communications, such as telephone marketing, web cookies, and email campaigns.
While the GDPR only briefly addresses electronic communications, the ePrivacy Directive covers them in far more detail, which makes it the more specific authority on electronic communications than the GDPR.
In terms of opt-out rights, the ePrivacy Directive has two significant applications: Cookies and similar technologies and Direct Marketing/Unsolicited Communications.
Cookies and similar technologies
Cookies and similar technologies (e.g., web beacons, pixels, etc.) are trackers that are typically used to monitor consumers' online behavior for various purposes.
Under the ePrivacy Directive, businesses must obtain GDPR-compliant consent (opt-in) from consumers before placing non-essential cookies on their devices. Plus, they must provide an equally simple way for consumers to reject (opt out of) these cookies.
Note: Non-essential cookies are those that are not necessary for the basic functioning of a website or app.
It's important to note that essential/strictly necessary cookies are exempt from this opt-out requirement.
Deloitte's cookie consent banner is a good example: it is equally easy for consumers to accept or reject optional cookies.
Similarly, PwC allows users to reject unnecessary cookies from the get-go.
Direct Marketing and Unsolicited Communications
Under the ePrivacy Directive, EU consumers have the right to opt out of receiving direct marketing communications, including promotional emails, text messages, and telemarketing calls, to mention a few.
The ePrivacy Directive also prohibits sending unsolicited communications, like spam emails or text messages, without a consumer's prior consent.
If you have an existing business relationship with a consumer, you can send them marketing messages about similar products or services without their consent, thanks to a provision called the "soft opt-in." However, you must still provide an easy way for them to opt out of receiving such communications.
A conspicuous "Unsubscribe" button or similar mechanism placed within every marketing communication to consumers will satisfy the ePrivacy Directive's opt-out requirement.
Opt-Out Rights Under the California Consumer Privacy Act (CCPA/CPRA)
The California Consumer Privacy Act (CCPA) with its amendments known as the California Privacy Rights Act (CPRA) is arguably the most comprehensive and prominent privacy law in the United States today. It raises California's data privacy standards and protects the personal information of its residents from intrusive data processing practices.
When it comes to opt-out rights, the CCPA (CPRA) offers Californians considerable control over the collection, use, sale, and sharing of personal information. Let's take a look at its major opt-out rights.
"Do Not Sell or Share My Personal Information"
The CCPA (CPRA) introduces perhaps the most famous opt-out right in data privacy today: the "Do Not Sell or Share My Personal Information" right.
In short, this right allows Californians to opt out of having their personal information sold or shared by applicable companies.
Setting up this opt-out mechanism involves a three-step process:
- Create a web page that provides clear information and instructions about your opt-out procedures
- Place a clear and conspicuous link to that page on your website's homepage
- Ensure the link reads "Do Not Sell or Share My Personal Information"
AGCO, for example, places the "Do Not Sell or Share" link in the footer of its homepage.
When users click this link, AGCO directs them to a page with clear instructions for submitting opt-out requests.
Keep in mind that once you receive an opt-out request, you must stop selling the consumer's information without undue delay.
You can ask the consumer if they wish to opt back into the sale of their information, but not for at least 12 months after their initial opt-out request.
Cookies and Similar Technologies
Like the ePrivacy Directive, the CCPA (CPRA) establishes its own standards for cookies and similar technologies. In this regard, the CCPA (CPRA) supports an opt-out system known as "pre-emptive opt-out."
This opt-out system allows businesses to automatically place cookies and similar trackers on consumers' devices without explicit consent.
In other words, it implies that consumers are okay with a data processing activity until they take action to stop it.
For example, AGCO sets optional cookies on consumers' devices by default, using the pre-emptive opt-out method. Consumers have to turn off the corresponding switches to reject optional cookies.
Global Privacy Control (GPC)
Global Privacy Control (GPC) is an opt-out mechanism supported under the CCPA (CPRA) that allows consumers to stop companies from tracking their online behavior. It replaces the ambiguous "Do Not Track" opt-out signals previously introduced in California.
Under the CCPA (CPRA), GPC can also be used to communicate "Do Not Sell or Share" requests to businesses. It works as a setting or extension that consumers can configure on their browsers to notify websites of their privacy preferences.
GPC allows consumers to opt out of behavioral tracking, sale, and sharing of their personal information at the browser level instead of having to submit opt-out requests on different websites and devices.
EY, for example, concisely explains GPC signals in its Privacy Statement.
Once users enable GPC opt-out signals in their browsers, EY automatically disables marketing/targeting cookies so that it neither tracks those users nor sells or shares their personal information.
Opt-out rights are key to transparency and compliance, so do not overlook these valuable rights or leave them out of your business privacy plan.
Opt-Out Rights Under the California Online Privacy Protection Act (CalOPPA)
In terms of opt-out rights, CalOPPA upholds Do Not Track (DNT) signals that allow consumers to refuse targeted advertising and other forms of online tracking.
Interestingly, CalOPPA doesn't require businesses to honor DNT signals. It simply asks that they disclose whether or not they do.
In light of the GPC mechanism, DNT signals are gradually becoming obsolete due to the ambiguous conditions surrounding their implementation.
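The GPC and DNT sections above describe browser-level signals that a website has to recognise on each request. The following is an added example, not code from the article or from any of the companies it cites: a server-side decision function that reads the request headers defined by the Global Privacy Control specification (`Sec-GPC: 1`) and the legacy Do Not Track header (`DNT: 1`), restricts a GPC request to strictly necessary cookies and flags it as a "Do Not Sell or Share" request, and treats DNT as a disclosed policy choice in line with CalOPPA. The cookie categories, the `OptOutDecision` structure and the sample request are constructed for this illustration.

```python
"""Honoring browser-level opt-out signals (GPC and DNT) on the server side.

Added example, not code from the original article. It relies on the request
headers defined by the GPC specification (`Sec-GPC: 1`) and the legacy DNT
header (`DNT: 1`); cookie categories and the decision structure are constructed.
"""
from dataclasses import dataclass, field

# Constructed cookie categories. Strictly necessary cookies are exempt from
# opt-out; everything else is optional and may be suppressed.
STRICTLY_NECESSARY = "strictly_necessary"
OPTIONAL_CATEGORIES = ("analytics", "marketing", "targeting")


@dataclass
class OptOutDecision:
    gpc: bool                          # Sec-GPC: 1 seen on the request
    dnt: bool                          # DNT: 1 seen on the request
    allowed_cookie_categories: tuple   # categories that may be set
    record_do_not_sell: bool           # log as a CCPA "Do Not Sell or Share" request
    reasons: list = field(default_factory=list)


def _header(headers: dict, name: str) -> str:
    """Case-insensitive lookup: HTTP header names are not case-sensitive."""
    for key, value in headers.items():
        if key.lower() == name.lower():
            return value.strip()
    return ""


def evaluate_signals(headers: dict, honor_dnt: bool = False) -> OptOutDecision:
    """Decide which cookie categories may be set for this request.

    A GPC signal is a valid opt-out of sale/sharing under the CCPA/CPRA, so it
    both suppresses optional cookies and is recorded as a Do-Not-Sell request.
    CalOPPA only requires disclosing whether DNT is honored, so DNT handling is
    a policy switch (`honor_dnt`) and, in this example, is not treated as a
    Do-Not-Sell request.
    """
    gpc = _header(headers, "Sec-GPC") == "1"
    dnt = _header(headers, "DNT") == "1"
    reasons = []

    if gpc:
        allowed = (STRICTLY_NECESSARY,)
        reasons.append("Sec-GPC: 1 -> optional cookies suppressed, opt-out recorded")
        record = True
    elif dnt and honor_dnt:
        allowed = (STRICTLY_NECESSARY,)
        reasons.append("DNT: 1 honored by site policy -> optional cookies suppressed")
        record = False
    else:
        # Pre-emptive opt-out model: optional cookies are set until the user
        # rejects them through the site's own controls.
        allowed = (STRICTLY_NECESSARY,) + OPTIONAL_CATEGORIES
        record = False
        if dnt:
            reasons.append("DNT: 1 present but not honored (disclosed in privacy policy)")

    return OptOutDecision(gpc, dnt, allowed, record, reasons)


def filter_cookies(decision: OptOutDecision, cookies: dict) -> list:
    """Return the names of cookies (name -> category) the response may set."""
    return [name for name, category in cookies.items()
            if category in decision.allowed_cookie_categories]


if __name__ == "__main__":
    # Constructed request: a browser with GPC enabled.
    request_headers = {"Host": "www.example.com", "sec-gpc": "1"}
    site_cookies = {"session": STRICTLY_NECESSARY, "_ga": "analytics", "_fbp": "marketing"}
    decision = evaluate_signals(request_headers)
    print(decision.reasons)
    print("cookies to set:", filter_cookies(decision, site_cookies))
```

`evaluate_signals` is meant to run before any `Set-Cookie` header is written and before any tag-manager script is injected; the `record_do_not_sell` flag is what your opt-out log or consent-management platform should consume so the request is also honored on later visits.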
Opt-Out Rights Under the CAN-SPAM Act
The Controlling the Assault of Non-Solicited Pornography And Marketing Act of 2003, or CAN-SPAM Act, is a U.S. federal law that sets rules for commercial email marketing messages. Its provisions are enforced by the Federal Trade Commission (FTC).
When it comes to opt-out rights, the CAN-SPAM Act requires all email messages to include a clear and conspicuous way for consumers to opt out of receiving future communications.
Typically, this takes the form of an "unsubscribe" button or link at the bottom of every single email message you send consumers.
JOY's unsubscribe link is an excellent example.
The CAN-SPAM Act also demands that opt-out mechanisms shouldn't impose unnecessary burdens on recipients. JOY does a swell job here by requesting no further action from users once they click its unsubscribe link.
Keep in mind that once someone has opted out, you must honor their request within 10 days and refrain from sending them commercial emails unless they specifically request to re-subscribe or if other permissible exceptions under the CAN-SPAM Act apply.
For more information about email opt-out requirements, check out our article: 10 Unsubscribe Best Practices
Opt-Out Rights Under the Telephone Consumer Protection Act (TCPA)
The Telephone Consumer Protection Act (TCPA) is a federal law that regulates telemarketing calls, auto-dialed calls, pre-recorded messages, and SMS text messages in the United States.
Under the TCPA, you must obtain prior express consent before contacting consumers via telemarketing calls or text messages. You must also include an easy way for consumers to opt out of future communications in each message.
Practically speaking, this could take the form of a toll-free number or a 'STOP' response system, which allows consumers to decline SMS marketing messages by texting the word 'STOP.'
Once a consumer opts out, you must promptly remove them from your calling or messaging lists. It's a best practice to maintain an up-to-date internal do-not-call list to avoid accidentally marketing to unsubscribed consumers.
Opt-Out Rights Under the Personal Information Protection and Electronic Documents Act (PIPEDA)
The Personal Information Protection and Electronic Documents Act (PIPEDA) is Canada's central private-sector privacy regulation. It governs how private-sector organizations collect, use, and disclose personal information during commercial activities.
When it comes to opt-out rights, PIPEDA's requirements are fairly standard. Consumers have the right to opt out of specific data uses, and businesses must provide them with a simple and accessible opt-out mechanism.
Practically speaking, an unsubscribe link in marketing emails or a dedicated opt-out request mechanism on your website will suffice.
Once a consumer opts out, you must take immediate action to honor their request and ensure their data isn't shared with third parties for those purposes as well.
Keep in mind that opt-out rights also apply to the collection and use of sensitive information, like health, biometric, or financial data. In short, you must obtain explicit consent for these categories of information and provide simple opt-out mechanisms where applicable.
Opt-Out Rights Under the Canadian Anti-Spam Legislation (CASL)
The Canadian Anti-Spam Legislation (CASL) establishes strict rules for digital marketing communications in Canada, much like CAN-SPAM does in the United States.
CASL primarily regulates Commercial Electronic Messages (CEMs) but also covers text and automated cell phone marketing messages.
When it comes to opt-out rights, CASL maintains the status quo and simply requires businesses to provide a clear unsubscribe mechanism in communications to consumers. And like CAN-SPAM, CASL demands that opt-out requests be honored within 10 days.
In practice, CASL's requirements entail honoring "STOP" replies to text message CEMs from consumers and providing a conspicuous "unsubscribe" link at the bottom of every email marketing CEM.
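The TCPA, CAN-SPAM and CASL passages above, together with the CCPA re-opt-in rule, all reduce to the same bookkeeping: recognise an opt-out (a "STOP" reply, an unsubscribe click), stop contacting that person, prove the request was applied within the deadline, and do not ask them to opt back in too soon. The following is an added example, not code from the article: a small opt-out registry that implements those rules. The class, channel names, STOP keyword set and sample events are constructed for this illustration; the 10-day honoring window (CAN-SPAM, CASL) and the 12-month re-opt-in wait (CCPA/CPRA, approximated here as 365 days) are the figures the article gives.

```python
"""Opt-out registry: STOP replies, suppression, honoring deadlines, re-opt-in.

Added example, not code from the original article. Channel names, STOP
keywords and sample data are constructed; the 10-day and 12-month figures
come from the article.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

HONOR_WINDOW = timedelta(days=10)      # CAN-SPAM / CASL: apply opt-outs within 10 days
REOPTIN_WAIT = timedelta(days=365)     # CCPA/CPRA: no re-opt-in request for 12 months
# Constructed keyword set; advertise whichever words you actually accept.
STOP_KEYWORDS = {"STOP", "STOPALL", "UNSUBSCRIBE", "CANCEL", "END", "QUIT"}


@dataclass
class OptOut:
    contact: str                       # e-mail address or phone number, normalised
    channel: str                       # "email", "sms", "call" or "sale"
    requested_at: datetime
    honored_at: Optional[datetime] = None


class OptOutRegistry:
    """In-memory suppression list keyed by (contact, channel)."""

    def __init__(self) -> None:
        self._records: dict = {}

    @staticmethod
    def _key(contact: str, channel: str) -> tuple:
        return contact.strip().lower(), channel

    def record(self, contact: str, channel: str, requested_at: datetime) -> OptOut:
        """Store an opt-out; a pending request keeps its original clock."""
        key = self._key(contact, channel)
        existing = self._records.get(key)
        if existing is None or existing.honored_at is not None:
            self._records[key] = OptOut(key[0], channel, requested_at)
        return self._records[key]

    def mark_honored(self, contact: str, channel: str, honored_at: datetime) -> None:
        """Call once the contact has actually been removed from the send list."""
        self._records[self._key(contact, channel)].honored_at = honored_at

    def may_contact(self, contact: str, channel: str) -> bool:
        """False as soon as an opt-out exists, even before it is fully applied."""
        return self._key(contact, channel) not in self._records

    def handle_inbound_sms(self, sender: str, body: str, received_at: datetime) -> bool:
        """Treat a STOP-style reply as an SMS opt-out (TCPA / CASL)."""
        if body.strip().upper() in STOP_KEYWORDS:
            self.record(sender, "sms", received_at)
            return True
        return False

    def overdue(self, now: datetime) -> list:
        """Opt-outs still unapplied after the 10-day window: compliance failures."""
        return [r for r in self._records.values()
                if r.honored_at is None and now - r.requested_at > HONOR_WINDOW]

    def may_ask_to_opt_back_in(self, contact: str, channel: str, now: datetime) -> bool:
        """Only ask to opt back in once the 12-month wait has elapsed."""
        rec = self._records.get(self._key(contact, channel))
        return rec is None or now - rec.requested_at >= REOPTIN_WAIT


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    reg = OptOutRegistry()
    reg.handle_inbound_sms("+15555550100", " stop ", t0)          # constructed reply
    reg.record("Alice@Example.com", "email", t0)                   # unsubscribe click
    print("sms ok?", reg.may_contact("+15555550100", "sms"))      # False
    print("overdue at day 11:", [r.contact for r in reg.overdue(t0 + timedelta(days=11))])
```

Normalising the contact key matters: an opt-out for `Alice@Example.com` must suppress mail to `alice@example.com`, and `overdue()` is the report to run daily so that a request that slipped through a batch job is caught before the 10-day deadline, not after.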
Summary
Thanks to the proliferation of privacy laws, organizations worldwide are held to higher standards for responsible data management and respecting consumers' privacy rights.
These laws aim to strike a balance between the need for businesses to collect and use personal information for legitimate purposes and the importance of giving consumers control over their data.
The right to opt out plays a crucial role here by empowering consumers to express their disinterest in specific data processing activities.
To recap, some of the most prominent opt-out rights under major privacy laws are as follows:
- The right to withdraw consent
- The right to opt out of automated decision-making
- The right to opt out of email, SMS, and telephone marketing campaigns
- "Do Not Sell or Share My Personal Information" right
- Global Privacy Control/"Do Not Track" signals
To help exercise these rights, businesses must provide clear and accessible mechanisms for consumers to withdraw their consent or indicate their preferences.
This typically involves the following:
- Including unsubscribe links or buttons in email messages
- Enabling 'STOP' response systems for SMS marketing
- Honoring browser-enabled opt-out signals
- Setting up privacy preference settings in user accounts
- Providing opt-out forms, buttons, or switches on websites
By observing opt-out rights, you not only demonstrate respect for consumers' choices but also avoid substantial penalties for violating consumer rights under privacy laws.