When running a website, protecting users’ privacy is critical. Today, many privacy laws govern the handling of personal data to protect user privacy. A website needs to obtain explicit consent from users to collect, store, or process personal data about users. Website owners can provide simple and effective mechanisms for opting into these actions and for revoking consent. Opt in and opt out are two mechanisms that websites use to obtain permission from visitors to collect or use their personal data. By using buttons, checkboxes and toggle buttons, you can present opt-in and opt-out systems on your website or app.
Let us see how opt-in and opt-out are different and how to implement them.
Opt-in vs. opt-out: what is the difference?
Opt-in and opt-out are both ways of getting people’s consent for the collection, use and disclosure of their personal information online. They are similar in that they are necessary and will inform users the site will use their data. The biggest difference is that with an “opt-in” process, the users have to take action to express their consent. With an “opt-out” process, the users have to take action if they don’t want to give their consent.
What is opt-in?
Opt-in is the affirmative action a user takes to give their consent for a company to use their data. Unticked checkboxes or buttons are the most common way to implement an opt-in mechanism for obtaining users’ consent.
You may use this method to seek your user’s consent for storing cookies, agreeing to your legal and privacy policies, or subscribing to marketing emails.
What is opt-out?
Opt-out is the process by which a user withdraws or refuses consent for certain actions. This method gives the user a fairly large amount of control over their data and other privacy settings. Opt-out helps protect user relationships by respecting users who do not want their data tracked or who do not want to receive marketing messages. Opting out is just as important as opting in, and users must have a simple, effective way to do it.
In an opt-in model, users are opted out by default; in an opt-out model, users are opted in by default. The latter is not recommended under many privacy laws. It is therefore better to offer both opt-in and opt-out options with adequate information about them so that users can make an informed decision.
How and when to implement opt-in and opt-out?
Different laws have different ways of defining opt-in and opt-out models. In most cases, you need opt-in and opt-out if you have to collect, use, share or disclose personal data of users subject to privacy laws.
In this article, we will discuss two of the most widely applicable and discussed data protection laws — the EU’s General Data Protection Regulation (GDPR) and the US’ California Consumer Privacy Act (CCPA).
How do opt-in and opt-out work under GDPR?
The GDPR rules are very clear that users need to be able to opt in and out of any use of their data. Furthermore, the users need to be able to do this easily, especially opt out. However, there are circumstances where consent is not necessary if you collect personal data to fulfill:
- Contractual Obligation: the processing is necessary for the performance of a contract the data subject is part of or to perform a task requested by the data subject before entering into a contract.
- Legal Obligation: the processing is necessary for complying with a legal obligation under the laws of EU member states.
- Vital Interests: the processing is necessary to protect the vital interests of the data subject or any other natural person.
- A Public Task: the processing is necessary to carry out a public task, or you are a public authority.
- Legitimate Interests: the processing is necessary for the purposes of your legitimate interests or those of a third party. An exception is when the legitimate interest is outweighed by the interests or fundamental rights and freedoms of the data subject, especially if the data subject is a child.
The above lawful bases do not apply when you collect sensitive personal data of your users. Sensitive data includes data related to racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or sex life or sexual orientation.
To process sensitive personal data, you must get explicit consent from your users via opt-in methods.
Article 4 of the GDPR defines consent as
“‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”
That is, GDPR treats opt-in consent as valid only when it is freely given, informed, specific and unambiguous.
Data subjects should not feel compelled to give consent to the processing of their personal data. This includes consent bundled into non-negotiable terms and conditions. In short, any consent that prevents data subjects from exercising their free will is invalid.
Consent is valid when
- the purpose of the data collection is specified;
- it is granular, i.e., there are separate consent requests for different activities; and
- information relating to it is distinguishable from information about other matters.
For consent to be informed, you must inform the data subjects about the following:
- your identity;
- the intended purpose of the processing;
- the type of data that will be collected and used;
- where the data will be used and stored, and for how long;
- the right to withdraw consent;
- the use of the data for automated decision-making where relevant; and
- the possible risks of data transfer and the appropriate safeguard measures.
Consent is unambiguous when it is given by explicit affirmative action, such as a written statement (including by electronic means) or an oral statement. This includes consent obtained via tick boxes, technical settings changed by the data subject, or any clear statement that indicates the data subject’s agreement. Inferred consent, such as a user’s failure to opt out through inaction, is not valid, and neither is consent obtained via pre-enabled options.
Additionally, GDPR also requires consent to be revocable and demonstrable.
The data subject has the right to withdraw their consent at any time they wish and without any justification. You must stop processing or storing the data once you receive the request. Withdrawing consent should be as easy as it was to give it. An opt-out option should be made available at every step of the way, and you must make sure that the data subject is aware of the same before granting consent.
The GDPR requires websites to maintain a record of consent to prove that consent was collected before any personal data was collected from users. The record will come in handy if users or data protection authorities ask for proof of consent.
How do opt-in and opt-out work under CCPA?
The California Consumer Privacy Act (CCPA), passed in 2018, is similar to the GDPR in many ways. Both define personal data and sensitive personal data similarly, and both aim to protect users’ data and give them their right to privacy. However, there are differences; for example, the CCPA lets consumers be opted in by default, while the GDPR requires consumers to be opted out by default.
Under the CCPA, websites have to disclose what information they collect about users and for what purpose. It doesn’t specifically emphasize implementing opt-in, but it does give users the “right to opt-out” of selling or sharing their personal information (or personal data).
The CCPA recommends that organizations implementing the right to opt-out on their websites use a link labelled “Do Not Sell My Personal Information”. It should be easily accessible from the homepage and from any page where they collect data.
This opt-out approach contrasts with how laws like the GDPR require websites to obtain opt-in consent before collecting user information. Under the CCPA, however, an opt-out option is mandatory, and opt-in is only required for collecting the personal data of children under 16 years of age. So under the CCPA, users can be opted in by default.
The eBay website has a DNSMPI link in its footer; clicking it opens a page where users can opt out of the sale of their personal information.
Opt-in and opt-out in cookies
Internet cookies are one of the most commonly used ways to store website user data. A cookie is a small file stored on a user’s computer by their browser, which can be read and written by the site that created it. This allows for more dynamic interaction between the user and the site, with the site remembering information about the user each time they visit, such as what products they have in their shopping cart or what customizations they have chosen.
For cookies, opt-in means you need your website visitors’ permission before placing cookies in their browser, so you can only track them if they give it. This is more privacy-friendly and is becoming increasingly common, as companies are required to ask permission before they can track a visitor’s activity online. Opt-out means visitors can deny consent if they don’t want tracking cookies stored on their devices. Using cookies after the user opts out is a violation of privacy laws.
It is generally safer to provide both an opt-in and an opt-out approach to cookies. A third option where users can individually approve or reject cookies on a per-category basis is also necessary.
For more information, read our article on cookie consent.
The most common way a website can exercise cookie opt-in and opt-out is by using a cookie banner that provides necessary information about cookies and the opt-in and opt-out choices to help users make an informed decision.
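As an added example (not code from this article or from CookieYes), the following in-memory consent store enforces the consent properties the article describes: no category is pre-enabled, consent is granular per category, withdrawal takes the same single step as granting, non-essential cookies are written only after consent and removed after withdrawal, and every choice is logged so the site can demonstrate consent. The cookie jar is a `Map` standing in for `document.cookie`, and the category names and policy version are constructed placeholders.

```javascript
// Added example, not code from the article or CookieYes: an in-memory consent
// store that enforces the consent properties the article describes.
const CATEGORIES = ['analytics', 'marketing']; // non-essential cookie categories (constructed)
const POLICY_VERSION = 'v1-placeholder';        // constructed: version of the policy text shown

function createConsentStore(now = () => new Date().toISOString()) {
  // Nothing is granted by default: a pre-ticked box would not be valid consent.
  const granted = {};
  const history = []; // the demonstrable record: what was chosen, when, under which policy
  function set(category, value, action) {
    if (!CATEGORIES.includes(category)) throw new Error('unknown category: ' + category);
    granted[category] = value;
    history.push({ category, action, policyVersion: POLICY_VERSION, at: now() });
  }
  return {
    grant: (category) => set(category, true, 'grant'),
    // Withdrawal is one call, the same effort as granting.
    withdraw: (category) => set(category, false, 'withdraw'),
    isGranted: (category) => granted[category] === true, // granular: checked per category
    record: () => ({ granted: { ...granted }, history: history.slice() }),
  };
}

// A non-essential cookie is written only when its category has been granted.
// The jar is a Map of cookie name -> { value, category } standing in for document.cookie.
function setCookie(jar, consent, name, value, category = 'necessary') {
  if (category !== 'necessary' && !consent.isGranted(category)) return false;
  jar.set(name, { value, category });
  return true;
}

// After a withdrawal the site must stop storing the data: remove every
// non-essential cookie whose category is no longer granted. Returns the removed names.
function purgeWithdrawn(jar, consent) {
  const removed = [];
  for (const [name, cookie] of jar) {
    if (cookie.category !== 'necessary' && !consent.isGranted(cookie.category)) {
      jar.delete(name);
      removed.push(name);
    }
  }
  return removed;
}
```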
Frequently asked questions
What is meant by opt-in and opt-out?
Opt-in is the process by which users express explicit consent to a website collecting and using their personal data. Opt-out is the process by which users withdraw or refuse consent to a website collecting and using their personal data. Both consent types are important for a website; you should implement them effectively and make them easily accessible to users.
Is opt-in or opt-out better?
It is difficult to say which option is better, as each serves its own purpose. Providing an opt-in option where users are opted out by default is more effective than having users opted in by default. However, if you want to be legally compliant, it is safer to offer both options with opt-out as the default.
What does opt-out stand for?
Opt-out refers to a method of withdrawing consent for a website’s collection of personal data. You can implement it using checkboxes, toggle switches, buttons, or dedicated forms, e.g., the “Reject” button on cookie banners, the “Unsubscribe” link in emails, and dedicated forms for opting out of data collection or selling.
Should I opt-in or opt-out?
It is always better and safer to use an opt-in model for your website since it will allow users to make an informed decision. However, the opt-in model should also have an opt-out option for users to deny consent.
If you are a website user, you should choose between both mechanisms depending on the information the site has provided.
What is an opt-out in business?
To “opt out” means the users are denying or withdrawing consent to let your website collect their personal data. If they opt out, you cannot collect their data. As a business, opt-out is as crucial as opt-in, as it will give your users the freedom to choose what is best for their data privacy.