August 29, 2022
Have you ever asked a friend what they wanted to eat for dinner? Sometimes, they clearly answer: "I want to go to Torchy's Tacos!" That's a great example of an opt-in.
Sometimes, the answer isn't so clear. In that case, you may offer your friend a couple of options, asking whether they want to eat at Home Slice Pizza, Hopdoddy Burger Bar, or Sushi Zushi. When the answer to those options is, "I don't feel like pizza, burgers, or sushi," they've just opted out of all of your suggestions.
When it comes to privacy online, there are several types of consent models: opt-in, opt-out, and hybrid. Different privacy regulations require different consent regimes. Staying compliant means keeping up to date with the latest laws. In this article, we'll go over what opt-in and opt-out mean, the laws that cover each, and how to be sure you comply with all the privacy regulations.
Opt-in consent requires users to take a specific action that gives a business consent to collect and use their information. These activities include ticking a box, clicking a button, or taking another proactive measure to establish consent. Businesses may utilize these opt-in methods for newsletters, subscriptions, and cookies.
Without a consumer's explicit "yes," a company using the opt-in method cannot drop cookies on a consumer's browser. If a business cannot deploy cookies, it cannot rely on them to track user behavior.
Opt-in is more common outside the US, where data privacy laws like the GDPR are structured to give users more control over their data. Even when opt-in is not required, this method can build a greater level of trust with consumers and encourage brand loyalty — especially when handling sensitive information.
The opt-out model requires a business to disclose that it collects and uses information and to give consumers the option to opt out. In contrast to the opt-in model, companies using the opt-out model assume consent until a person takes action to revoke permission.
Privacy isn't always an either/or situation. Sometimes, both models are needed.
A hybrid model incorporates aspects of opt-in and opt-out models depending on the type of information collected and how the business will use it. In this scenario, a company may use an opt-out regime for non-personal information and an opt-in regime for sensitive personal information.
MarketingWeek reported on a study by fast.MAP in partnership with Tangible and Opt-4 on user behavior regarding consent. Of the respondents surveyed, "29% would opt-in to emails and other messages, compared with 51% who say they would not opt-out." The hybrid method gives consumers more control over how their personal data is collected and processed while providing businesses a better chance of receiving non-personal information.
This method is a win-win for businesses that want to maintain worldwide compliance and build consumer trust.
It is possible to obtain actionable information while ethically complying with data privacy regulations. Once you know the obligations of privacy regulations, like the GDPR and CCPA/CPRA, you can tailor your business and marketing strategies to secure consent without running afoul of the regulatory bodies.
The GDPR states that "consent must be freely given, specific, informed and unambiguous," as indicated by a "statement or a clear affirmative act." For example, a business may utilize a cookie banner at the bottom of its website when a consumer from the EU visits for the first time. The language on the banner should be clear, easy to understand, and allow users to accept the cookies. Until the user communicates consent, the business cannot collect personal information or use tracking cookies to monitor consumer behavior.
While ePrivacy and the GDPR require explicit opt-in consent, the CCPA/CPRA gives consumers the right to opt out. This means that California residents over the age of 16 can tell businesses not to sell (or share once CPRA becomes effective) their personal information.
To give consumers adequate time and information to decide whether they should opt out, the CCPA requires businesses to provide a "notice at collection" at the time of or before the point of collection. According to the CCPA, the notice should list the categories of personal information businesses collect about consumers and the reasons they'll use each type of data.
How should businesses treat minors under CCPA? Minors between the ages of 13 and 16 are opted out by default. These children may opt in to the sale of their personal information. Parents or guardians of children under 13 must opt in on their behalf.
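The opt-in, opt-out, hybrid, and CCPA minor rules described above can be combined into a single consent gate that runs before any tracking cookie is set. The following is an added example, not Osano's code or part of the original article; the region table, the visitor record fields, and the function names are hypothetical, and the age boundaries follow the article's wording.

```javascript
"use strict";

// Constructed region-to-regime table (assumption); a real deployment derives it from legal review.
const REGIMES = { EU: "opt-in", "US-CA": "opt-out" };

// Decide whether processing may proceed for one visitor and one purpose.
// visitor: { region, age, choice, parentChoice } where the choices are
//          "granted", "denied", or null (no action taken yet).
// purpose: { sensitive: boolean }
function mayProcess(visitor, purpose, { hybrid = false } = {}) {
  // Unknown regions fall back to the stricter model (assumption of this sketch).
  let regime = REGIMES[visitor.region] || "opt-in";

  // Hybrid: opt-out for non-personal data, opt-in for sensitive personal data.
  if (hybrid) regime = purpose.sensitive ? "opt-in" : "opt-out";

  // CCPA minors as the article describes them: under 13 needs a parent's
  // opt-in, 13 to 16 needs the minor's own opt-in.
  if (visitor.region === "US-CA" && typeof visitor.age === "number") {
    if (visitor.age < 13) return visitor.parentChoice === "granted";
    if (visitor.age <= 16) return visitor.choice === "granted";
  }

  // Opt-in: silence means no. Opt-out: silence means yes until revoked.
  if (regime === "opt-in") return visitor.choice === "granted";
  return visitor.choice !== "denied";
}

// Build the Set-Cookie value only when the gate allows it; otherwise return null
// so the caller never emits the tracking cookie.
function trackingCookieFor(visitor, id) {
  if (!mayProcess(visitor, { sensitive: false })) return null;
  return `track=${encodeURIComponent(id)}; Path=/; Secure; SameSite=Lax`;
}
```

The gate returns a decision instead of setting the cookie itself, so the same check can guard server-side `Set-Cookie` headers and client-side tag loading.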
The data privacy landscape is constantly evolving, and staying on top of the latest compliance requirements can feel like a full-time job. More than 750,000 websites use Osano's Consent Management Platform to stay compliant with worldwide data privacy regulations. No matter where your web visitors come from, the intelligent consent feature displays and enforces the correct consent requirement based on geolocation data, with support in more than 40 languages.
With just 1 line of code, your website will be immediately compliant with the data privacy laws in over 50 countries. Sign up for a demo to see for yourself!
The Osano staff is a diverse team of free thinkers who enjoy working as part of a distributed team with the common goal of working to make a more transparent internet. Occasionally, the team writes under the pen name of our mascot, “Penny, the Privacy Pro.”