Have you ever asked a friend what they wanted to eat for dinner? Sometimes, they clearly answer: "I want to go to Torchy's Tacos!" That's a great example of an opt-in.
Sometimes, the answer isn't so clear. In that case, you may offer your friend a couple of options, like whether they want to eat at Home Slice Pizza, Hopdoddy Burger Bar, or Sushi Zushi. When the answer to those options is, "I don't feel like pizza, burgers, or sushi," they've just opted out of all of your suggestions.
When it comes to privacy online, there are several types of consent models—opt-in (sometimes called “explicit” consent), opt-out (sometimes called “implicit” consent), and hybrid. Different privacy regulations require different consent regimes. Staying compliant means keeping up to date with the latest laws.
In this article, we'll discuss the meaning of opt-in, opt-out, and hybrid consent; the laws that require each; and how to be sure you comply with all the privacy regulations.
Opt-in consent requires users to take a specific action that gives a business consent to collect and use their information. These activities include ticking a box, clicking a button, or taking another proactive measure to establish consent. Businesses may utilize these opt-in methods for marketing emails, newsletters, subscriptions, and cookies, or other data trackers.
Under many data privacy regulations, companies cannot collect consumers’ personal information without them saying “yes” explicitly first. That includes dropping cookies on the consumer’s browser, even if that makes it much more difficult to track user behavior.
Opt-in consent is more common outside the U.S., where data privacy laws like the General Data Protection Regulation (GDPR) are structured to give users more control over their data. Even when opt-in consent is not required, this method can build a greater level of trust with consumers and encourage brand loyalty—especially when handling sensitive information. Because opt-in consent requires a clear and explicit action, however, it can result in less user data for use in, say, marketing analytics.
The opt-out model (also referred to as implicit consent) requires businesses to divulge that they collect and use personal information and give consumers opt-out mechanisms. In contrast to the opt-in model, opt-out assumes consent until a person takes action to revoke permission.
For example, under the opt-out model businesses can install cookies on devices without explicit consent from users. However, they must display a cookie consent banner that informs users of their opt-out rights and gives them a means of setting their consent preferences. Users should also be provided with a link to a privacy policy that describes the business's data-sharing and processing practices as well as its privacy protection mechanisms.
Note that data privacy laws using the implicit consent model still require businesses to inform consumers very explicitly about any data collection. That’s why you still see cookie notices on websites that use this consent model. Consumers also need to be able to opt out easily; under the California Consumer Privacy Act (CCPA), as amended by the California Privacy Rights Act (CPRA), for instance, businesses need to include links on their homepage reading “Do Not Sell or Share My Personal Information” and “Limit the Use of My Sensitive Personal Information.”
Both opt-in and opt-out options serve as valid approaches to securing a consumer’s consent to data collection and processing—but only under certain laws and certain circumstances.
Opt-in or explicit consent is considered to be the higher standard, which is why it’s the default for regulations like the GDPR. The GDPR requires you to get the user’s permission to collect and use personal data such that it is freely given, specific, informed, and unambiguous, and only opt-in consent can meet that standard.
Opting out, by contrast, requires further action on the consumer’s part. They may have to navigate to a different UI to make their opt-out request, for instance. But, because businesses can collect data until the request to withdraw their consent is made, businesses using this model often have access to more data for a variety of purposes compared to those using an opt-in model.
Because the opt-out approach is more common in the U.S., U.S. privacy laws are often construed as being more business-friendly, while the GDPR is considered to be more consumer-friendly and mindful of consumers’ privacy concerns.
It’s important to note that even if you aren’t required to use opt-in consent, you may still wish to do so in order to play it safe with your organization’s compliance and demonstrate a greater commitment to consumer privacy and their sensitive data.
Privacy isn't always an either/or situation. Sometimes, both models are needed.
A hybrid model incorporates aspects of both opt-in and opt-out user consent depending on the type of information collected and how the business will use it. In this scenario, a company may use an opt-out regime for personal data and an opt-in regime for sensitive personal information.
MarketingWeek reported on a study by fast.MAP, in partnership with Tangible and Opt-4, on user behavior regarding consent. Of the respondents surveyed, "29% would opt-in to emails and other messages, compared with 51% who say they would not opt-out." Thus, the hybrid method gives consumers more control over how their personal data is collected and processed while providing businesses a better chance of receiving non-sensitive personal information.
It is possible to obtain actionable information while ethically complying with data privacy regulations. Once you know the obligations of privacy regulations, like the GDPR and CCPA/CPRA, you can tailor your business and marketing strategies and data practices. Whether it's opt-in or opt-out, you can secure consent without running afoul of the regulatory bodies.
In the EU, ePrivacy and the GDPR overlap a bit when it comes to what consent is required for the use of cookies. Together, they create a pretty rigid privacy regime. As such, these regulations give EU citizens significant control of their personal information, no matter where they are in the world.
The GDPR states that "consent must be freely given, specific, informed and unambiguous," as indicated by a "statement or a clear affirmative act." For example, a website needs to get consent for cookies before it can start collecting data from consumers in the EU. A business may use a cookie banner at the bottom of its website when a consumer from the EU visits for the first time. The language on the banner should be clear, easy to understand, and allow users to accept the cookies. Until the user communicates consent, the business cannot collect personal information or use tracking cookies to monitor consumer behavior.
While ePrivacy and the GDPR require explicit opt-in consent, the CCPA/CPRA gives consumers the right to opt out. This means that California residents over the age of 16 can tell businesses not to sell or share their personal information.
To give consumers adequate time and information to decide whether they should opt out of the sale of their data, the CCPA requires businesses to provide a "notice at collection" at the time of or before the point of collection. According to the CCPA, the notice should list the categories of personal information businesses collect about consumers and the reasons they'll use each type of data.
How should businesses treat minors under CCPA? Opt-in consent is the default for minors between the ages of 13 and 16. These children may opt into the sale/share of personal information, but it must not be collected or processed until then. Parents or guardians of children under 13 must opt in on their behalf.
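The rules above (EU opt-in for everything, California opt-out with the hybrid model's opt-in for sensitive data, and opt-in for minors) can be enforced in the browser before any tracking cookie is written. The gate below is an added example, not Osano's code; the region codes, category names, and the choice of opt-in for sensitive data in California are assumptions illustrating the article's hybrid model, and a "granted" choice for a child under 13 is assumed to have been recorded by a parent or guardian.

```javascript
// Added example: a consent gate applying the regimes described in the article.
// Region and category names are assumptions, not values from any regulation.
const OPT_IN = "opt-in";   // nothing is collected until the user affirmatively agrees
const OPT_OUT = "opt-out"; // collection is allowed until the user refuses

// Decide which consent regime governs one data category for one visitor.
function regimeFor(region, category, age) {
  if (region === "EU") return OPT_IN;                  // ePrivacy + GDPR: explicit consent for all cookies
  if (region === "CA") {
    if (age !== undefined && age < 16) return OPT_IN;  // CCPA: minors must opt in (parent/guardian under 13)
    return category === "sensitive" ? OPT_IN : OPT_OUT; // hybrid model: opt-in for sensitive PI, opt-out otherwise
  }
  return OPT_IN;                                       // unknown region: fall back to the stricter standard
}

// choices maps category -> "granted" | "refused", as recorded from the banner;
// a missing entry means the visitor has not acted yet.
function mayCollect({ region, category, age, choices = {} }) {
  const choice = choices[category];
  if (choice === "refused") return false;             // a withdrawal always wins, under either regime
  if (regimeFor(region, category, age) === OPT_IN) {
    return choice === "granted";                      // no action yet means no collection
  }
  return true;                                        // opt-out regime: allowed until refused
}

// Write a tracking cookie only when the gate permits it; returns whether it was set.
// `doc` defaults to the browser document and is injectable for testing.
function setTrackingCookie(ctx, name, value, doc = globalThis.document) {
  if (!mayCollect(ctx)) return false;
  doc.cookie = `${name}=${encodeURIComponent(value)}; path=/; Secure; SameSite=Lax`;
  return true;
}
```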
The data privacy landscape is constantly evolving, and staying on top of the latest compliance requirements can feel like a full-time job. More than 750,000 websites use Osano's Consent Management Platform to stay compliant with worldwide data privacy regulations. No matter where your web visitors come from, the intelligent consent feature displays and enforces the correct consent requirement based on geolocation data, with support in more than 40 languages.
With just one line of code, your website will be immediately compliant with the data privacy laws in over 50 countries. Sign up for a demo to see for yourself!