Products

Data Command Center
View

Data+AI Teams

Data+AI Security Teams

Data Governance Teams

Data Privacy Teams

Build safe enterprise AI systems

Safe Enterprise AI Copilots

Implement rule-aware AI copilots across your organization’s data anywhere

Data Vectorization and Ingestion

Extract info from complex Unstructured Files, convert it into AI-ready formats, and sync to vector databases

Data Curation and Sanitization for AI

Transform raw, unstructured files into data ready for model training and tuning

Context-aware LLM Firewalls

Protect AI interactions with intelligent retrieval, response, and prompt firewalls

Unstructured Data Governance

Manage and govern unstructured data to enable its safe use with generative AI

Secure Data+AI anywhere

Data Security Posture Management

Secure sensitive data everywhere from hybrid multicloud to SaaS

AI Security & Governance

Establish controls for safe adoption of AI technologies including GenAI

Security for AI Copilots in SaaS

Unblock the biggest impediments for Safe Adoption of AI Copilots like Microsoft 365 Copilot

Data Access Intelligence & Governance

Monitor user access to data and enforce least privilege controls

Data Discovery & Classification

Discover shadow and cloud-native assets and accurately classify data

Compliance Management

Assess & improve compliance with security best practices frameworks

Breach Impact Analysis

Analyze breach impact & automate notifications to affected individuals

Data Flow Governance

Understand data lineage and secure real-time streaming data

Govern data for safe innovation

Data Discovery & Classification

Discover shadow and cloud-native assets and accurately classify data

Unstructured Data Governance

Manage unstructured data to enable safe use with generative AI

Data Access Governance

Monitor sensitive data access and prevent unauthorized use

AI Governance

Establish controls for safe adoption of AI technologies including GenAI

Data Catalog

Enable users to easily find, understand, trust and access the data they need

Data Lineage

Automatically track changes and transformations of data throughout its lifecycle

Data Quality

Conduct data quality checks and validation across various data types

Automate data privacy operations

Data Mapping Automation

Manage your entire data mapping lifecycle and automate RoPA reports

AI Governance

Comply with emerging AI regulations and ensure safe use of AI

Data Subject Request Automation

Automate entire DSR lifecycle from consumer request intake to secure report delivery

Assessment Automation

Automate your entire assessment lifecycle and demonstrate compliance

Consent Management

Manage your first-party and third-party consent lifecycle from scanning to reporting

Breach Management

Automate your incident management and optimize notifications to users & regulatory bodies

Privacy Center

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere

Compliance Management

Use automation to audit and improve compliance with global regulations and industry standards
Solutions
Technologies

Covering you everywhere with 1000+ integrations across data systems.

GCP

View

AWS

View

Databricks

View

Snowflake

View

Azure

View

+ More

View

Learn more

Regulations & Frameworks

Automate compliance with global privacy regulations.

CDMC

View

EU AI Act

View

NIST AI RMF

View

European Union GDPR

View

California's CPRA

View

Brazil's LGPD

View

Canada's PIPEDA

View

China's PIPL

View

+ More

View

Learn more

Roles

Identify data risk and enable protection & control.

Data+AI Builders

View

Data Security

View

Data Privacy

View

Data Governance

View

Marketing

View
Resources

Blog

Read through our articles written by industry experts

Collateral

Product brochures, white papers, infographics, analyst reports and more.

Knowledge Center

Learn about the data privacy, security and governance landscape.

Securiti Education

Courses and Certifications for data privacy, security and governance professionals.

Webinars

Learn from industry thought leaders why you need a Data Command Center to enable safe use of data.
Company

About Us

Learn all about Securiti, our mission and history

Partner Program

Join our Partner Program

Contact Us

Contact us to learn more or schedule a demo

News Coverage

Read about Securiti in the news

Press Releases

Find our latest press releases

Careers

Join the talented Securiti team

Opt In vs Opt Out Consent: What’s the Difference?

Download: Consent Report Q2 2024

Author

Senior Data Privacy Consultant at Securiti

FIP, CIPT, CIPM, CIPP/US

The global hunger for data collection is increasing exponentially. With businesses starting to collect more and more personal data, a rapid emergence in data privacy laws and regulations can be observed worldwide.

The opt in consent model requires a user to perform an affirmative action before they can be sent any marketing emails. Alternatively, opt out consent model has the users signed up to receive marketing emails by default and require an action from the user to opt out of receiving such mails.

What is an Example of Opt-In?

Here, whenever users visit a website, they can manually opt in to retain their online activity for various purposes. When a user first arrives on this page, all boxes are unchecked. The user can choose to opt-in to any box of their choice or select them all, indicating the website of their preferences.

An opt-in consent can be successfully implemented as follows:

Process users’ personal data only once their consent has been obtained,
Ask users to either accept or reject the use of cookies by providing equal prominences to “accept” and “reject” options on the consent banner,
Provide sufficient information to users about why their personal data will be collected and what it will be used for,
Allow individual cookie category selection based on the purposes of cookies, and
Ensure not to use any dark pattern to obtain the user’s consent, including pre-ticked checkboxes and cookie walls.

There are two main ways through which opt-out options are offered to the consumer:

Pre-emptive opt-out – a consumer can untick/uncheck a pre-selected checkbox or otherwise undo a confirmation indicating their refusal to data processing.
Consent withdrawal – where users are provided a clear option to withdraw their permission or change their preferences concerning the treatment of their personal data.

What is an Example of Opt-Out?

An opt-out consent can be successfully implemented as follows:

- Indicate the “Do Not Sell My Personal Information” button or link on the website's homepage as well as in the privacy policy enabling users to opt-out of the sale and sharing of their personal data. This is relevant for compliance with the CCPA,
- Provide sufficient information to users about the categories of personal data to be collected and their purposes, including the sensitive personal data and their purposes,
- Inform users whether or not their personal data is sold or shared, the length of time the organization intends to retain each category of personal data, or, if not possible, the criteria used to determine such period, and
- Ensure not to use any dark pattern, such as not making the “opt-out” or “Do Not Sell My Personal Information” option prominent enough for the user to view on the web page.

The CCPA is based on an opt-out consent practice. Even though countries are increasingly becoming opt-in consent regimes due to users’ growing privacy concerns, countries like the United States, Australia, Hong Kong, and Switzerland still have opt-out consent requirements.

Opt-In and Opt-Out in Cookies

Cookie laws, primarily after the introduction of the e-Privacy Directive in the EU have brought forward strict regulations around cookies, enabling opt-in and opt-out cookie consent banners as two of the most significant measures for compliance.

Opt-in and opt-out for cookies typically come in the shape of cookie banners/pop-ups. As witnessed in the examples above, opt-in regimes require websites to obtain explicit consent from users. On the other hand, opt-out in cookies are marked consent by default, unless the user rejects the request or withdraws the consent later.

This means non-essential cookies are already activated on a webpage and can get deactivated once a user opts-out. As a matter of best practice, organizations must let users acknowledge the opt-out cookie consent banner first and then drop the cookies even in an opt-out cookie consent regime.

Most data protection and cookie laws demand websites to provide crystal clear and accurate information regarding their cookie policy (including the necessary ones) and their intended purpose to collect cookies. The aim is to empower users to make an informed decision both in the case of opt-in or opt-out consent regimes.

When and How to Use Opt-In & Opt-out

Let’s take a detailed look at when to use opt-in and opt-out under prominent data protection laws such as CCPA, GDPR, and LGPD.

Opt-Out under CCPA

The California Consumer Privacy Act, typically referred to as CCPA, provides consumers with the right to opt-out and stop businesses from selling their personal information.

Companies complying with CCPA must have clearly defined policies and adequate procedures in place to facilitate consumers with their right to opt-out of the sale of personal information. The CCPA requires businesses to have a button or a link stating “Do Not Sell My Personal Information” as a mandatory requirement.

How Does Opt-Out Work in CCPA?

Opt-out applies to California consumers ages 16 or older. Businesses must honor the consumer’s right to opt-out unless the consumer willingly decides to opt-in to the sale of their personal information.

What Does CCPA’s Opt-Out Mean for Businesses?

The CCPA only applies to businesses having:

More than $25 million in annual revenue,
Posses’ personal information on 50,000 people or households annually, or
Receive more than 50% of their revenue from the sale of personal information.

Businesses that fall under the CCPA criteria and deal with California residents have to comply with the CCPA that grants Californian users the “right to opt-out” of selling their personal data (Section 1798.120 (a) of CCPA.

The CCPA requires businesses to have opt-out banners visibly clear on the website’s homepage. Additionally, the company’s privacy policy must have a “Do Not Sell My Personal Information” section and functionality.

What Does CCPA Say about Minors?

Section 1798.120 (c) of the CCPA states:

[…] a business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information.

Businesses need to implement special opt-in measures when processing the data of those under 16 years of age. The popup consent banner must have an unchecked box by default.

GDPR has widespread implications for all businesses that receive traffic from EU citizens, even if these businesses are located outside the EU.

GDPR requires that users must be given the option to enable cookies out of their free will. Since there are various types of cookies serving different purposes, such as advertising cookies and analytics cookies, the user must have separate opt-in checkboxes for different cookie categories based on their purposes. In short, the GDPR requires consent to be opt-in.

GDPR defines consent as “freely given, specific, informed and unambiguous” given by a “clear affirmative action.” It is not acceptable to assign consent through the data subject’s silence or by supplying “pre-ticked boxes.”

The information on a cookie banner must be clear, plain and understandable by an average person. This means a message should be easily understandable for the average person and not only for lawyers and organisations must avoid using statements full of legal jargon.

Opt-in under the GDPR applies to any organization operating within the EU and any organizations outside of the EU that offer goods or services to customers in the EU. That ultimately means that almost every major corporation in the world to whom the GDPR applies needs to embed an opt-in mechanism.

Cookie banners are an ingenious way to obtain consent from the user. They can be placed at the bottom, top, or on either side of the website. However, the information presented must be easily accessible to the user and as a matter of user interface practice, it should not disrupt the user’s navigation experience. The cookie banner should be designed so that it does not disrupt a user’s navigation experience as well as be easily accessible to the user.

Since the GDPR applies to all businesses and organizations established inside and outside the EU, regardless of whether the data processing takes place in the EU or not, the opt-in mechanism automatically applies to them.

GDPR requires businesses to write clear privacy notices for children to understand what will happen to their personal data and be aware of their rights. Information needs to be concise, transparent and easily accessible form, using clear and plain language, addressed specifically to a child. Businesses must respect the consumer’s right to opt-in unless the consumer willingly decides to opt-out later on.

For children under 13 years of age, businesses need to get consent from whoever holds parental responsibility for the child - unless the business’s online service is preventive or counseling. Member states can provide by law a lower age, but the age cannot be below 13 years.

Opt-In under LDPD

The Brazilian General Data Protection Law, Lei Geral de Proteção de Dados Pessoais, commonly known as LGPD, regulates how personal data of individuals located in Brazil can be collected, used, and processed. Under the LGPD, consent must be free, informed, and unambiguous.

How Does Opt-In Work in LGPD?

The LGPD impacts Brazilian companies and any business that targets Brazilian individuals or collects, uses, or processes the personal data of Brazilian individuals regardless of where the business is located.

What Does LGPD’s Opt-In Mean for Businesses?

The LGPD requires businesses to:

Prompt consumers to “accept” cookies and other tracking technologies before installing non-essential cookies on website; and
Consent must be a “free, informed and unambiguous manifestation whereby the data subject agrees to their processing of personal data for a given purpose.

For consent to be valid under the LGPD, a consumer must actively confirm their consent by ticking an unchecked opt-in box.

What Does LGPD Say about Minors?

Regarding consent for children, the LGPD does not explicitly provide for any age. The age for contractual capacity is 18 years old in Brazil. As per the Law No. 8069 for the Statute of Children and Adolescents and Other Measures and the Brazilian Civil Code, consent might be given by a 12 to 18 year old natural person as long as the processing is in his/her best interests.

How Opt-In Pans Out in Email Marketing

Opt-in emails are required when a business sends emails to a consumer after they willingly provide their email address for email marketing purposes.

Most countries, including New Zealand, Canada, Australia, Hong Kong, Singapore, the United Kingdom, and all European Union countries, require you to obtain explicit opt-in consent from individuals before sending them marketing communications. This requires you to ensure the following steps:

Show the checkbox on the website for users to select whether they want to receive marketing communications. Do not pre-tick checkboxes (default unchecked).
Provide the option to opt-out in every subsequent marketing communication by including language at the bottom that instructs users how to opt-out. For example: If you do not wish to receive further marketing emails from us, please click here.

How Opt-out Pans Out in Email Marketing

Marketing emails are a great way to reach a target audience, but they’re a nuisance for users who do not wish to receive them. As a matter of good practice, marketing emails should include an opt-out link in every email. An example of this is ‘unsubscribe me from the list.’

Organisations operating in the United States have to comply with the CAN-SPAM Act in relation to their direct marketing practices. The CAN-SPAM Act creates the following major rules for organizations:

Easily identifiable and apparent unsubscribe functionality: The marketing message must be clearly identifiable as a commercial communication and organisations must inform recipients how to opt-out of receiving future emails from them in every single marketing email communication. Opt-out requests must be honored promptly and maximum within 10 business days.
Relevant and accurate subject lines and content body: Organisations must not use false or misleading header information including the originating name and email address or deceptive subject lines.
A visible physical address: Organisations must tell recipients where they are located and provide them a valid physical postal address.

Opt-out Functionality When Retargeting Users

In countries where opt-out consent is applicable, businesses must allow users to opt-out if they send remarketing emails. Retargeting emails are a form of digital marketing strategy that deliberately targets users based on their previous choices.

Opt-out Functionality from Third-Party Tools

Most users and businesses use multiple third-party tools, plugins, and extensions that share users’ personal data with these tools. The tool’s terms and conditions and its privacy policy can determine what type of personal data is being collected and shared with multiple parties.

As such, in countries where opt-out consent is applicable, businesses must have built-in opt-out functionality that provides users with an option to opt-out/unsubscribe from having their personal data broadcasted to third parties.

How Securiti Can Help

All consent rules related to collecting and processing personal data apply to cookies and similar tracking and identification technologies as well as where consent is used as a lawful basis such as for direct marketing purposes.

Therefore, organizations must consider consent principles as per their respective consent regime before installing any tracking technology on the user’s terminal equipment and collecting users’ personal data.

Failure to comply with consent requirements may expose organizations to excessive amounts of fines and penalties. As a result, organizations are encouraged to be responsible custodians of their consumers’ data and implement the correct consent practice as per the applicable consent regime.

Through Securiti’s State of Global Consent Requirements, find out consent requirements of more than 40 countries, including how consent is defined, consent as a lawful basis of data processing, specific rules on cookies, and learn whether you should implement opt-in or opt-out consent practice.

Securiti’s PrivacyOps approach enables organizations to comply with the applicable consent requirements using automatic scanning, auto-blocking, and preference center features. With the help of robotic automation and artificial intelligence, organizations can make cookie compliance a swift and straightforward process.

Key Takeaways:

Rising Demand for Data Collection: The global appetite for data collection is growing exponentially, prompting the emergence of stringent data privacy laws worldwide.
Opt-In vs. Opt-Out Consent Models:
1. Opt-In Consent: Requires users to actively subscribe to marketing emails, providing their information willingly.
2. Opt-Out Consent: Users are automatically signed up for marketing emails unless they take action to unsubscribe.
Global Privacy Regulations: Most international data privacy laws mandate organizations to obtain user consent and respect their choices regarding data collection and processing.
Understanding Opt-In and Opt-Out:
1. Opt-In: Users actively choose to receive emails or newsletters, typically by checking boxes indicating their preferences.
2. Opt-Out: Users must take action to unsubscribe from marketing emails, often through checkboxes or explicit instructions.
Examples of Opt-In and Opt-Out Implementation:
1. Opt-In Example: Users manually select preferences on a website, ensuring transparency and informed consent.
2. Opt-Out Example: Websites offer a clear 'Do Not Sell My Personal Information' option, empowering users to control data usage.
Opt-In and Opt-Out in Cookies: Cookie laws, especially in the EU, emphasize opt-in consent for cookies, ensuring users' explicit agreement before data collection.
Application of Opt-In and Opt-Out in Major Data Protection Laws:
1. CCPA (Opt-Out): California residents have the right to opt-out of data sales, with clear opt-out mechanisms required by businesses.
2. GDPR (Opt-In): EU citizens must provide explicit consent for cookies and data processing, with clear, accessible information provided.
3. LGPD (Opt-In): Brazilian individuals' personal data processing requires free, informed, and unambiguous consent.
Opt-In and Opt-Out in Email Marketing:
1. Opt-In Emails: Businesses must obtain explicit consent before sending marketing communications, with clear options for users to select preferences.
2. Opt-Out Emails: Marketing emails should include visible unsubscribe links, complying with regulations like the CAN-SPAM Act.
Opt-Out Functionality in Retargeting and Third-Party Tools: Users should have the option to opt-out of remarketing emails and data sharing with third-party tools, aligning with opt-out consent requirements.
Importance of Compliance: Failure to comply with consent requirements may lead to significant fines and penalties, emphasizing the need for responsible data stewardship and proper consent practices.
Securiti's Role: Securiti's PrivacyOps approach aids organizations in complying with consent requirements through automatic scanning, auto-blocking, and preference center features, streamlining cookie compliance and data protection efforts.

Opt-in is giving explicit consent from an individual before engaging in any activity such as sending marketing emails. Whereas opt-out is the process of allowing individuals to decline or withdraw from participating in a certain activity such as receiving marketing communications.

The best example of Opt-in is when you subscribe to a newsletter after providing an email address. Whereas opt-out is when you choose to unsubscribe from a newsletter to stop receiving emails.

Opt-in is generally considered better for privacy and consent which is often required by data protection regulations. Opt-out might be seen as less privacy-friendly as it places the onus on individuals to actively take action to avoid something they don’t want.

Opt In vs Opt Out Consent: What’s the Difference?

What is the Difference Between Opt-In and Opt-Out