Securiti PrivacyOps Named a Leader in The Forrester WaveTMDownload Now
Published on December 5, 2021 AUTHOR - PRIVACY RESEARCH TEAM
The global hunger for data collection is increasing exponentially. With businesses starting to collect more and more personal data, a rapid emergence in data privacy laws and regulations can be observed worldwide.
Today, most international data privacy laws require organizations to rely on the users’ consent and respect their choices for collecting and processing their data online. With the world becoming more digital, consent requirements are only expected to become stricter.
When relying on the user’s consent as a lawful basis for data processing, most global privacy laws can be classified as either opt-in or opt-out consent regimes.
Let’s dive deeper into opt-in and opt-out measures to understand the difference between the two and what they aim to achieve.
An opt-in consent requires organizations to obtain explicit consent from the user before collecting and processing their personal data. It refers to an affirmative action taken by the user indicating their consent to allow processing of their personal data.
Here, whenever users visit a website, they can manually opt in to retain their online activity for various purposes. When a user first arrives on this page, all boxes are unchecked. The user can choose to opt-in to any box of their choice or select them all, indicating the website of their preferences.
An opt-in consent can be successfully implemented as follows:
An opt-out consent does not require organizations to obtain the user’s consent before collecting and processing their personal data. It refers to allowing users to take action to withdraw their consent to the processing of their personal data.
There are two main ways through which opt-out options are offered to the consumer:
An opt-out consent can be successfully implemented as follows:
The CCPA is based on an opt-out consent practice. Even though countries are increasingly becoming opt-in consent regimes due to users’ growing privacy concerns, countries like the United States, Australia, Hong Kong, and Switzerland still have opt-out consent requirements.
Cookie laws, primarily after the introduction of the e-Privacy Directive in the EU have brought forward strict regulations around cookies, enabling opt-in and opt-out cookie consent banners as two of the most significant measures for compliance.
Opt-in and opt-out for cookies typically come in the shape of cookie banners/pop-ups. As witnessed in the examples above, opt-in regimes require websites to obtain explicit consent from users. On the other hand, opt-out in cookies are marked consent by default, unless the user rejects the request or withdraws the consent later.
This means non-essential cookies are already activated on a webpage and can get deactivated once a user opts-out. As a matter of best practice, organizations must let users acknowledge the opt-out cookie consent banner first and then drop the cookies even in an opt-out cookie consent regime.
The California Consumer Privacy Act, typically referred to as CCPA, provides consumers with the right to opt-out and stop businesses from selling their personal information.
Companies complying with CCPA must have clearly defined policies and adequate procedures in place to facilitate consumers with their right to opt-out of the sale of personal information. The CCPA requires businesses to have a button or a link stating “Do Not Sell My Personal Information” as a mandatory requirement.
Opt-out applies to California consumers ages 16 or older. Businesses must honor the consumer’s right to opt-out unless the consumer willingly decides to opt-in to the sale of their personal information.
The CCPA only applies to businesses having:
Businesses that fall under the CCPA criteria and deal with California residents have to comply with the CCPA that grants Californian users the “right to opt-out” of selling their personal data (Section 1798.120 (a) of CCPA.
Section 1798.120 (c) of the CCPA states:
[…] a business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information.
Businesses need to implement special opt-in measures when processing the data of those under 16 years of age. The popup consent banner must have an unchecked box by default.
GDPR has widespread implications for all businesses that receive traffic from EU citizens, even if these businesses are located outside the EU.
GDPR requires that users must be given the option to enable cookies out of their free will. Since there are various types of cookies serving different purposes, such as advertising cookies and analytics cookies, the user must have separate opt-in checkboxes for different cookie categories based on their purposes. In short, the GDPR requires consent to be opt-in.
GDPR defines consent as “freely given, specific, informed and unambiguous” given by a “clear affirmative action.” It is not acceptable to assign consent through the data subject’s silence or by supplying “pre-ticked boxes.”
The information on a cookie banner must be clear, plain and understandable by an average person. This means a message should be easily understandable for the average person and not only for lawyers and organisations must avoid using statements full of legal jargon.
Opt-in under the GDPR applies to any organization operating within the EU and any organizations outside of the EU that offer goods or services to customers in the EU. That ultimately means that almost every major corporation in the world to whom the GDPR applies needs to embed an opt-in mechanism.
Cookie banners are an ingenious way to obtain consent from the user. They can be placed at the bottom, top, or on either side of the website. However, the information presented must be easily accessible to the user and as a matter of user interface practice, it should not disrupt the user’s navigation experience. The cookie banner should be designed so that it does not disrupt a user’s navigation experience as well as be easily accessible to the user.
Since the GDPR applies to all businesses and organizations established inside and outside the EU, regardless of whether the data processing takes place in the EU or not, the opt-in mechanism automatically applies to them.
GDPR requires businesses to write clear privacy notices for children to understand what will happen to their personal data and be aware of their rights. Information needs to be concise, transparent and easily accessible form, using clear and plain language, addressed specifically to a child. Businesses must respect the consumer’s right to opt-in unless the consumer willingly decides to opt-out later on.
For children under 13 years of age, businesses need to get consent from whoever holds parental responsibility for the child - unless the business’s online service is preventive or counseling. Member states can provide by law a lower age, but the age cannot be below 13 years.
GDPR requires businesses to write clear privacy notices for children to understand what will happen to their personal data and be aware of their rights. Information needs to be concise, transparent and easily accessible form, using clear and plain language, addressed specifically to a child.
The Brazilian General Data Protection Law, Lei Geral de Proteção de Dados Pessoais, commonly known as LGPD, regulates how personal data of individuals located in Brazil can be collected, used, and processed. Under the LGPD, consent must be free, informed, and unambiguous.
The LGPD impacts Brazilian companies and any business that targets Brazilian individuals or collects, uses, or processes the personal data of Brazilian individuals regardless of where the business is located.
The LGPD requires businesses to:
For consent to be valid under the LGPD, a consumer must actively confirm their consent by ticking an unchecked opt-in box.
Regarding consent for children, the LGPD does not explicitly provide for any age. The age for contractual capacity is 18 years old in Brazil. As per the Law No. 8069 for the Statute of Children and Adolescents and Other Measures and the Brazilian Civil Code, consent might be given by a 12 to 18 year old natural person as long as the processing is in his/her best interests.
Opt-in emails are required when a business sends emails to a consumer after they willingly provide their email address for email marketing purposes.
Most countries, including New Zealand, Canada, Australia, Hong Kong, Singapore, the United Kingdom, and all European Union countries, require you to obtain explicit opt-in consent from individuals before sending them marketing communications. This requires you to ensure the following steps:
Marketing emails are a great way to reach a target audience, but they’re a nuisance for users who do not wish to receive them. As a matter of good practice, marketing emails should include an opt-out link in every email. An example of this is ‘unsubscribe me from the list.’
Organisations operating in the United States have to comply with the CAN-SPAM Act in relation to their direct marketing practices. The CAN-SPAM Act creates the following major rules for organizations:
In countries where opt-out consent is applicable, businesses must allow users to opt-out if they send remarketing emails. Retargeting emails are a form of digital marketing strategy that deliberately targets users based on their previous choices.
As such, in countries where opt-out consent is applicable, businesses must have built-in opt-out functionality that provides users with an option to opt-out/unsubscribe from having their personal data broadcasted to third parties.
All consent rules related to collecting and processing personal data apply to cookies and similar tracking and identification technologies as well as where consent is used as a lawful basis such as for direct marketing purposes.
Therefore, organizations must consider consent principles as per their respective consent regime before installing any tracking technology on the user’s terminal equipment and collecting users’ personal data.
Failure to comply with consent requirements may expose organizations to excessive amounts of fines and penalties. As a result, organizations are encouraged to be responsible custodians of their consumers’ data and implement the correct consent practice as per the applicable consent regime.
Through Securiti’s State of Global Consent Requirements, find out consent requirements of more than 40 countries, including how consent is defined, consent as a lawful basis of data processing, specific rules on cookies, and learn whether you should implement opt-in or opt-out consent practice.
Securiti’s PrivacyOps approach enables organizations to comply with the applicable consent requirements using automatic scanning, auto-blocking, and preference center features. With the help of robotic automation and artificial intelligence, organizations can make cookie compliance a swift and straightforward process.
billed annually or monthly
|Number of domains||1||1|
|Configurable preference center||1|
|Automated website scanning|
|Automated cookie categorization|
|Automated banner code generation|
|Auto-blocking of 1st and 3rd party cookies|
|Geo-based cookie banner|
|IAB EU TCF v2.0 support|