Securiti PrivacyOps Named a Leader in The Forrester WaveTM


The global appetite for data collection is growing rapidly. As businesses collect more and more personal data, data privacy laws and regulations are emerging quickly worldwide.

Today, most international data privacy laws require organizations to rely on the users’ consent and respect their choices for collecting and processing their data online. With the world becoming more digital, consent requirements are only expected to become stricter.

Where the user’s consent is the lawful basis for data processing, most global privacy laws can be classified as either opt-in or opt-out consent regimes.

What is the Difference Between Opt-In and Opt-Out?

Let’s dive deeper into opt-in and opt-out measures to understand the difference between the two and what they aim to achieve.

What is Opt-In?

An opt-in consent requires organizations to obtain explicit consent from the user before collecting and processing their personal data. It refers to an affirmative action taken by the user indicating their consent to allow processing of their personal data.

What is an Example of Opt-In?

[Image: opt-in consent banner with unchecked cookie category boxes]

In this example, users visiting the website can manually opt in to having their online activity retained for various purposes. When a user first arrives on the page, all boxes are unchecked. The user can opt in to any individual box or select them all, indicating their preferences to the website.

An opt-in consent can be successfully implemented as follows:

  • Process users’ personal data only once their consent has been obtained,
  • Ask users to either accept or reject the use of cookies by giving equal prominence to the “accept” and “reject” options on the consent banner,
  • Provide sufficient information to users about why their personal data will be collected and what it will be used for,
  • Allow individual cookie category selection based on the purposes of cookies, and
  • Ensure not to use any dark pattern to obtain the user’s consent, including pre-ticked checkboxes and cookie walls.

What is Opt-Out?

Under an opt-out consent regime, organizations do not need to obtain the user’s explicit consent before collecting and processing their personal data; consent is assumed by default, and users are instead given a way to take action and withdraw their consent to the processing of their personal data.

There are two main ways through which opt-out options are offered to the consumer:

  1. Pre-emptive opt-out – a consumer can untick/uncheck a pre-selected checkbox or otherwise undo a confirmation, indicating their refusal of data processing.
  2. Consent withdrawal – where users are provided a clear option to withdraw their permission or change their preferences concerning the treatment of their personal data.

What is an Example of Opt-Out?

[Image: opt-out consent banner with a “Do Not Sell My Personal Information” option]

An opt-out consent can be successfully implemented as follows:

  • Display a “Do Not Sell My Personal Information” button or link on the website's homepage as well as in the privacy policy, enabling users to opt out of the sale and sharing of their personal data. This is relevant for compliance with the CCPA,
  • Provide sufficient information to users about the categories of personal data to be collected and their purposes, including sensitive personal data and its purposes,
  • Inform users whether or not their personal data is sold or shared, and how long the organization intends to retain each category of personal data or, if that is not possible, the criteria used to determine the retention period, and
  • Ensure not to use any dark pattern, such as making the “opt-out” or “Do Not Sell My Personal Information” option too inconspicuous for the user to notice on the web page.

[Image: CCPA “Do Not Sell My Personal Information” link]

The CCPA is based on an opt-out consent practice. Even though countries are increasingly adopting opt-in consent regimes in response to users’ growing privacy concerns, countries like the United States, Australia, Hong Kong, and Switzerland still have opt-out consent requirements.

Opt-In and Opt-Out in Cookies

Cookie laws, primarily since the introduction of the ePrivacy Directive in the EU, have brought strict regulations around cookies, making opt-in and opt-out cookie consent banners two of the most significant compliance measures.

Opt-in and opt-out for cookies typically come in the shape of cookie banners/pop-ups. As seen in the examples above, opt-in regimes require websites to obtain explicit consent from users. Under an opt-out regime, on the other hand, consent to cookies is assumed by default unless the user rejects the request or withdraws consent later.

This means non-essential cookies are already active on a web page and are deactivated once a user opts out. As a matter of best practice, even in an opt-out cookie consent regime, organizations must let users acknowledge the opt-out cookie consent banner first and only then drop the cookies.

Most data protection and cookie laws require websites to provide clear and accurate information about their cookie policy (including strictly necessary cookies) and the purposes for which cookies are set. The aim is to empower users to make an informed decision under either an opt-in or an opt-out consent regime.
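The two regimes described above, as an added JavaScript example that is not code from the original page or from Securiti: a small consent-gated loader that runs in Node without a browser. The banner's default checkbox state differs by regime, nothing non-essential runs until the banner has been acknowledged (the best practice above, applied to the opt-out case as well), tags registered before consent are held until their category is allowed, and withdrawal from a preference center blocks the category and is logged. The category names, the 'opt-in'/'opt-out' labels, the `demo` scenario and the audit-record shape are assumptions made for this illustration.

```javascript
// Added example, not Securiti's code: consent-gated loader for the opt-in and
// opt-out cookie regimes. Category names, regime labels, the demo scenario and
// the audit-record shape are assumptions made for this illustration.

const CATEGORIES = ['necessary', 'analytics', 'advertising']; // assumed categories

class ConsentManager {
  // regime: 'opt-in' (a non-essential box must be ticked by the user) or
  // 'opt-out' (non-essential boxes are pre-selected and may be unticked).
  constructor(regime, clock = () => new Date().toISOString()) {
    if (regime !== 'opt-in' && regime !== 'opt-out') throw new Error(`unknown regime: ${regime}`);
    this.regime = regime;
    this.clock = clock;
    this.acknowledged = false;            // true once the user has acted on the banner
    this.choices = this.bannerDefaults(); // current state of the banner's checkboxes
    this.audit = [];                      // consent records kept as evidence
    this.queued = new Map();              // category -> callbacks waiting for consent
  }

  // Initial checkbox state. Opt-in: every non-essential box starts unticked,
  // because a pre-ticked box is a dark pattern and not valid consent.
  // Opt-out: boxes are pre-selected so the user can untick them.
  bannerDefaults() {
    const defaults = {};
    for (const c of CATEGORIES) defaults[c] = c === 'necessary' || this.regime === 'opt-out';
    return defaults;
  }

  // A non-essential category may be used only after the banner was acknowledged
  // and its box is ticked. Even under opt-out nothing is dropped before the
  // user has seen the banner.
  isAllowed(category) {
    if (!CATEGORIES.includes(category)) throw new Error(`unknown category: ${category}`);
    if (category === 'necessary') return true;
    return this.acknowledged && this.choices[category] === true;
  }

  // The user acts on the banner. `selection` holds only the boxes they changed;
  // untouched boxes keep the defaults. Strictly necessary cookies cannot be refused.
  submit(selection = {}) {
    for (const [c, v] of Object.entries(selection)) {
      if (!CATEGORIES.includes(c) || typeof v !== 'boolean') throw new Error(`bad selection: ${c}`);
      if (c === 'necessary' && v === false) throw new Error('necessary cookies cannot be refused');
      this.choices[c] = v;
    }
    this.acknowledged = true;
    this.record('submit');
    this.flush();
    return { ...this.choices };
  }

  // Consent withdrawal from a preference center. Future use is blocked here;
  // cookies already set for the category must be deleted by the caller.
  withdraw(category) {
    if (!CATEGORIES.includes(category) || category === 'necessary') {
      throw new Error(`cannot withdraw: ${category}`);
    }
    this.choices[category] = false;
    this.record(`withdraw:${category}`);
    return { ...this.choices };
  }

  // Gate a tag on a category: run it now if allowed, otherwise hold it until
  // consent for that category arrives.
  when(category, callback) {
    if (this.isAllowed(category)) { callback(); return 'ran'; }
    if (!this.queued.has(category)) this.queued.set(category, []);
    this.queued.get(category).push(callback);
    return 'queued';
  }

  flush() {
    for (const [category, callbacks] of this.queued) {
      if (!this.isAllowed(category)) continue;
      callbacks.forEach((cb) => cb());
      this.queued.delete(category);
    }
  }

  record(action) {
    this.audit.push({ at: this.clock(), regime: this.regime, action, choices: { ...this.choices } });
  }
}

// Constructed scenario: an analytics tag is registered before any interaction,
// the user clicks through the banner without changing anything, and later
// withdraws analytics from the preference center.
function demo(regime) {
  const loaded = [];
  const cm = new ConsentManager(regime, () => '2024-01-01T00:00:00Z'); // fixed clock
  const beforeBanner = cm.when('analytics', () => loaded.push('analytics'));
  const afterBanner = cm.submit({});
  cm.withdraw('analytics');
  const afterWithdraw = cm.when('analytics', () => loaded.push('analytics'));
  return { beforeBanner, afterBanner, loaded, afterWithdraw, records: cm.audit.length };
}
```

`demo('opt-in')` never loads the tag, because the user never ticked analytics; `demo('opt-out')` loads it once, after the banner is acknowledged, and blocks it again after withdrawal. Equal prominence of "accept" and "reject", and deleting cookies a withdrawn category has already set, are left to the surrounding UI and server code.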

When and How to Use Opt-In & Opt-Out

Let’s take a detailed look at when to use opt-in and opt-out under prominent data protection laws such as CCPA, GDPR, and LGPD.

Opt-Out under CCPA

The California Consumer Privacy Act, typically referred to as CCPA, provides consumers with the right to opt-out and stop businesses from selling their personal information.

Companies complying with the CCPA must have clearly defined policies and adequate procedures in place to let consumers exercise their right to opt out of the sale of personal information. The CCPA makes a button or link stating “Do Not Sell My Personal Information” a mandatory requirement.

How Does Opt-Out Work in CCPA?

Opt-out applies to California consumers ages 16 or older. Businesses must honor the consumer’s right to opt-out unless the consumer willingly decides to opt-in to the sale of their personal information.

What Does CCPA’s Opt-Out Mean for Businesses?

The CCPA only applies to businesses that:

  • Have more than $25 million in annual revenue,
  • Possess personal information on 50,000 people or households annually, or
  • Receive more than 50% of their revenue from the sale of personal information.

Businesses that meet the CCPA criteria and deal with California residents have to comply with the CCPA, which grants California users the “right to opt-out” of the sale of their personal data (Section 1798.120(a) of the CCPA).

The CCPA requires businesses to have opt-out banners visibly clear on the website’s homepage. Additionally, the company’s privacy policy must have a “Do Not Sell My Personal Information” section and functionality.

What Does CCPA Say about Minors?

Section 1798.120 (c) of the CCPA states:

[…] a business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer’s parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer’s personal information.

Businesses need to implement special opt-in measures when processing the data of those under 16 years of age. The popup consent banner must have an unchecked box by default.

Opt-In under GDPR

GDPR has widespread implications for all businesses that receive traffic from EU citizens, even if these businesses are located outside the EU.

The GDPR requires that users be given the option to enable cookies of their own free will. Since there are various types of cookies serving different purposes, such as advertising cookies and analytics cookies, the user must have separate opt-in checkboxes for the different cookie categories based on their purposes. In short, the GDPR requires consent to be opt-in.

GDPR defines consent as “freely given, specific, informed and unambiguous” given by a “clear affirmative action.” It is not acceptable to assign consent through the data subject’s silence or by supplying “pre-ticked boxes.”

The information on a cookie banner must be clear, plain, and understandable by an average person, not only by lawyers; organisations must avoid statements full of legal jargon.

How Does Opt-In Work in GDPR?

Opt-in under the GDPR applies to any organization operating within the EU and any organizations outside of the EU that offer goods or services to customers in the EU. That ultimately means that almost every major corporation in the world to whom the GDPR applies needs to embed an opt-in mechanism.

Cookie banners are an ingenious way to obtain consent from the user. They can be placed at the bottom, top, or on either side of the website. However, the information presented must be easily accessible to the user, and as a matter of user interface practice the banner should not disrupt the user’s navigation experience.

What Does GDPR’s Opt-In Mean for Businesses?

Since the GDPR applies to all businesses and organizations established inside and outside the EU, regardless of whether the data processing takes place in the EU or not, the opt-in mechanism automatically applies to them.

What Does GDPR Say about Minors?

The GDPR requires businesses to write clear privacy notices so that children understand what will happen to their personal data and are aware of their rights. The information needs to be in a concise, transparent, and easily accessible form, using clear and plain language, addressed specifically to a child. Businesses must respect the consumer’s right to opt in unless the consumer willingly decides to opt out later on.

For children under 13 years of age, businesses need to get consent from whoever holds parental responsibility for the child, unless the business’s online service is a preventive or counselling service. Member states can provide by law for a lower age, but the age cannot be below 13 years.

Opt-In under LGPD

The Brazilian General Data Protection Law, Lei Geral de Proteção de Dados Pessoais, commonly known as LGPD, regulates how personal data of individuals located in Brazil can be collected, used, and processed. Under the LGPD, consent must be free, informed, and unambiguous.

How Does Opt-In Work in LGPD?

The LGPD impacts Brazilian companies and any business that targets Brazilian individuals or collects, uses, or processes the personal data of Brazilian individuals regardless of where the business is located.

What Does LGPD’s Opt-In Mean for Businesses?

The LGPD requires businesses to:

  • Prompt consumers to “accept” cookies and other tracking technologies before installing non-essential cookies on the website; and
  • Obtain consent that is a “free, informed and unambiguous manifestation whereby the data subject agrees to the processing of their personal data for a given purpose.”

For consent to be valid under the LGPD, a consumer must actively confirm their consent by ticking an unchecked opt-in box.

What Does LGPD Say about Minors?

Regarding consent for children, the LGPD does not explicitly provide for any age. The age of contractual capacity in Brazil is 18 years. As per Law No. 8069 (the Statute of Children and Adolescents and Other Measures) and the Brazilian Civil Code, consent might be given by a 12- to 18-year-old natural person as long as the processing is in their best interests.

How Opt-In Pans Out in Email Marketing

Opt-in email marketing means a business sends marketing emails to a consumer only after the consumer has willingly provided their email address for that purpose.

Most countries, including New Zealand, Canada, Australia, Hong Kong, Singapore, the United Kingdom, and all European Union countries, require you to obtain explicit opt-in consent from individuals before sending them marketing communications. This requires you to ensure the following steps:

  1. Show a checkbox on the website for users to select whether they want to receive marketing communications. Do not pre-tick the checkbox (default unchecked).
  2. Provide an opt-out option in every subsequent marketing communication by including language at the bottom that tells users how to opt out, for example: “If you do not wish to receive further marketing emails from us, please click here.”

How Opt-out Pans Out in Email Marketing

Marketing emails are a great way to reach a target audience, but they’re a nuisance for users who do not wish to receive them. As a matter of good practice, marketing emails should include an opt-out link in every email. An example of this is ‘unsubscribe me from the list.’

Organisations operating in the United States have to comply with the CAN-SPAM Act in relation to their direct marketing practices. The CAN-SPAM Act creates the following major rules for organizations:

  • Easily identifiable and apparent unsubscribe functionality: The marketing message must be clearly identifiable as a commercial communication, and organisations must tell recipients how to opt out of future emails in every single marketing email. Opt-out requests must be honored promptly, and within 10 business days at most.
  • Relevant and accurate subject lines and content body: Organisations must not use false or misleading header information including the originating name and email address or deceptive subject lines.
  • A visible physical address: Organisations must tell recipients where they are located and provide them a valid physical postal address.
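The email marketing rules above (an opt-in box that defaults to unchecked, an opt-out instruction in every message, and opt-outs honored within 10 business days), as an added JavaScript example that is not Securiti's code and runs in Node. The subscriber record fields, the 'opt-in'/'opt-out' regime labels, the sample addresses and dates are constructed assumptions; public holidays are ignored in the business-day count.

```javascript
// Added example, not Securiti's code: sender-side checks for the email marketing
// rules discussed above. Subscriber fields, regime labels and sample data are
// constructed assumptions for this illustration.

const OPT_OUT_DEADLINE_BUSINESS_DAYS = 10; // CAN-SPAM: honor opt-out within 10 business days

// Create a subscriber record from a sign-up form. The marketing checkbox must
// default to unchecked; only an explicit tick counts as opt-in consent.
function recordSignup({ email, marketingBoxChecked, boxDefaultChecked, signedUpAt }) {
  if (boxDefaultChecked) throw new Error('marketing checkbox must default to unchecked');
  const consented = marketingBoxChecked === true;
  return { email, marketingConsent: consented, consentAt: consented ? signedUpAt : null,
           unsubscribedAt: null, unsubscribeProcessedAt: null };
}

// Add n business days (Mon-Fri) to a YYYY-MM-DD date; public holidays are ignored here.
function addBusinessDays(isoDate, n) {
  const d = new Date(isoDate);
  for (let left = n; left > 0; ) {
    d.setUTCDate(d.getUTCDate() + 1);
    const day = d.getUTCDay();
    if (day !== 0 && day !== 6) left -= 1;
  }
  return d.toISOString().slice(0, 10);
}

// Whether a marketing email may go to this subscriber under the given regime.
// Opt-in: explicit consent required. Opt-out: allowed until they unsubscribe.
// A pending unsubscribe blocks sending at once, not only at the legal deadline.
function canSendMarketing(sub, regime) {
  if (sub.unsubscribedAt !== null) return false;
  if (regime === 'opt-in') return sub.marketingConsent === true;
  if (regime === 'opt-out') return true;
  throw new Error(`unknown regime: ${regime}`);
}

// Record an unsubscribe request made from the link in a marketing email.
function recordUnsubscribe(sub, at) {
  return { ...sub, marketingConsent: false, unsubscribedAt: at };
}

// Footer every marketing email must carry: how to opt out, plus a postal address.
function marketingFooter(unsubscribeUrl, postalAddress) {
  return `If you do not wish to receive further marketing emails from us, unsubscribe here: ${unsubscribeUrl}\n${postalAddress}`;
}

// Unsubscribe requests still unprocessed after the deadline, as of `today` (YYYY-MM-DD).
function overdueUnsubscribes(subs, today) {
  return subs
    .filter((s) => s.unsubscribedAt !== null && s.unsubscribeProcessedAt === null)
    .filter((s) => today > addBusinessDays(s.unsubscribedAt, OPT_OUT_DEADLINE_BUSINESS_DAYS))
    .map((s) => s.email);
}

// Constructed sample data: two sign-ups, one of whom later unsubscribes.
function demo() {
  const alice = recordSignup({ email: 'alice@example.com', marketingBoxChecked: true,
                               boxDefaultChecked: false, signedUpAt: '2024-01-01' });
  const bob = recordSignup({ email: 'bob@example.com', marketingBoxChecked: false,
                             boxDefaultChecked: false, signedUpAt: '2024-01-01' });
  const aliceOut = recordUnsubscribe(alice, '2024-01-01'); // unsubscribes on a Monday
  return {
    optInAlice: canSendMarketing(alice, 'opt-in'),
    optInBob: canSendMarketing(bob, 'opt-in'),
    optOutBob: canSendMarketing(bob, 'opt-out'),
    afterUnsubscribe: canSendMarketing(aliceOut, 'opt-out'),
    deadline: addBusinessDays(aliceOut.unsubscribedAt, OPT_OUT_DEADLINE_BUSINESS_DAYS),
    overdueOnDeadline: overdueUnsubscribes([aliceOut, bob], '2024-01-15'),
    overdueNextDay: overdueUnsubscribes([aliceOut, bob], '2024-01-16'),
  };
}
```

In `demo()`, Bob (box left unticked) is mailable under an opt-out regime but not under opt-in, Alice is blocked the moment she unsubscribes, and her request shows up in `overdueUnsubscribes` only once the 10-business-day window has passed, which is the check a sending pipeline would run before each campaign.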

Opt-out Functionality When Retargeting Users

In countries where opt-out consent is applicable, businesses must allow users to opt-out if they send remarketing emails. Retargeting emails are a form of digital marketing strategy that deliberately targets users based on their previous choices.

Opt-out Functionality from Third-Party Tools

Most businesses use multiple third-party tools, plugins, and extensions, and users’ personal data is shared with these tools. The tool’s terms and conditions and its privacy policy determine what type of personal data is collected and shared with other parties.

As such, in countries where opt-out consent is applicable, businesses must have built-in opt-out functionality that gives users the option to opt out of/unsubscribe from having their personal data broadcast to third parties.

How Securiti Can Help

All consent rules related to collecting and processing personal data apply to cookies and similar tracking and identification technologies as well as where consent is used as a lawful basis such as for direct marketing purposes.

Therefore, organizations must consider consent principles as per their respective consent regime before installing any tracking technology on the user’s terminal equipment and collecting users’ personal data.

Failure to comply with consent requirements may expose organizations to excessive amounts of fines and penalties. As a result, organizations are encouraged to be responsible custodians of their consumers’ data and implement the correct consent practice as per the applicable consent regime.

Through Securiti’s State of Global Consent Requirements, find out consent requirements of more than 40 countries, including how consent is defined, consent as a lawful basis of data processing, specific rules on cookies, and learn whether you should implement opt-in or opt-out consent practice.

Securiti’s PrivacyOps approach enables organizations to comply with the applicable consent requirements using automatic scanning, auto-blocking, and preference center features. With the help of robotic automation and artificial intelligence, organizations can make cookie compliance a swift and straightforward process.
