Published on March 15, 2021. Author: Privacy Research Team
As the use of technology grows and businesses collect more and more personal data, data privacy laws and regulations are emerging rapidly all around the world. Today, most global privacy laws require organizations to rely on users’ consent and respect their choices for the collection and processing of their personal data online. As the world becomes more digital, consent requirements are only expected to become stricter. When it comes to relying on the user’s consent as a lawful basis of data processing, most global privacy laws can be classified as either opt-in or opt-out consent regimes.
Let's look at both kinds of consent regimes, their examples, and how organizations can implement consent practices as per respective jurisdictional requirements.
An opt-in consent regime requires organizations to obtain explicit consent from the user before the collection and processing of their personal data. Opt-in consent refers to an affirmative action taken by the user indicating their consent to the processing of their personal data.
An opt-in consent can be successfully implemented as follows:
The European Union’s General Data Protection Regulation (GDPR) serves as a prime example of an opt-in consent regime requiring the users’ consent to be freely given, specific, informed, and an unambiguous indication of the user’s wishes with respect to the treatment of their personal data.
In addition to the European Union, other examples of opt-in consent regimes include Brazil, Canada, Chile, Colombia, India, Mexico, Morocco, Malaysia, South Africa, South Korea, Japan, Taiwan, and the United Kingdom. The United States’ California Consumer Privacy Act (CCPA) also requires organizations to obtain explicit consent from minors for the processing of personal data belonging to them.
An opt-out consent regime does not require organizations to obtain the user’s consent prior to the collection and processing of their personal data. Instead, it allows users to take action to withdraw their consent to the processing of their personal data.
There are two main ways in which opt-out options are offered to the consumer. The first is known as a pre-emptive opt-out, in which a consumer can untick/uncheck a pre-selected checkbox or otherwise undo a confirmation to indicate their refusal of data processing. The second is referred to as consent withdrawal, where users are provided a clear option to withdraw their permission or change their preferences with respect to the treatment of their personal data.
An opt-out consent can be successfully implemented as follows:
The United States’ CCPA is based on an opt-out consent practice. Even though countries are increasingly becoming opt-in consent regimes due to users’ growing privacy concerns, countries like the United States, Australia, Hong Kong, and Switzerland still have opt-out consent requirements. Estonia, despite being part of the European Union, has not implemented opt-in consent and operates on an opt-out consent practice.
All consent rules applicable to the collection and processing of personal data apply equally to cookies and similar tracking and identification technologies. Therefore, organizations must take into consideration consent principles as per their respective consent regime before installing any tracking technology on the user’s terminal equipment and collecting users’ personal data.
Failure to comply with consent requirements may expose organizations to exorbitant fines and penalties. As a result, organizations are encouraged to be responsible custodians of their consumers’ data and implement the correct consent practice as per the applicable consent regime.
Through Securiti’s State of Global Consent Requirements, find out the consent requirements of more than 40 countries, including how consent is defined, consent as a lawful basis of data processing, and specific rules on cookies, and learn whether you should implement an opt-in or opt-out consent practice.
Securiti’s PrivacyOps approach enables organizations to comply with the applicable consent requirements using automatic scanning, auto-blocking, and preference center features. With the help of robotic automation and artificial intelligence, organizations can make cookie compliance a swift and simple process.