Blog | Clym

Opt-In vs Opt-Out Consent Explained for Data Privacy

Written by Alex Margau | 20 December 2023

In this article we are discussing opt-in and opt-out consent and how businesses can balance user privacy with data collection needs. Under various data privacy laws, including California’s Consumer Privacy Act (CCPA), companies must navigate the complexities of obtaining clear and explicit consent (opt-in) or offering straightforward methods for users to decline data processing (opt-out). This demands a detailed understanding of the legal requirements for consent mechanisms, often necessitating a significant adjustment in how they engage with users and manage data, adding operational challenges. 

Clym assists businesses in this area by providing a consent management tool (CMP) that simplifies the management of opt-in and opt-out consents, facilitating compliance with data privacy laws while maintaining user engagement and data collection efficiency, and easing the burden posed by operational complexities associated with consent management. 

Five years ago, when the GDPR went into force, the world of data privacy changed forever. Individuals, residents of the European Union, referred to as ‘data subjects’, and individuals in the United States, referred to as ‘consumers’, found that they had more control than ever over the way their personal information was collected, processed, or shared with third parties. Then, in 2020, the California Consumer Privacy Act (CCPA) became effective, setting the tone across the US for 13 more consumer privacy laws being passed - at the time of the writing of this article - and several others in development or discussion. 

This irreversible change revolves around the concept of ‘consent’ and the way this is expressed, either via an ‘opt-in’ or an ‘opt-out’ action on the part of the individual. You may have seen our Data Privacy Glossary, where we define some of the key terms found in data privacy jargon across the globe, but if you’re not yet sure what all of these mean, here is a refresher and a lengthier explanation of what opt-in and opt-out mean in data privacy. 

 

But first … 

 

What is Consent in Data Privacy? 

 

According to Article 4 of the GDPR, consent means that  an individual has freely given a specific, informed, and clear indication of their wishes to agree to the processing of their personal data. 

Similarly, the CCPA defines  consent as the consumer's clear indication of their wishes to have their personal information processed. To be considered valid, consent has to be freely given, specific, informed, and unambiguous indication of the consumer’s wishes, provided by the consumer, or the consumer’s legal guardian. For a business to use personal information, the consumer must give a clear agreement for a specific purpose. An agreement to use general, broad terms of use, as well as hovering over, muting, pausing, or closing the message cannot be considered as a signification of a valid consent. Same applies to a consent obtained through use of deceptive design or dark patterns

 

 

 

To put it simply, consent is only valid if:  

  • It relies on an action performed by an individual;
  • It is given towards clear and transparent terms of data collection and processing, explained in understandable to individuals language; 
  • It is not forced on individuals via the use of dark patterns

 

Despite the differences between the various data privacy regulations currently in force, there is a consensus as to what consent is. Some of the most common instances where consent has to be obtained include placing cookies or other similar trackers on data subjects’ devices, obtaining data subjects’ consent in regards to legal policies, when asking data subjects to subscribe to promotional or marketing emails, or when data subjects register with an organization’s website and/or mobile app and have to agree to the organization’s terms, conditions, and policies. 

For a business, the means that obtaining consent will depend on several factors: the location of the data subjects interacting with the business and its website, the data privacy laws applicable to the business in question, and the type(s) of personal information that the business collects and processes, i.e. sensitive personal information.

Consent by Jurisdiction

Let’s walk through some of the major legislation currently on the books. The table below outlines consent obligations, specifically for websites, for CCPA, GDPR, and LGPD:

Regulation Consent and Response Obligations
CCPA – California – Assumes consumers to have provided consent for data to be collected, and organizations must provide an easy opt-out process for consumers to restrict processing.
– Requires businesses to have a “Do Not Sell My Personal Information” or “Do Not Sell My Info” link on websites, giving consumers the right to opt out from the selling and/or disclosing of their personal information.
– CCPA’s definition of “sale” applies to the exchange for value of all consumer information, including sharing personal data captured by cookies and other tracking technologies with third parties.
GDPR – Europe + UK – Requires businesses to prompt consumers to “accept” cookies and other tracking technologies before progressing on a website. Without a consumer’s explicit consent, businesses can’t collect or share their data.
– For consent to be valid under GDPR, a consumer must actively confirm their consent, such as by ticking an unchecked opt-in box.
– Data subjects may request that a controller restrict any type of data processing of personal data if:

  1. The data subject contests the accuracy of the personal data.
  2. The processing is unlawful, but the data subject agrees to restriction.
  3. The controller no longer needs the personal data for processing, but data are required by the data subject to establish or exercise a legal claim or defense.
  4. The data subject has objected to processing pending verification of whether the controller can process on other legal grounds.
LGPD – Brazil – Requires businesses to prompt consumers to “accept” cookies and other tracking technologies before progressing on a website. Consent must be a “free, informed and unambiguous manifestation whereby the data subject agrees to her/his processing of personal data for a given purpose”.
– For consent to be valid under LGPD, a consumer must actively confirm their consent, such as by ticking an unchecked opt-in box.

 

What does “Opt-In” Mean? 

 

The action of opt-in, or “to opt-in”, means the  indication of a data subject’s consent towards the processing of their personal information. This could mean provision of consent for any type of personal information collection or processing, for example, subscribing an email to receive newsletters/emails, or accepting cookies. 

What this means is that when a data subject provides their opt-in consent they actually give active permission to an organization to collect, process, and (if that is the case) even share their personal information for a set of specific purposes disclosed to them prior to their opt-in action. 

However, it is important to note that opt-in in data privacy means also the following: 

  • Affirmative Action: the data subject actively participated by proactively ticking a box, signing a form, clicking a button, etc. to indicate agreement;
  • Transparency: the data subject received all the relevant information related to the way their data would be used, in clear language that is easy to understand, which included the reasons for data collection, the means of data processing, the period of retention, and the details of the parties who would have access to the data;
  • Granular Consent: the data subject must have a choice and be in control of what they choose to provide to organizations and which data processing activities they are willing to consent to, i.e. consenting to receiving marketing emails but refusing consent for third party data sharing.

Let’s look at an example.

Dropbox, the cloud storage company, makes use of an opt-in model. When users create a new account, it asks them to click on a button called “Agree and sign up,” signalling their consent to the business’ terms and conditions: 

 

Another example of opt-in is Spotify, the music streaming service, which asks users who create an account with them to tick a box signaling that they consent to have their data shared with Spotify’s content providers for marketing purposes, which could mean that the personal information the user provided may be shared with a third party: 

 



What does “Opt-Out” Mean? 

 

The action of opt-out is the indication of a data subject’s refusal or withdrawal of consent as regards the processing of their personal information. Opt-out in data privacy can refer either to an action performed by the data subject to indication of a  refusal of consent, as well as a withdrawal of previously given consent. 

What this means is that when a data subject expresses their opt-out they actively deny consent for the collection, processing and sharing of all or parts of their personal information, or that they withdraw consent after previously performing an opt-in action with regards to their personal information. For example, a data subject may deny consent for the use of cookies that are non-essential, which means only functional cookies will be allowed on a user’s device. This is seen as a pre-emptive opt-out and it would require that the data subject untick/uncheck a checkbox that has been checked by default, or perform any other type of action which would undo an assumed confirmation. We’ve outlined the difference between cookies in our two part guide on cookies which you can find here and here

Another example is where a data subject may refuse to consent to the collection of their personal information for the purposes of targeted advertising right at the start of their interaction with an organization’s website, or they may submit a request for withdrawing their consent at a later date, through the emerging authorized agents, such as UOOMs (Universal Opt-Out Mechanisms), which are already recognized by several of the United States’ consumer privacy laws. The best example for this is California’s CCPA, which mandates that covered entities have to display a link on their website called “Do Not Sell or Share My Personal Information,” which has to lead data subjects to a page where they can opt out of selling or sharing their personal information with third parties.  

Looking at a specific example, used solely for illustrative purposes, if a user creates an account with an organization, and sees both boxes already checked, they have two options: to go ahead and click on “Continue” or first uncheck the second box related to receiving product and data privacy regulation updates, in effect performing an opt-out. While the first box requires an opt-in for the user to be able to create an account, the second box does not and is instead a great example of an opt-out. 

 

 

Opt-In, Opt-Out, and Cookies

 

As we mentioned earlier in this article, one example of opt-in in data privacy is agreeing to cookies. 

Cookies are small files of information that are generated by a web server and sent to the device of the user (web browser, phone, etc.) where they are stored either for a set amount of time or for the duration of the browsing session of the user, and are used to track users' behavior on a website, analyze their activity, help deliver targeted content, ensure security, and do many more useful things to keep a website running, such as keeping the items you picked in your shopping cart. Cookies can be classified as first party, third party, essential, non-essential, and so on, and we have made it easy for you to understand the differences between these in our two part guide on cookies which you can find here and here

When we speak of cookies in the context of opt-in or opt-out in data privacy, some data protection laws, such as e-Privacy Directive, or CCPA, require that  data subjects should be asked for their freely given, specific, informed, and unambiguous consent for the use of cookies in their browsing session. By accepting all cookies a data subject will opt-in to the placing of cookies on their device. However, a data subject may deny consent for the use of non-essential cookies that are not necessary for a website to perform accurately or not directly related to the provision of services, such as cookies used for analytics or advertisement, for example.

Some regulations may allow cookie placement without a consent, in which case individuals should be granted the right to object or opt-out. Denying consent to the use of marketing cookies requires the unticking/unchecking of checkboxes by the data subject when all the boxes for all types of cookies are set to ticked/checked by default. 

Collecting users’ consent for the use of cookies is done nowadays through the use of Consent Management Platforms, or CMPs, which are technologies that allow organizations to automate their cookie consent management and facilitate compliance with various data privacy laws around the world. A CMP that complies with data privacy regulations will take a load off the shoulders of organizations by informing data subjects who visit their website about the types of data that will be collected and the purposes for collection, they will keep a record of consents obtained from data subjects and will offer data subjects a means to submit data subjects requests, or DSRs, about the data that has been collected, such as a request for access or for the deletion of the data.

To help make this easier to understand, we’ve explained what a CMP is at length here.

In the case of cookies, an opt-in would look like this: 

When accessing www.clym.io a data subject located in the European Union, and this protected by the GDPR, would see this compliance widget which asks them to confirm which cookies they wish to allow. Data subjects then have the option to Reject All (opt-out of all cookies, except essential cookies), Accept all (opt-in to all cookies, including non-essential cookies such as those for advertising purposes), or configure their cookie choices, opting in to having certain cookies placed on their device, and opting out of having other types of cookies placed.

 

So let’s sum up. 

  • Opt-in and opt-out refer to providing or withholding consent for personal information to be collected, processed, and shared. Opt-in means giving affirmative consent, while opt-out means actively withdrawing or denying consent.
  • Consent in data privacy is an unambiguous and freely given permission provided by an individual to collect, process, or share their personal information, for example, to subscribe their email to newsletters or accept cookies.
  • Privacy laws may require obtaining prior consent (opt in) from individuals to place cookies or denying consent (opt out) when individuals visit the website. 
  • Consent collection can be automated or managed with the use of a Consent Management Platform, also referred to as CMP. 
  • Not having a CMP on the website or using a configuration not set by requirements applicable to your business legislation may result in significant penalties due to violation of data privacy laws. 



How can Clym help?

 

 

 

Clym believes in striking a balance between digital compliance and your business needs, which is why we offer businesses the following:

  • All-in-one platform: One interface combining Privacy and Accessibility compliance with global regulations, at an affordable price;
  • Seamless integration into your website;
  • Adaptability to your users’ location and applicable regulation;
  • Customizable branding;
  • ReadyCompliance™: Covering 30+ data privacy regulations;
  • Six preconfigured accessibility profiles, as well as 25+ display adjustments that allow visitors to customise their individual experience.

You can convince yourself and see Clym in action by booking a demo or reaching out to us to discuss your specific needs today.