Laws like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and HIPAA, all center around economic theories of data privacy and result in mandates for businesses on having their users opt-in or opt-out of certain data collection and processing activities.
In this post, you have access to an easy framework for understanding the meanings of opt-in and opt-out policies, and actionable tips for how to implement each method and keep your business on the right side of the law.
In order to understand when to implement opt-in measures and when to defer to opt-out measures, it’s important to first understand the difference between the two methods and what each seeks to accomplish.
With data privacy in general, the way consent is utilized (or not) is key! In the case of opting-in, users take action affirming their consent. An opt-in measure dictates that organizations obtain explicit consent from the user before collecting and processing their personal data.
The most common way businesses implement opt-in methods is through checkboxes. For example, when presented with a checkbox, the user must take action to check the box, which denotes their consent. Opting in can be used in a variety of situations, including subscribing to email and newsletter mailing lists, accepting cookie use, and agreeing to legal policies.
Often times this can be seen when the user opts in to receiving “news, offers, style tips, and other promotional materials” from the company. By filling out the form with their personal data (name, phone number, and email address), the user can choose to opt-in for email marketing content.
The action of Opting-out is the inverse of opting-in. In this case, users withdraw consent from an organization to use their data.
With opting-out, an assumption has been made that the user is okay with their data being collected and used but still offers an opportunity for the user to indicate they are not interested in the activity a company presents to them, therefore withdrawing their consent.
The most common forms of opt-out policies appear via checkboxes and unsubscribe links through email marketing. With checkboxes, the boxes appear pre-checked and the user has to unselect them. Similarly, a user may receive information or messages that they did not opt-in to (e.g. an email appeared in their inbox), but they can then choose to opt-out (unsubscribe). If you have an email inbox or have displayed interest in receiving any promotional material chances are you’re familiar with these practices. For businesses, it’s best practice to always include an opt-out mechanism for email marketing.
Now that you have a grasp on the differences between opt-in and opt-out measures, it’s time to evaluate when to use one versus the other. Each policy offers its own functionality and both are necessary for complying with certain aspects of privacy law.
Using opt-in is a smart choice for safeguarding any legal policies such as terms & conditions or privacy policies. Allowing the user to opt-in to these policies ensures they have truly given their consent and read the necessary text, securing the actual policy in play.
Certain laws dictate the use of opt-in mechanisms. Now we’ll touch on a few specific laws, the GDPR and LGPD, and what these laws mandate in regards to opt-in or opt-out.
The General Data Protection Regulation (GDPR) mandates businesses receive user consent to their privacy policies through affirmative action before collecting any of the user’s personal data. GDPR has widespread implications for all businesses that receive traffic from EU citizens, even if these businesses are located outside the EU.
Using opt-in measures to ensure privacy law compliance works well when implementing a consent banner. With consent banners, a user is directed away from the basic content visually, steered towards a banner that requires consent before proceeding (e.g. terms and conditions when installing an update) or before continuing to browse (app tracking).
The data protection law of Brazil, known as the Lei Geral de Proteção de Dados Pessoais (or LGPD), enacted in 2020 affects how websites are allowed to track users in Brazil. The law is greatly influenced by the EU’s GDPR.
The LGPD requires businesses to:
For consent to be valid under the LGPD, a consumer must actively confirm their consent by ticking an unchecked opt-in box or clicking an “accept” button.
GDPR and LGPD both also include regulations for garnering consent from minors and those who hold parental responsibility for a child. With LGPD, 13-18 year olds can provide consent, assuming the processing of their personal data is done in their best interest.
The big takeaway for businesses cooperating with both laws is that children should be addressed in a clear, age-appropriate language they are sure to understand. Where a child’s data is concerned, transparency and accountability are paramount, especially when children are accessing online services.
Opt-Out measures are commonly used under the California Consumer Privacy Act (CCPA). The law gives consumers the right to opt out and prevent businesses from selling their personal information. CCPA applies to all businesses that make over $25 million in annual revenue, contain over 50,000 users’ data, or earn more than 50% of their revenue from data sales.
Complying with the CCPA demands that companies have clearly defined policies and procedures in place to empower consumers to have the clear information they need opt out of the sale of their data. Mandatory requirements for compliance often look like a business’s website having a button or a link reading “Do Not Sell My Personal Information.”
Like the GDPR and LGPD, complying with CCPA also requires certain actions when dealing with minors. Opt-out compliance applies to California consumers ages 16 or older, making it required for businesses to enable the consumer’s right to opt-out (unless the minor willingly decides to opt-in to the sale of their personal information through a consent banner).
Knowing the basic requirements of data privacy laws is essential when businesses want to avoid big fees and penalties. The laws are important, but so are the actual rights of the consumer. Your business’s brand and ethical standards are reflected in how you treat customers. Giving customers control over their information is good for your business and good for the consumer.
Once gaining an understanding of these laws, implementing best practices and strategies for when to use opt-in or opt-out policies is the next step. Certain circumstances lend themselves better to one method versus the other.
The abundance of acronyms and complicated legislation can be reduced to the commitment to your customers, honoring their right to give and withdraw their consent in how the company uses their personal information. At the end of the day, it’s likely a combo of both opt-in and opt-out measures will meet your needs.
"Accountable allowed us to quickly establish Core Compliance with HIPAA as well as a firm foundation for our Security Program." - Michael H.
