Opt-in and opt-out are key concepts for complying with online data privacy laws. Each of these laws requires one approach or the other, so it’s important to understand the difference between opt-in and opt-out and how to implement each.
The concept itself isn’t too hard to understand.
“Opt-in” describes a system in which an affirmative action is required to subscribe a user to something, such as a newsletter list: the user must take an explicit step to indicate their willingness to be included.
Examples of opt-in regimes are the EU ePrivacy Directive, the General Data Protection Regulation (GDPR) and the Brazilian Lei Geral de Proteção de Dados Pessoais (LGPD).
Let’s take the GDPR as a reference. As we said, the GDPR uses an opt-in approach, and – when consent is needed – it must be “freely given, specific, informed and unambiguous”. That’s why the regulation specifically forbids pre-ticked boxes and similar opt-out mechanisms.
If you have a newsletter or send marketing emails, your users should actively subscribe, for example by entering their email address in a dedicated form or ticking a specific box. Never pre-select the boxes, and provide a separate checkbox for each consent you require. For example, you should not combine acceptance of your Terms and Conditions with consent to your newsletter: use two separate boxes.
The EU ePrivacy Directive also requires explicit opt-in consent before cookies are set. This is usually done via a cookie consent banner shown on the user’s first visit to your website. Without explicit consent, you may only use strictly necessary (technical) cookies.
On the other hand, opt-out means that a user can be included in something without prior consent, but you must provide them with an easy way out, so that they can object and be excluded at any time.
Examples of opt-out regimes are the California Consumer Privacy Act (CCPA) and the Swiss Federal Act on Data Protection (FADP), although both have exceptions where opt-in consent is required.
One common example of opt-out is the Unsubscribe link you can find at the bottom of newsletters.
Under certain regulations, like the US CAN-SPAM Act, you can send your users commercial emails without any prior action on their part. However, you must always provide an Unsubscribe link, so they can easily stop further communication if they wish to.
The unsubscribe option must be free of charge, must not require a login or any information beyond the email address, and opt-out requests must be honored within 10 business days.
Another example of opt-out is the ‘Do Not Sell or Share My Personal Information’ link required under California’s CCPA. Under the CCPA, a “sale” is broadly defined and includes any exchange of personal information for valuable consideration, not just monetary transactions. For example, the use of tracking cookies for advertising can be considered a sale.
The “Do Not Sell or Share My Personal Information” link should also come with a notice designed to inform consumers of their right to opt out of the sale and sharing of their personal data. It should be placed on your homepage and in your privacy policy.
The difference between opt-in and opt-out lies in the initial consent process. Opt-in requires proactive consent from the user, while opt-out assumes consent until the user withdraws it.
How you sign up your users for direct marketing, and the specific privacy disclosures you must provide, depend on where those individuals reside: the choice between opt-in and opt-out is driven by the location of your users.
If you’re targeting EU-based users, it’s safe to assume that you’ll need prior consent before any marketing activity (direct email marketing, newsletters, tracking cookies, etc.).
You may rely on the soft opt-in exemption instead of prior consent. Soft opt-in can apply when a user has provided their email address while purchasing a product or service from you. However, you must meet certain conditions:
On the other hand, if your users are based in the US, you can generally rely on opt-out mechanisms, such as the Unsubscribe or ‘Do Not Sell or Share My Personal Information’ links.
If your service is directed at children under the age of 13, you’ll always need verifiable consent from the child’s parents before collecting their personal information. This is a requirement of the Children’s Online Privacy Protection Act (COPPA), which applies throughout the United States.
Of course, these are just a few examples, and we recommend checking your law of reference before choosing between opt-in vs opt-out.
The first thing you need in order to opt your users in is a cookie consent banner: a notice displayed the first time a user visits your site, which lets them accept or reject cookies and manage their preferences by category. Under an opt-in regime, non-essential cookies and the scripts that set them must be blocked until the user accepts, not merely switched off after a rejection; if the user rejects, they must stay blocked.
iubenda helps you create a customizable cookie banner that automatically adapts its behavior to the location of your users. So if your users are based in the EU, it will apply an opt-in approach, while if they’re based in the US an opt-out one.
Here’s how to do it:
As previously mentioned, your forms must align with GDPR’s consent requirements: freely given, specific, informed, and unambiguous. Here’s how to do it:
Remember that it’s also essential to keep consent records (who consented, when, to what, and how the consent was obtained), so that you can demonstrate consent and track every opt-in and opt-out request.
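The following is an added example, not iubenda’s code, showing one way to implement the banner logic described above together with the consent records just mentioned: the visitor’s country selects the regime (opt-in for EU/EEA and Brazil, opt-out elsewhere; the country list is an assumption, as is the cookie name), non-essential scripts are shipped with `type="text/plain"` so the browser does not execute them, and they are only activated for the categories the stored consent record allows. The category names and the record layout are illustrative.

```javascript
// Added example (not iubenda's code): gate non-essential scripts on consent,
// applying opt-in for EU/EEA visitors and opt-out elsewhere.
const CATEGORIES = ['analytics', 'marketing'];
const CONSENT_COOKIE = 'consent_v1'; // assumed cookie name for the stored record

// Assumed mapping: EU/EEA countries and Brazil get opt-in (GDPR/ePrivacy/LGPD),
// everyone else opt-out. A real deployment would maintain this list per counsel.
const OPT_IN_COUNTRIES = new Set([
  'AT', 'BE', 'BG', 'HR', 'CY', 'CZ', 'DK', 'EE', 'FI', 'FR', 'DE', 'GR', 'HU', 'IE',
  'IT', 'LV', 'LT', 'LU', 'MT', 'NL', 'PL', 'PT', 'RO', 'SK', 'SI', 'ES', 'SE',
  'IS', 'LI', 'NO', 'BR',
]);

function regimeFor(countryCode) {
  return OPT_IN_COUNTRIES.has(countryCode) ? 'opt-in' : 'opt-out';
}

// State before the user interacts: nothing runs under opt-in, everything
// runs under opt-out (the user can still switch it off later).
function defaultConsent(regime) {
  const granted = regime === 'opt-out';
  return Object.fromEntries(CATEGORIES.map((c) => [c, granted]));
}

// The record to store client-side and copy server-side: what was granted,
// how (which banner action), under which regime, and when.
function consentRecord(regime, action, choices, now = new Date()) {
  return { version: 1, regime, action, choices, timestamp: now.toISOString() };
}

// Translate a banner action into a record. Unknown categories in `custom`
// are ignored and missing ones default to false (never to true).
function applyChoice(regime, action, custom = {}) {
  let choices;
  if (action === 'accept_all') choices = Object.fromEntries(CATEGORIES.map((c) => [c, true]));
  else if (action === 'reject_all') choices = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  else if (action === 'custom') choices = Object.fromEntries(CATEGORIES.map((c) => [c, custom[c] === true]));
  else throw new Error(`unknown consent action: ${action}`);
  return consentRecord(regime, action, choices);
}

// Decide which deferred scripts may run. A script with no category, or with
// a category not in the record, is treated as non-essential and stays blocked.
function allowedScripts(scripts, choices) {
  return scripts.filter((s) => s.category === 'necessary' || choices[s.category] === true);
}

// Serialise the record into a cookie string (SameSite and Secure so the
// consent cookie itself is not leaked cross-site).
function consentCookie(record, maxAgeSeconds = 180 * 24 * 3600) {
  const value = encodeURIComponent(JSON.stringify(record));
  return `${CONSENT_COOKIE}=${value}; Max-Age=${maxAgeSeconds}; Path=/; SameSite=Lax; Secure`;
}

// Browser wiring: non-essential tags are written as
//   <script type="text/plain" data-category="marketing" src="..."></script>
// so they never execute on their own; activation clones each permitted tag
// as a real script. Returns how many were activated (0 when there is no DOM).
function activateScripts(choices, doc = typeof document !== 'undefined' ? document : null) {
  if (!doc) return 0;
  let activated = 0;
  for (const node of Array.from(doc.querySelectorAll('script[type="text/plain"][data-category]'))) {
    if (choices[node.dataset.category] !== true) continue;
    const live = doc.createElement('script');
    for (const { name, value } of Array.from(node.attributes)) {
      if (name !== 'type') live.setAttribute(name, value);
    }
    live.textContent = node.textContent;
    node.replaceWith(live);
    activated += 1;
  }
  return activated;
}
```

On a page, call `defaultConsent(regimeFor(country))` before the banner is answered, persist the result of `applyChoice` with `consentCookie`, and run `activateScripts` once on load and again whenever the user changes their preferences. The opt-out default means a US visitor’s marketing scripts activate immediately; an EU visitor’s do not until `accept_all` or a `custom` choice is recorded.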
Adding an Unsubscribe link to your newsletter is quite simple because most email marketing platforms provide an automated way to include it.
If you want to do it manually, you first need to create a page where your users will land once they click on the link. Then you need to add the link to the footer of your emails.
The link should take users to the landing page and let them opt out without logging in again or supplying any additional information. Because there is no login, bind the link to the recipient with a per-address signed token rather than a bare email parameter; otherwise anyone who can guess an address can unsubscribe it.
Newsletters and email lists are key elements of a marketing strategy, but they need to be managed correctly. iubenda can help!
Our Newsletter Opt-in Booster is the perfect tool to make subscribing to your newsletter easy, while keeping your consent and opt-ins up to date.
Here’s how it works:
If the CCPA applies to you, you must provide, among others, a “Do Not Sell or Share My Personal Information” link. This link is typically placed in the footer of a website so that your users can opt out at any time.
iubenda helps you create your “Do Not Sell or Share My Personal Information” disclosure in no time!