Opt-In vs Opt-Out: What’s the Difference?

Opt-in and opt-out are key concepts when it comes to complying with online data privacy laws. Many of these laws can either require an opt-in or opt-out approach, so it’s important to understand the difference between opt-in vs opt-out and how to implement them.

Opt-in vs Opt-out

The concept itself isn’t too hard to understand.

Opt-in meaning

“Opt-in” describes a process in which an affirmative action is required to subscribe a user to something, such as a newsletter list. In an opt-in system, explicit action is needed from the user to indicate their willingness to be included.

Examples of opt-in systems are the EU ePrivacy Directive, the General Data Protection Regulation (GDPR), or the Brazilian Lei Geral de Proteção de Dados Pessoais (LGPD).

Examples of opt-in

Let’s take the GDPR as a reference. As we said, the GDPR uses an opt-in approach, and – when consent is needed – it must be “freely given, specific, informed and unambiguous”. That’s why the regulation specifically forbids pre-ticked boxes and similar opt-out mechanisms.

Newsletter and Marketing Emails

If you have a newsletter or send marketing emails, your users should either enter their email addresses or check a specific box to receive them. Remember not to pre-select the boxes, and have a checkbox for each specific consent you require. For example, you should not combine consent for your Terms and Conditions and your newsletter. You may use two separate boxes.

Cookie consent

The EU ePrivacy Directive also requires explicit opt-in consent to install cookies. This is usually done via a cookie consent banner, which is shown on the user’s first visit to your website. Without explicit consent, you may only use technical cookies.

Opt-out meaning

On the other hand, opt-out means that a user can be included in something without prior consent, but you need to provide them with an easy way out. So, users can withdraw their consent at any time.

Examples of opt-out systems are the California Consumer Privacy Act (CCPA) and the Swiss Federal Act on Data Protection (FADP), even though there are some exceptions when opt-in consent is required.

Examples of opt-out

Unsubscribe link

One common example of opt-out is the Unsubscribe link you can find at the bottom of newsletters.

Under certain regulations, like the US CAN-SPAM Act, you can send your users commercial emails without the need for any action on their part. However, you must always provide them with an Unsubscribe link, so they can easily stop any further communication if they wish to.

The unsubscribe option should be free, not require a login process, and be honored within 10 days.

Do Not Sell or Share My Personal Information Link

Another example of opt-out is the ‘Do Not Sell or Share My Personal Information’ link required under California’s CCPA. Under the CCPA, a “sale” is broadly defined and includes any exchange of personal information for valuable consideration, not just monetary transactions. For example, the use of tracking cookies for advertising can be considered a sale.

The “Do Not Sell or Share My Personal Information” link should also come with a notice designed to inform consumers of their right to opt out of the sale and sharing of their personal data. It should be placed on your homepage and in your privacy policy.

What’s the difference between opt-in and opt-out?

The difference between opt-in and opt-out lies in the initial consent process. Opt-in requires proactive consent from the user, while opt-out assumes consent until the user withdraws it.

How you sign up your users for direct marketing, and the specific privacy disclosures you must provide, depends on where these individuals reside.

When are opt-in and opt-out needed?

As we said in the previous paragraph, the choice between opt-in and opt-out depends on the location of your users.

If you’re targeting EU-based users, it’s safe to assume that you’ll need to get consent from your users before any marketing activity (direct email marketing, newsletters, use of tracking cookies, etc.).

⚠️ Exception

You could bypass the need for prior consent in the case of soft opt-in. Soft opt-in can occur when a user has provided their email address while purchasing a product or service from you. However, you must meet certain conditions:

  • the email address is collected during a sales process on your site;
  • you inform your customer that you use emails in this way (via a notice on the sales page or in your privacy policy);
  • the user has not opted out of being contacted;
  • your future promotional emails are related to products and services similar to those originally purchased; and
  • the products/services you intend to promote are your own (not third-party).

On the other hand, if your users are based in the US, you can generally rely on opt-out mechanisms, such as the Unsubscribe or ‘Do Not Sell or Share My Personal Information’ links.

⚠️ Exception

If you’re targeting children under the age of 13, you’ll always need prior consent from the child’s parents before processing their personal information. This is a requirement of the Children’s Online Privacy Protection Act (COPPA), which applies throughout the United States.

Of course, these are just a few examples, and we recommend checking your law of reference before choosing between opt-in and opt-out.

How to implement opt-in and opt-out

Cookie Consent Banner

The first thing you need to opt your users in is a cookie consent banner. A cookie banner is a notice displayed to users the first time they visit your site. It allows users to accept or reject cookies and to manage their preferences. If a user rejects cookies, you need to block those cookies from running.

Create a cookie banner with iubenda

iubenda helps you create a customizable cookie banner that automatically adapts its behavior to the location of your users. If your users are based in the EU, it will apply an opt-in approach; if they’re based in the US, it will apply an opt-out approach.

Here’s how to do it:

  1. Start the configuration and answer a few questions. Our Generator will automatically apply the best configuration for you.
  2. Customize the look of your cookie banner to match your brand.
  3. Add it to your website, and you’re done!

Make your forms GDPR-compliant

As previously mentioned, your forms must align with GDPR’s consent requirements: freely given, specific, informed, and unambiguous. Here’s how to do it:

  • Use clear and straightforward language.
  • Avoid pre-ticked checkboxes.
  • Separate different consent requests.
  • Make it easy to withdraw consent.

Remember that it’s also essential to keep consent records to track all opt-in and opt-out requests.
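As an added illustration (not iubenda's code), the sketch below keeps an append-only consent log with one record per purpose and derives whether a purpose may run from the latest record, falling back to the opt-in or opt-out default when the user has made no choice yet. The `ConsentLedger` class, the purpose names and the region mapping are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Assumed mapping for this sketch, following the page's EU/US split.
REGIME_BY_REGION = {"EU": "opt-in", "US": "opt-out"}


@dataclass(frozen=True)
class ConsentEvent:
    user_id: str
    purpose: str   # one event per purpose, so consents are never bundled
    granted: bool
    source: str    # where the choice was made, e.g. "cookie-banner"
    at: datetime


class ConsentLedger:
    """Append-only consent log; current status comes from the latest event."""

    def __init__(self):
        self._events = []

    def record(self, user_id, purpose, granted, source):
        event = ConsentEvent(user_id, purpose, granted, source,
                             datetime.now(timezone.utc))
        self._events.append(event)  # never overwrite: changes stay auditable
        return event

    def history(self, user_id):
        return [e for e in self._events if e.user_id == user_id]

    def is_allowed(self, user_id, purpose, region):
        if purpose == "technical":
            return True  # technical cookies do not depend on consent
        for event in reversed(self._events):
            if event.user_id == user_id and event.purpose == purpose:
                return event.granted  # an explicit choice always wins
        # No choice recorded yet: opt-in blocks by default, opt-out allows.
        # Unknown regions fall back to opt-in (assumption: fail closed).
        return REGIME_BY_REGION.get(region, "opt-in") == "opt-out"


if __name__ == "__main__":
    ledger = ConsentLedger()
    print(ledger.is_allowed("u1", "marketing", "EU"))   # blocked until consent
    ledger.record("u1", "marketing", True, "cookie-banner")
    print(ledger.is_allowed("u1", "marketing", "EU"))   # allowed after opt-in
    ledger.record("u1", "marketing", False, "preferences-page")
    print([(e.purpose, e.granted, e.source) for e in ledger.history("u1")])
```

Call `is_allowed` on the server before setting any non-technical cookie or sending a marketing email, so a withdrawal takes effect on the next request.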

Unsubscribe link

Adding an Unsubscribe link to your newsletter is quite simple because most email marketing platforms provide an automated way to include it.

If you want to do it manually, you first need to create a page where your users will land once they click on the link. Then you need to add the link to the footer of your emails.

The link should redirect your users to the landing page and allow them to opt out, without the need to log in again or add any additional information.
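A link that works without a login still has to prove which subscriber it belongs to, otherwise anyone could unsubscribe arbitrary addresses by editing the URL. The added example below (not iubenda's code) signs the list and address with an HMAC and verifies the signature on the landing page; the key, the URL and the function names are placeholders chosen for the example.

```python
import base64
import hashlib
import hmac

# Placeholder key for the example: load the real one from a secret store.
SECRET_KEY = b"constructed-demo-key-not-for-production"


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def unb64url(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_unsubscribe_token(email, list_id, key=SECRET_KEY):
    # list_id must not contain ":" because it is used as the separator.
    payload = f"{list_id}:{email.strip().lower()}".encode()
    tag = hmac.new(key, payload, hashlib.sha256).digest()
    return f"{b64url(payload)}.{b64url(tag)}"


def verify_unsubscribe_token(token, key=SECRET_KEY):
    """Return (list_id, email) for an authentic token, otherwise None."""
    try:
        payload_b64, tag_b64 = token.split(".")
        payload, tag = unb64url(payload_b64), unb64url(tag_b64)
    except ValueError:  # wrong shape or bad base64 (binascii.Error)
        return None
    expected = hmac.new(key, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time comparison
        return None
    list_id, _, email = payload.decode().partition(":")
    return list_id, email


def unsubscribe_url(email, list_id, base="https://example.com/unsubscribe"):
    # The token is the only parameter: no login and no extra form fields.
    return f"{base}?t={make_unsubscribe_token(email, list_id)}"


if __name__ == "__main__":
    url = unsubscribe_url("alice@example.com", "newsletter")
    print(url)
    print(verify_unsubscribe_token(url.split("?t=", 1)[1]))
```

The token carries no expiry here, on the assumption that links in old emails should keep working; rotate the key if it is ever exposed.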

Manage your newsletters with iubenda

Newsletters and email lists are key elements of a marketing strategy, but they need to be managed correctly. iubenda can help!

Our Newsletter Opt-in Booster is the perfect tool to make subscribing to your newsletter easy, while keeping your consent and opt-ins up to date.

Here’s how it works:

  1. Create your customizable form and add it to your website.
  2. Every time a new user signs up, a consent record is automatically created.
  3. Easily keep track of all opt-ins and opt-outs: the solution records any changes to the consent status.

Do Not Sell or Share My Personal Information Link

If the CCPA applies to you, you must provide, among other things, a “Do Not Sell or Share My Personal Information” link. This link is typically placed in the footer of a website so that your users can opt out at any time.

Add your DNSOSMPI link with iubenda

iubenda helps you create your DNSOSMPI disclosure in no time!

  1. Go to the Privacy and Cookie Policy Generator and create a privacy policy that includes CCPA disclosures.
  2. Add your notice at collection through the Privacy Controls and Cookie Solution. Our solution will also help you manage all the opt-out requests you receive.
