Opt In vs Opt Out

It's all about giving or withholding consent, isn't it? Most major privacy laws worldwide, such as California's Consumer Privacy Act (CCPA) or Europe's General Data Protection Regulation (GDPR), now demand that companies ensure that customers either opt-in or opt-out of specific data collection and processing efforts.

It's important to note that practices regarding both opt-ins and opt-outs have changed over time. For instance, it used to be acceptable to gain consent from a customer through opt-out consent.

In other words, as long as your customer didn't actively decline to, say, accept your marketing communications, then your company was free to assume that you had the customer's permission to send them emails, newsletters, etc.

You still had to provide a means of opting out, such as an unsubscribe link, but the customer didn't have to opt in explicitly.

Now, however, in the EU, courts have ruled that companies cannot assume that they have gained consent just because a customer hasn't opted out. Thus, opt-outs are no longer a valid means of acquiring consent.

Instead, customers must use an active, affirmative action or "opt-in" to signify their acceptance of marketing communications and other activities, such as data collection.

With that said, privacy requirements in different geographic areas vary. Yet, keeping your business compliant with major legislation is essential.

In this article, we'll discuss opt-in and opt-out specifics. We'll go over their differences, when and how to use them, and what you should implement to ensure your company remains legally compliant.

The Difference Between Opt-ins and Opt-outs

Before taking steps to install either an opt-in or an opt-out modality, you have to understand the difference between them. You also need to know what each aims to achieve.

The Meaning of "Opt-in"

The Merriam-Webster dictionary's definition of opt-in is "to choose to do or be involved in something." For our purposes, it means that your customers choose to give their consent through affirmative action.

One typical way that companies use to acquire customer consent or get them to opt in is through the use of checkboxes, such as on a clickwrap agreement. When customers are presented with the agreement, they must choose whether or not to give consent by taking action. They must tick the checkbox, which signifies their consent.

Another common way of opting in is through the use of a form. The customer has to provide their contact information, etc., and then agree to the terms of a Privacy Policy. (Newer forms usually include a clickwrap agreement near the submit button.)

As you can see in the case that follows, when the customer first sees the form and the clickwrap agreement, the boxes are not checked. This allows your customers to make a conscious choice as to whether they will opt-in or not.

The Meaning of "Opt-out"

The Merriam-Webster dictionary's definition of opt-out is "to choose not to participate in something." For our purposes, it means an action your customers can take to withdraw their consent.

There are two primary methods to offer your customers a way to choose not to participate in your data collection activities. The first is by providing a clickwrap agreement that has its box already checked.

By unchecking that box, your customers indicate that they are withdrawing their consent from your data collection efforts (or whatever other activity you've put before them).

The second method of presenting an opt-out to your customers is to give them an opt-out link. That link takes them to a preference manager where they can indicate that they don't consent to whatever activity you're informing them about.

For example, your customers might be taken to a preferences manager where they can choose to click an unsubscribe link, which would then automatically remove them from your system.

How and When to Use Opt-ins

Now, obviously, the most significant difference between opt-ins and opt-outs is that one allows your customers to signify acceptance and consent. At the same time, the other denotes explicit rejection of whatever it is you're asking from them.

You need to know when and where to use these mechanisms. Various situations call for different strategies, and each of these mechanisms has its place when it comes to privacy law adherence.

When Doing Business With EU Residents

If you mention data collection and outline how you go about it in your Privacy Policy, then you should probably use an opt-in. In fact, it's a best practice to make sure you get explicit consent to all of your legal policies, such as your Privacy Policy and Terms and Conditions.

That's true even if you don't do business in Europe, which still has the strictest privacy law to date. The EU's GDPR requires companies to get explicit consent to their Privacy Policies before those businesses can begin collecting private, personal data in some cases.

For example, if you collect the personal information of EU residents, it has to be done on a specific legal basis, one of which is consent:

  • Public interest
  • Legal obligation
  • Vital interest of the user
  • Contractual necessity
  • Legitimate interests
  • User consent

Now, some businesses might argue that they have a legitimate interest when it comes to data collection and user consent isn't necessary. However, there are some categories of personal information for which you must absolutely gain explicit user consent.

If you collect any of the following types of personal data, gaining explicit consent to do so is required by the GDPR:

  • Political opinions
  • Racial or ethnic origins
  • Religious or philosophical beliefs
  • Genetic data
  • Biometric data
  • Health data
  • Sexual orientation
  • Trade union membership

The best option for doing that is by providing the user with an opt-in method. If you fail to do that, you could be found liable and have to pay significant fees. As Computer Weekly reported, France imposed gigantic penalties on Google in 2019 for "failure to obtain valid consent."

When Selling the Data of California Minors

While it's not considered quite as exacting as the GDPR, California's CCPA requires explicit consent for the sale of personal information that belongs to a California minor.

Here too, the best way to get customers under 16 years of age to "affirmatively authorize" or give explicit consent for you to sell their data is through the use of a user opt-in at the data collection point of entry.

An example of this might be a pop-up notice that appears on a company's sign-up page if a user indicates they're under 16 years old by entering their age on a form. On the pop-up, as with clickwrap agreements, there should be an unchecked box.

The users can provide explicit consent by checking that box.

How and When to Use Opt-outs

You should offer your customers the choice to opt out if they reside in California. One of the things the CCPA grants is the right of California residents to opt-out of having their data sold.

Specifically, the CCPA states:

"A consumer shall have the right, at any time, to direct a business that sells personal information about the consumer to third parties not to sell the consumer's personal information. This right may be referred to as the right to opt-out."

To ensure complete compliance with this section of the CCPA, companies need to make the opt-out available to their customers through a link on their homepage and their Privacy Policy.

The link must read as follows: "Do Not Sell My Personal Information."

When You Collect Data from EU Residents

Just as you have to acquire explicit consent from customers in the EU before collecting their data, you also have to provide them with a means of withdrawing that consent.

Remember that your customers have the right to say "no" to having their data collected at any time, even if they explicitly gave you permission in the past.

You can give them a way to opt out by providing them with a link where they can submit an opt-out request or by giving them a contact point.

When You Send Marketing Emails

As previously mentioned, a common way of allowing customers to opt-out of your marketing communications is through the use of an unsubscribe link in the footer of all emails.

Actually, the truth is that when it comes to email communications, it's considered a best practice to acquire consent through the use of an opt-in method and to also provide recipients with a way to opt-out any time they wish, through the use of an opt-out (unsubscribe) link.

Using both an opt-in and an opt-out method covers most bases.

When You Use Cookies

If you use cookies for advertising or analysis, you must provide your customers with a way to reject cookies or withdraw previously given permission.

As previously mentioned, cookie consent banners are the most common method used to allow opt-outs in this situation.

Here's another quick example from The Guardian that has a banner which allows users to opt out by clicking a button to manage cookie preferences:

The Guardian cookie consent notice with manage my cookies button highlighted


There are circumstances where using an opt-in method is more appropriate than using an opt-out method, and vice versa. However, because privacy laws aren't the same everywhere, it's a best practice to adhere as much as possible with the strictest legislation out there. By default, in most cases, you'll be complying with the others.

It's not just about complying with the law, though. It's also about respecting your customers by giving them more control over the privacy of their personal information.

What it all means for your company is that if you want to respect your customers and follow the law as closely as possible, you should employ both opt-ins and opt-outs in every situation where they may apply.

It's not overly complicated. Just remember that if you provide your customers with the choice to give consent, you must also give them a way to withdraw it.