
Opt-in Vs Opt-out Consent: How to Implement Each with CCPA & GDPR

Updated: Jun 6, 2023


The data world is already complex. Now lawmakers have added a web of provisions to global data privacy laws that makes it hard for businesses to understand what those laws actually require.

Stringent data privacy laws like the General Data Protection Regulation (GDPR) and the California Privacy Rights Act (CPRA) have many intricacies that you need to understand to improve your business compliance.

Today we'll look at the opt-in and opt-out consent models, how exactly a business obtains the user's consent, and how companies can lose large sums of money if they don't pay attention to these little details.

Opt-in and Opt-out: The what's, how's, whys, and when's!

Businesses can only make a strategic plan for the company if they figure out the minor details that create the foundation for a business's success. In the same way, a business needs to understand the little but significant details to become fully compliant with data privacy. And for this, we first need to figure out what Opt-in and Opt-out are and how they function.

Are you still learning the ins and outs of cookie consent? Please read our Cookie consent: A Marketer's Guide to thrive everything you need to know about cookies and other tracking technologies.

Understanding Opt-in:

Opt-in consent is when a user takes affirmative action in response to a request from a business asking for their consent.

Opt-ins are used for cookie consent through cookie banners, for joining a newsletter mailing list in email marketing, for subscribing to bell notifications, for agreeing to terms and conditions, and much more.

So, a business implements an opt-in consent model, most commonly through a checkbox. The user must tick the checkbox, which denotes the user's consent.

Understanding Opt-out:

Opt-out is when a user doesn't take affirmative action or withdraws their consent.

There are two methods of opt-out consent. One is pre-emptive opt-out, in which the user unchecks a pre-marked checkbox or undoes their confirmation to show that they are not interested in the products and services.

The other method is consent withdrawal, in which the user withdraws consent they had already given or changes some preferences. For example, a user signed up for a newsletter but no longer wants to receive any further notifications, or wants to keep receiving the marketing newsletter but not the sales one.

Companies let users change their data or preferences via a preference manager. Many companies also provide an "unsubscribe" link in the footer of an email.

An unsubscribe link is mandatory if you send commercial emails to U.S. residents. The practice is regulated by the rules of the CAN-SPAM Act, the Controlling the Assault of Non-Solicited Pornography and Marketing Act of 2003.

Know what cookies your website uses with our free cookie consent scanning tool.

When & How to Use Opt-In

The answer depends on how well you know your business's data processing system. It's also crucial to understand which data privacy laws you will be dealing with. These factors will guide you toward a holistic compliance strategy that gives you an edge over your competitors.

GDPR: Opt-in or Opt-out?

GDPR has a global impact on all businesses that receive traffic from E.U. citizens, even if these businesses are located outside the E.U.

GDPR requires that users must have the option to enable cookies freely. Since multiple cookies exist, including advertising and analytics cookies, users must have different opt-in options for the different cookie categories.

GDPR defines consent as "freely given, specific, informed and unambiguous" by a "clear affirmative action." Inferring consent from a lack of response or from pre-filled boxes is not permissible.

The information on a cookie banner must be easy to understand. The average person should be able to follow the message easily, without the legal jargon that has become common on Terms of Service and Privacy Policy pages.

Opt-In in GDPR

Opt-in under the GDPR applies to any organization operating within the E.U. and any organization outside of the E.U. that offers goods or services to customers there. In short, most large corporations need to comply with GDPR and provide an opt-in option. Any business that collects or processes data of E.U. citizens must comply with GDPR by using an opt-in model of consent for the user.

Under this regulation, companies that collect the data of E.U. citizens must base that data collection on one of the following bases:

  1. User consent

  2. Legitimate interests

  3. Contractual necessity

  4. Vital interest of the user

  5. Legal obligation

  6. Public interest

GDPR also outlines a special category of data types in Article 9, for which businesses must request explicit consent from the user before collecting and processing the data. They are:

  1. Racial or ethnic origin

  2. Political opinions

  3. Religious or philosophical beliefs

  4. Trade union membership

  5. Genetic data

  6. Biometric data

  7. Health data

  8. Sex life or sexual orientation

Cookie banners are an easy way to gain user consent. It doesn't matter where the opt-in is on the page, but the information must be easily accessible. And it should maintain the user's navigation experience.

Apart from that, it's best to get consent to legal policies — like terms and conditions and privacy policies — through user opt-in.

To do this, add links to the privacy policy and the terms and conditions policy to your consent banner. That way, as soon as a user visits your website, the consent banner can not only ask for consent but also give a detailed explanation of how cookies are used and why consent is being requested.

The whole point of GDPR is to give E.U. citizens enough control and motivation to consent to your business's request by taking affirmative action rather than being coerced to do so with dark practice, as Meta did.

Summing up GDPR: What you need to do

Since the GDPR applies to all businesses and organizations established inside and outside the E.U., the opt-in requirement applies to them regardless of where in the world the data processing takes place.

Noncompliance with these GDPR conditions will attract hefty fines for your business, as it did for Amazon: seven hundred forty-six million euros in July 2021. You can't afford that!

If your business is targeting E.U. citizens, then the Opt-in consent model is what you need. Period!

Our helpful "Startup: Guide to GDPR compliance in 2023" will tell you everything you need to make GDPR happy.

CCPA: Opt-in or Opt-out?

Opt-Out under CCPA

The California Consumer Privacy Act allows consumers to opt out and prevent businesses from selling their data.

Companies complying with CCPA must have clearly defined policies and procedures to help consumers with their right to opt out of the sale of their data. The CCPA requires businesses to have an option for users to click "Do Not Sell My Personal Information."

How Does Opt-Out Work in CCPA?

Opt-out applies only to California consumers over the age of 16. Businesses must honor the consumer's right to opt out unless the consumer consents to opt in to the sale of their personal information.

What Does CCPA's Opt-Out Mean for Businesses?

The CCPA applies to businesses having:

  1. More than $25 million in annual revenue,

  2. Personal information on 50,000 people or households annually, or

  3. More than 50% of their income from the sale of personal information.

Businesses that meet these criteria and sell to California residents must comply with the CCPA. It grants California-based users the "right to opt out" of the sale of their data (Section 1798.120 (a) of CCPA).

The CCPA also requires businesses to have opt-out banners visible on their website. The company's privacy policy must also have a "Do Not Sell My Personal Information" section.

Caution!! Minors ahead.

Though CCPA doesn't require you to get explicit consent, this changes when the user is a minor.

Section 1798.120 (c) of the CCPA states:

A business shall not sell or share the personal information of consumers if the business has actual knowledge that the consumer is less than 16 years of age, unless the consumer, in the case of consumers at least 13 years of age and less than 16 years of age, or the consumer's parent or guardian, in the case of consumers who are less than 13 years of age, has affirmatively authorized the sale or sharing of the consumer's personal information.

This means a business must use the opt-in consent model if the user visiting the website is less than 16. You can do this by having a cookie consent banner or a pop-up that gets triggered every time a minor visits your website. Leave the boxes unchecked so that a minor can give their "authorized affirmation" to the use of a cookie for data collection, and specify its purpose. Also, keep in mind that, for minors, the banner or pop-up should be implemented at the entry point of your data collection.

The new and fierce amendment to this California law is the California Privacy Rights Act, which already has businesses on their toes and will be enforced from July 2023. Under CPRA, companies who violate the cookie consent law, even unintentionally, will be fined $2,500 and can be charged up to $7,500 per violation if necessary.

Also, read our "California Privacy Rights Act: CPRA Compliance Game Plan" guide to make your business super-compliant with the U.S.'s strictest privacy law.

Not done yet! Other uses of Opt-in and Opt-out

GDPR and CCPA have their own requirements for businesses to implement opt-ins and opt-outs, but here we'll take a broader, more in-depth look at how different scenarios use the opt-in and opt-out models of consent.

Do you Want More Targeted Emailing Lists?

While most businesses think of the opt-in consent model as something that works best for compliance, they have little idea of how effective it can be for their marketing strategy.

Users who opt-in are already interested in receiving emails regarding your products and services. This gives you an advantage over others as you know your audience better and can devise a marketing strategy catering to that audience. Also, it helps you to optimize your email campaigns, getting you better CTRs.

As for how to install email marketing opt-ins, Neil Patel lists some of the best spots on your site to include email marketing opt-ins.

You Send Marketing Emails

Under the CAN-SPAM Act, which is enforced by the Federal Trade Commission (FTC), businesses must include an opt-out "unsubscribe" link at the bottom of marketing emails that promote or advertise their products and services.

To comply with CAN-SPAM, your marketing emails must have the following:

  1. An easily understandable and visible "unsubscribe" link that works

  2. Accurate and relevant "from" lines and subject lines

  3. A verified and visible physical address

All three of these elements are visible in the sample above. If a user sends you an unsubscribe request, you must unsubscribe them within ten days.

You Use Analytics Platforms

If your website uses an analytics tracking platform such as Google Analytics or Bing analytics, then under the California Consumer Privacy Act (CCPA) in the U.S. and the E.U.'s Data Protection Directive it is compulsory to include an opt-out consent model in your privacy policy for users who don't want you to collect and process their personal data.

Even Google Analytics states in their Terms of Service that you need to post a privacy policy that explains to your users how you will use cookies to collect data for analytics. You must disclose your use of Google Analytics and how you'll be collecting and processing data by including a prominent link to a page explaining how Google uses the data it contains.

Want full compliance: Opt-in for Adzapier

If your business wants to thrive in 2023 and beyond and build a trustable brand for your customers, you must know all about compliance.

I know. Compliance is complex. But don't worry. Adzapier makes it too easy for you.

Adzapier's cookie consent management will see that you provide the best to your customer while providing you with the best compliance.

Whether GDPR, CCPA, VCDPA, or any other primary Data privacy law, we have personalized cookie consent banners that fit your brand and tell your story.

Apart from that, it has a geo-tagging feature that first analyzes your user's location and presents cookies according to the data privacy law active in the region.

One of the essential tools in Adzapier's CMP is Auto cookie blocking. It does not deploy non-necessary cookies unless the user has consented to their use, which keeps you in GDPR's good books.

Privacy concerns will emerge as new legislation is passed. Consumers are more careful with their data and will take extra measures to protect it.

Get a competitive edge and drive sales by complying with privacy laws only with Adzapier. Contact one of our privacy experts today to schedule a demo and see how easy it is to get your business in compliance.
