Opt-in Vs Opt-out Consent: How to Implement Each with CCPA & GDPR

We have both opt-in and opt-out consent practices in today’s data privacy regulations. The CCPA, for instance, is an opt-out consent practice. Consent is still largely opt-out despite growing privacy concerns in countries such as the United States, Switzerland, Hong Kong, and Australia. 

Opt-in vs Opt-Out Cookies 

Since the introduction of the e-Privacy Directive in the EU, cookie laws have become much stricter. Two of the most notable changes have been enabling opt-in and opt-out in cookie consent banners.

Opt-in consent requires websites to obtain explicit consent from users, whereas under opt-out consent cookies are treated as consented to by default unless the user denies the request or withdraws consent at a later time.

With the opt-out approach, non-essential cookies are active by default and only deactivated once a user opts out. To stay compliant, organizations must let users view the opt-out cookie consent banner first and only then drop the cookies.

Most data protection and cookie laws require websites to provide clear and accurate information about their cookie policy (including the necessary ones) and why they’re collecting cookies. The goal is to give users the ability to make informed decisions in opt-in and opt-out consent regimes.

Opt-In & Opt-out: When and How to Use 

Let’s take a detailed look at when to use opt-in and opt-out under leading data protection laws such as CCPA and GDPR.

Opt-Out under CCPA 

The California Consumer Privacy Act provides consumers with the right to opt-out and prevents businesses from selling their data. 

Companies complying with CCPA must have clearly defined policies and procedures to help consumers with their right to opt-out of the sale of their data. The CCPA requires businesses to have an option for users to click “Do Not Sell My Personal Information.” 

How Does Opt-Out Work in CCPA? 

Opt-out applies only to California consumers over the age of 16. Businesses must honor the consumer’s right to opt out unless the consumer consents to opt in to the sale of their personal information.

What Does CCPA’s Opt-Out Mean for Businesses? 

The CCPA applies to businesses that:

  • Have more than $25 million in annual revenue,
  • Have personal information on 50,000 people or households annually, or
  • Receive more than 50% of their revenue from the sale of personal information.

Businesses that meet these criteria and sell to California residents must comply with the CCPA. It grants California-based users the “right to opt-out” of the sale of their data (Section 1798.120(a) of the CCPA).

The CCPA also requires businesses to have opt-out banners visible on their website. Additionally, the company’s privacy policy must have a “Do Not Sell My Personal Information” section. 

Opt-In under GDPR 

GDPR has a global impact on all businesses that receive traffic from EU citizens, even if these businesses are located outside the EU. 

GDPR requires that users must have the option to enable cookies freely. Since multiple cookies exist, including advertising and analytics cookies, users must have different opt-in options for the different cookie categories.  

GDPR defines consent as “freely given, specific, informed and unambiguous” given by a “clear affirmative action.” Assigning consent by a lack of response or by pre-filling boxes is not permissible.

The information on a cookie banner must be easy to understand. The average person should easily understand the message; it should not read like the legal jargon that has become popular on Terms of Service and Privacy Policy pages.
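The opt-in and opt-out behaviours described above can be expressed as a small consent gate that a site checks before writing any cookie. This is an added example, not Adzapier's code; the category names, function names and the `source` field are illustrative assumptions, as is the choice to treat necessary cookies as always allowed.

```javascript
// Added example: all names below are illustrative assumptions.
const CATEGORIES = ["necessary", "analytics", "advertising"];

// Build the state a visitor starts with, before touching the banner.
function createConsent(regime) {
  if (regime !== "opt-in" && regime !== "opt-out") {
    throw new Error("unknown regime: " + regime);
  }
  const granted = {};
  for (const c of CATEGORIES) {
    // Opt-out: non-essential categories start enabled.
    // Opt-in: they start disabled until the user enables them.
    granted[c] = c === "necessary" || regime === "opt-out";
  }
  return { regime, granted, bannerShown: false, history: [] };
}

// Mark that the consent banner has been displayed to the visitor.
function showBanner(state) {
  state.bannerShown = true;
}

// Record one per-category decision. `source` is "click" for an explicit user
// action, or e.g. "default"/"timeout" for pre-filled boxes and inaction.
// Returns true if the decision was accepted and logged.
function recordChoice(state, category, allow, source) {
  if (!CATEGORIES.includes(category)) throw new Error("unknown category: " + category);
  if (category === "necessary") return false; // not user-configurable in this sketch
  // A grant must come from a clear affirmative action, never a default or silence.
  if (allow && source !== "click") return false;
  state.granted[category] = allow;
  state.history.push({ category, allow, source, at: new Date().toISOString() });
  return true;
}

// Gate to call before writing any cookie in the given category.
function canSetCookie(state, category) {
  if (category === "necessary") return true;
  // Even under opt-out, the banner must be shown before cookies are dropped.
  if (!state.bannerShown) return false;
  return state.granted[category] === true;
}
```

The `history` array gives each decision a timestamp and source, which is the record needed to show later how and when a given category was enabled or withdrawn.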

Opt-In in GDPR 

Opt-in under the GDPR applies to any organization operating within the EU and any organizations outside of the EU that offer goods or services to customers. In short, most large corporations need to comply with GDPR and provide an opt-in option. 

Cookie banners are an easy way to gain user consent. It doesn’t matter where the opt-in is on the page, but the information must be easily accessible, and it should not disrupt the user’s navigation experience.

How Does GDPR’s Opt-In Work for Businesses? 

Since the GDPR applies to all businesses and organizations established inside and outside the EU, regardless of whether the data processing takes place in the EU or not, the opt-in requirement applies to them. 

How Can Adzapier Help? 

Organizations must consider consent requirements before installing any tracking technology on the user’s equipment and collecting their data. 

Privacy concerns will emerge as new legislation is passed. Consumers are more careful with their data and will take extra measures to protect it.  

Consumers will expect more options from the brands they follow. Together, we can provide data privacy options that are best for both consumers  

Check out <<Marketers Guide to Data Privacy>> for more information.   
