What Is Opt-In and Opt-Out and How to Do It Right
Until the mid-2010s, there were almost no comprehensive laws protecting digital privacy for anyone except children, and even those laws were few and far between.
This lack of government oversight gave industries almost no motivation to create best practices governing what types of data could be collected or how it could be used. While there were a few outliers, businesses generally assumed more was, well, more, and often collected more consumer data than they needed or could protect.
The rise of e-commerce and ad targeting technologies made consumer data the most valuable currency of the modern economy. And if history has taught us anything, it’s that bad guys can’t resist the currency du jour. Like pirates who hoarded treasure and outlaws who robbed trains, hackers started attacking everyone from major international corporations to regional companies to neighborhood businesses.
Add on top of that the misuse and sharing of data, and it’s easy to see why it became critical to put in place modern era privacy laws.
The birth of digital privacy law
This surge of consumer outrage and government activism resulted in the first comprehensive privacy regulation, the European Union’s General Data Protection Regulation (GDPR). Passed in 2016 and effective in 2018, it completely changed the data privacy landscape for companies that operate in or collect information from residents of the EU.
The GDPR established regulatory obligations for all member countries, but so far the United States has opted for a sectoral approach, with laws for different sectors such as health (HIPPA), finance (GLBA) and email (CAN-SPAM). With no national framework, there has instead been a morph into a patchwork approach on a state-by-state basis.
With the California Consumer Privacy Act (CCPA), California was the first state in the U.S. to pass a comprehensive data privacy law. Virginia and Colorado followed suit this year, and a record number of state-level data privacy bills were introduced in 2021 legislative sessions.
What is consent?
Very little in privacy is straightforward, and that’s especially true when it comes to consent. Getting consent to collect an individual’s information doesn’t necessarily give a company the right to use or sell that information—unless that’s been clearly specified to the individual that’s how the data is going to be used.
Building an effective consumer privacy program requires obtaining consent for the collecting, processing, selling or sharing, and storing of individuals’ personal data as well as for when and how you contact them.
Most countries require opt-in consent, but U.S. laws are more commonly centered on an opt-out model.
Yes, please! (How opt-in consent works)
Opt-in consent, the strictest of all consent requirements, is considered the gold standard of digital privacy best practices because it puts the burden of managing consent squarely on data processors. Additionally, opt-in policies institutionalize and standardize privacy practices, giving all users fundamental protections online.
Under opt-in laws, a user must take clear, affirmative action consenting to the collection or data processing of their information. This obligation can be satisfied in several ways, including:
- Giving users the opportunity to consent to the processing of their personal information, using clear and plain language
- Placing unmarked checkboxes on your website so users can choose whether their data is processed or sold (Note: because they don’t require users to actively agree to anything, pre-ticked checkboxes don’t meet the requirements of opt-in laws)
- Using a cookie consent manager that allows users to accept or deny consent for specific categories of cookies
Most privacy laws with opt-in consent also stipulate that individuals who opt-in have a permanent and easily accessible way to withdraw their consent at any time.
No, thank you. (What opt-out consent looks like)
Unlike opt-in frameworks, opt-out consent requirements make individual users responsible for protecting their personal information and managing how companies use it.
Opt-out systems default to giving companies the right to collect and process personal information as long as they have both notified users of their privacy practices and given them opt-out options.
In practice, this looks like those pre-ticked boxes that say “Yes! I agree to receive information about XYZ’s new cat-cleaning products, as well as emails from all of their partner companies.” Unless a customer removes the checkmark, the company and its vendors can pretty much do whatever they want with the data, from sending marketing emails every five minutes to selling your email addresses to the highest bidder.
Consent isn’t as black and white as it seems
Here’s the tricky part: consent is absolute, but it’s also layered. Consenting to cookies isn’t the same as consenting to receiving marketing emails, and consenting to either isn’t the same as consenting to the sale of personal data.
The type of consent needed depends on the governing regulations, but there are five general categories of consent:
- Notice only (e.g. simply notifying users that tracking cookies are active on your site)
- Implied consent (aka soft opt-in, meaning users are notified about privacy practices but continue using the site/make a purchase without activating any opt-out options)
- Explicit consent (user gives clear, unambiguous consent for their data to be used in a certain way)
- Mixed consent (exactly what it sounds like: this model employs notice only, implied, and explicit consent options depending on the function, i.e., notice only for strictly necessary cookies, implied consent for performance cookies, and explicit consent for advertising cookies)
- Do not track/sell/share Under a pre-existing California law, websites need to disclose if they honor a browser’s “do not track” feature. If you sell data or share it with a third party, that could be considered a sale under California law—meaning you need to give individuals the option to opt out. To make it easier, there are ad industry self-regulatory frameworks that allow users to opt out of advertising and analytics, like aboutads.info.
The secret sauce that fixes everything
Whether your business needs to implement opt-in or opt-out consent policies, you must understand the type of consent needed to set cookies on your website, send marketing emails, process data, and sell data.
As privacy consultants who excel at helping businesses develop compliant but practical consent solutions, we know that both opt-in and opt-out processes have enough in common that the steps for setting up both are basically the same.
According to OneTrust and our years of experience, these steps are:
- Know your obligations
Not only do you need to understand which privacy regulations your business is subject
to on a local, national, and even global level, but you also need to be aware of industry
regulations (think HIPAA or the Gramm-Leach-Bliley Act) and vendor or customer
- Understand your risks
Conducting a risk analysis will show you where your data is at risk. Poor vendor
cybersecurity practices, lax internal permissions protocols, overaggressive data
collection processes, or non-compliant marketing programs all expose your business to
possible fines, breaches, and reputational damage.
- Map your data
A data map, also known as a data inventory, documents the flow of data as it travels through your company. Several privacy laws mandate that businesses have a lawful basis for collecting information, and a data inventory will tell you what you’re collecting and from whom, why and how you’re collecting it, and where and how long you’re storing it.
Mapping your data is the best, fastest way to understand your data at a granular level,
which makes getting compliant much, much easier.
- Create a privacy-first culture
An opt-in or opt-out program won’t work if the people at your company—from the CEO to
front-line employees—don't understand and believe in it. A privacy-first culture means
every department plays a role in your privacy program and that privacy
training is a regular part of staff meetings, company newsletters, and marketing
- Set up individual rights requests processes
Virtually all privacy laws give individuals the right to change their opt-in/opt-out status,
correct inaccurate information that’s been collected, or delete their information from a
company’s database through a process known as an individual rights request.
It’s important to have efficient processes and clear lines of communication set up
company-wide so you can meet the strictly mandated timelines for responding to and
resolving a user’s request.
Consider building a preference center
A preference center is a page on your website or in your app that allows users to opt-in or opt-out of marketing communications, the sharing or sale of personal information, and even cookies quickly and easily. It’s one of the easiest ways to quickly get compliant.
Opt-in to our consulting services
At Red Clover Advisors, we have the experience and knowledge necessary to help you achieve your brand’s goals of becoming a privacy-friendly company that is compliant with privacy regulations and best practices. Give us a call today to see what we can do for you.