Opt-In and Opt-Out: Consent Management For Global Readiness
To meet users’ rising expectations for data privacy, teams must first understand the basic frameworks for consent management. Different regulations apply distinct approaches to user consent, and growing companies in 2021 need to understand both approaches.
Privacy Champions Need Top-Tier Consent Management
Few companies in 2021 would claim that their main goal is to just get by when it comes to respecting users’ data privacy. Being a privacy champion is more important than ever, because strong privacy fosters user trust. User trust is increasingly important to successful business. Three-quarters of consumers prioritize brand trust over price in their purchasing decisions. To respect privacy, you need to build trust. And to build trust, you need to put consent management at the core of your company’s data processing operations.
The consent process is an inherently user-facing piece of your team’s privacy ops. Teams must balance an easy-to-understand consent process for your users with detailed regulatory requirements. One of the first steps in becoming a champion for user consent is understanding the basic approaches to consent: opt-in and opt-out.
Here, we give a primer that breaks down these two general approaches to consent in today’s regulations.
Understanding the Basics of Consent
Before diving into the two approaches to acquiring user consent, it’s important to recognize the legal basics for consent. In data privacy laws across the globe, consent is typically required to be informed, specific, and freely given. That is, users must be appropriately educated on the specific processing activities they are willingly consenting to. Any consent acquired through coercion or ambiguous, vague terms would constitute improper consent. Importantly, the consent violation in that case is on the requesting company, not the user.
Those violations can be costly for businesses: of the 14 largest GDPR fines between January 2020 and January 2021, 6 of them involved consent violations. GDPR authorities categorize consent violations as one of the more severe violations, punishable with a fine of up to €20 million or 4% of annual revenue, whichever is the greater amount.
With this baseline of proper consent in mind, we explore the basic approaches to obtaining user consent:
Contrasting Opt-In and Opt-Out
Under some regulations, a company needs the user to actively indicate “Yes, I consent to this data processing” in order to proceed with the processing activity. The company only receives consent when the user provides it. This approach is called opt-in.
Under other regulations, a company proceeds with the processing activity unless the user actively indicates “No, I do not consent to this data processing.” The company receives consent unless the user withholds it. This approach is called opt-out.
The distinction can seem subtle, but understanding the difference is crucial to building data systems that comply with today’s leading data privacy regulations.
When approaching a privacy regulation, it can be useful to ask: “if a user does nothing, can a company proceed with data processing?” If the answer is yes, then it’s opt-out; if no, then it’s opt-in.
Let’s see how today’s regulations compare in their approaches to user consent.
Comparing Consent Across Privacy Regulations
The European Union’s General Data Protection Regulation (GDPR) follows the opt-in approach to consent for any processing of personal data. Brazil’s Lei Geral Proteção de Dados (LGPD) also follows an opt-in approach.
State-level privacy regulations in the United States generally use an opt-out consent framework. California’s CCPA and Virginia’s CDPA require users to opt out of personal data sales. The CCPA explicitly requires that websites include a “Do Not Sell My Personal Information” link on their homepages, which will take users to the opt-out function. The CDPA also includes opt-out rights for automated targeted advertising and user profiling.
However, US regulations feature opt-in consent in predefined circumstances. On a federal level, the Children’s Online Privacy Protection Act (COPPA) follows the opt-in approach. State legislation in recent years has applied this same spirit in processing of children’s data. The CCPA takes an opt-in approach with the selling of children’s data, and the CDPA requires opt-in consent for any processing activity applied to children’s data.
Looking to the future, a mix of opt-in and opt-out approaches are on the horizon. Like GDPR and LGPD, India’s draft Personal Data Protection (PDP) bill uses the opt-in framework for user consent. The recently approved CPRA, California’s successor to the CCPA, expands opt-out rights to automated decision-making. Draft legislation in numerous other states like Washington generally uses the opt-out framework.
The Upshot for Consent Management Platforms
Opt-in or opt-out, it is vital for companies to design consent processes that are straightforward to users and compliant with the relevant regulations. Consent management platforms might need to fine-tune their operations according to specific laws. However, teams can make significant progress toward global privacy readiness with a few steps:
No matter a user’s state or country of residence, their consent process should be informed and accessible. Everyday users should be able to understand why you are requesting their consent, and your request should cover all of the intended use cases. In a nutshell, users deserve to know what they’re signing up for, and your website should clearly indicate where they can express their consent choices.
Have dedicated opt-in and opt-out functions. The present landscape is a mix of opt-in and opt-out, mirrored in the legislation coming down the pipeline. Whether it’s a “Do Not Sell My Information” opt-out feature for Californian users or an unambiguous opt-in feature for EU users, teams should be ready to accommodate consent requests of both forms.
A business cannot freely choose whether they want to implement opt-in or opt-out consent. The decision on which framework(s) are required comes from the relevant regulations. In the eyes of the law, opt-in and opt-out are not interchangeable.
Making Consent Scalable and Simple for Users
Despite the legal nuances of consent – which are central to compliance ops – the concept of a consent request is straightforward for companies and users alike. It is a request for a user’s informed and clear agreement to data processing. Each layer of legal and technical detail is a build on this simple consent requirement. Users will appreciate a consent management platform that makes privacy terms understandable and consent requests simple across regulatory frameworks. Empowering users to exercise their legal rights in data transfers is an invaluable investment in growing a trustworthy brand.