What Are Opt-in And Opt-out?
Opt-in is an affirmative action of giving/seeking user consent.
Now and then, you must have seen websites asking you to tick checkboxes. That is one example of opt-in. You can register your consent to their request by ticking the box if you wish.
Opt-out is an action of users refusing/withdrawing consent in response to a particular event or process.
What about cookies?
The arrival of the EU Cookie Law and GDPR has only tightened the laws around cookies, making opt-in and opt-out two of the most important measures for compliance.
Opt-in for cookies is simple – ask the users who visit your website for consent to store cookies on their device. And opt-out means rejecting the request or withdrawing the consent later at any time they wish.
One of the major decisions around consent for cookies was firmly established by the CJEU Planet49 judgment.
The judgment stated that users' opt-in obtained through pre-ticked checkboxes is no longer valid. Also, you cannot bundle multiple consent requests as one. They should be kept separate. The third point of the judgment said that users must be aware of all the details about the cookies and what consenting to their use will mean. Knowledge of such information will make the decision easy and clear for them.
Opt-in and opt-out on cookies are generally implemented using cookie consent banners/pop-ups.
Here is one example of a cookie consent banner, where you can see both opt-in and opt-out options:
You can read more about the cookies banner and its requirements here.
In this article, however, we will focus on when opt-in and opt-out must be used and how.
When and How To Implement Opt-in and Opt-out?
Let’s look at some cases where you should use opt-in or opt-out options and how to implement each of them.
When and how to use opt-in
When: You collect personal data (including the special categories of data) of people in the EU based on one of these lawful bases:
- Contractual Obligation
- Legal Obligation
- Legitimate Interest
- Vital Interest
- Public Interest
How: To ask for consent, you can choose one of these opt-in methods:
- paper form;
- opt-in boxes, on paper or electronically;
- opt-in buttons or links;
- yes/no options;
- technical settings or preference dashboard settings;
- emails requesting consent;
- oral consent requests;
- volunteering optional information for a specific purpose.
You need explicit consent from users in such a case. A simple and clear opt-in option must be provided to them.
How: The opt-in option here can be implemented using cookies consent banners.
When: You collect personal data from minors.
If you need to collect personal data from minors, you need parental consent.
How: Obtain parental consent using any of the opt-in methods mentioned above.
When: You require email addresses for newsletters and marketing purposes.
Often, you may require users' email addresses to send newsletters or marketing emails. You must seek their permission before storing the email addresses in your database.
How: Some of the ways you can implement the opt-in options are:
- Checkboxes at the end of forms
- Website footer
- First email (note that unless they opt in to the subscription, you cannot send any more emails)
- On blog posts
When and how to use opt-out
When: You use personal data (including the special category of data) of people in the EU for various purposes (lawful bases).
Users have the right to refuse permission to collect or process their data if they see fit. You are supposed to temporarily terminate the processing of data or delete the data in such cases.
How: A contact point or link to submit consent opt-out requests.
Users must be able to withdraw or reject the usage of cookies if they see fit.
How: Cookie banners must have a reject option, or a link to manage cookies where users can choose which types of cookies they do not want stored on their device.
When: You email newsletters and promotional content to your users.
If at any point users no longer want to receive such content at their email addresses, they should be able to unsubscribe.
How: Include an easily accessible unsubscribe link in the emails themselves or on the website for users to use.
Most of the time, it is wise to have both options, giving more control to the users. And that is precisely what data protection laws like GDPR aim to do.