Opt In vs Opt Out Consent: What’s the Difference?
With the growing use of technology and businesses collecting more and more personal data, a rapid emergence of data privacy laws and regulations can be observed around the world. Today, most global privacy laws require organizations to rely on users' consent, and to respect their choices, for the collection and processing of their personal data online. As the world becomes more digital, consent requirements are only expected to become stricter. When it comes to relying on the user's consent as a lawful basis for data processing, most global privacy laws can be classified as either opt-in or opt-out consent regimes.
Let’s look at both kinds of consent regimes, their examples, and how organizations can implement consent practices as per respective jurisdictional requirements.
Opt-in consent
An opt-in consent regime requires organizations to obtain explicit consent from the user before collecting and processing their personal data. Consent here means an affirmative action taken by the user that indicates their agreement to the processing of their personal data; inaction, silence or a pre-selected default does not count.
An opt-in consent can be successfully implemented as follows:
- Process users’ personal data only once their consent has been obtained,
- Ask users to either accept or reject the use of cookies by giving equal prominence to the "accept" and "reject" options on the consent banner,
- Provide sufficient information to users about why their personal data will be collected and what it will be used for,
- Allow individual cookie category selection based on the purposes of cookies, and
- Do not use dark patterns to obtain the user's consent, such as pre-ticked checkboxes or cookie walls.
The European Union’s General Data Protection Regulation (GDPR) serves as a prime example of an opt-in consent regime requiring the users’ consent to be freely given, specific, informed, and an unambiguous indication of the user’s wishes with respect to the treatment of their personal data.
In addition to the European Union, other examples of opt-in consent regimes include Brazil, Canada, Chile, Colombia, India, Mexico, Morocco, Malaysia, South Africa, South Korea, Japan, Taiwan, and the United Kingdom. The United States' California Consumer Privacy Act (CCPA), although an opt-out law in general, also requires businesses to obtain affirmative (opt-in) authorization before selling the personal information of consumers under 16 years of age, from the minor themselves if aged 13 to 15 and from a parent or guardian if younger.
Opt-out consent
An opt-out consent regime does not require organizations to obtain the user's consent prior to the collection and processing of their personal data. Instead, processing is permitted by default and users must be given a way to take action and withdraw their consent to the processing of their personal data.
There are two main ways in which opt-out options are offered to the consumer. The first is known as a pre-emptive opt-out, in which the consumer unticks a pre-selected checkbox or otherwise undoes a default confirmation in order to refuse data processing. The second is consent withdrawal, in which users are given a clear option to withdraw their permission or change their preferences with respect to the treatment of their personal data at any later time.
An opt-out consent can be successfully implemented as follows:
- Display a "Do Not Sell My Personal Information" button or link on the website's homepage as well as in the privacy policy, enabling users to opt out of the sale and sharing of their personal data,
- Provide sufficient information to users about the categories of personal data to be collected and their purposes including the sensitive personal data and their purposes,
- Inform users whether their personal data is sold or shared, and how long the organization intends to retain each category of personal data or, if that cannot be determined in advance, the criteria used to set the retention period, and
- Do not use dark patterns, such as making the "opt-out" or "Do Not Sell My Personal Information" option too inconspicuous for the user to notice on the webpage.
The United States' CCPA is based on an opt-out consent practice. Even though countries are increasingly moving to opt-in consent regimes in response to users' growing privacy concerns, countries such as the United States, Australia, Hong Kong, and Switzerland still have opt-out consent requirements. Estonia, despite being part of the European Union, has not implemented opt-in consent and works on an opt-out consent practice.
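The practical difference between the two regimes described above comes down to the default state of each cookie category and to what is allowed to flip it. The following consent gate, written here as an added example and not code from the Securiti post or its products, models both regimes for the opt-in checklist (process nothing non-essential until an affirmative action, reject pre-ticked defaults, per-category selection) and the opt-out checklist (everything on by default, withdrawal always honoured). The category names, tracker names and the `"user-click"` source label are constructed for illustration; a real banner would feed its click handlers into `recordChoice` and only inject script tags for trackers that `gateTrackers` returns as allowed.

```javascript
// Added example, not code from the Securiti post: a minimal consent gate that
// models the opt-in / opt-out difference per cookie category and decides
// whether a tracking script may run. Category and tracker names below are
// constructed for illustration.

const NECESSARY = "necessary"; // strictly necessary cookies need no consent

// Initial state for a regime. Opt-in: only strictly necessary cookies run
// until the user affirmatively agrees. Opt-out: non-essential categories are
// on by default and stay on until the user withdraws.
function createConsentState(regime, categories) {
  if (regime !== "opt-in" && regime !== "opt-out") {
    throw new Error(`unknown regime: ${regime}`);
  }
  const choices = {};
  for (const c of categories) {
    choices[c] = c === NECESSARY ? true : regime === "opt-out";
  }
  return { regime, choices, decidedByUser: false, history: [] };
}

// Record a banner interaction. `action` is "accept", "reject" or "custom"
// (with `selected` listing the ticked categories). Only an explicit user
// action counts: a pre-ticked box, a timeout or a scroll event is refused,
// so none of them can ever switch a category on.
function recordChoice(state, { action, selected = [], source }) {
  if (source !== "user-click") {
    throw new Error(`consent requires an affirmative user action, got "${source}"`);
  }
  const choices = { ...state.choices };
  for (const c of Object.keys(choices)) {
    if (c === NECESSARY) continue;
    if (action === "accept") choices[c] = true;
    else if (action === "reject") choices[c] = false;
    else if (action === "custom") choices[c] = selected.includes(c);
    else throw new Error(`unknown action: ${action}`);
  }
  const history = [...state.history, { action, selected, at: Date.now() }];
  return { ...state, choices, decidedByUser: true, history };
}

// Consent withdrawal: identical in both regimes and always honoured,
// including for categories that were on by default under opt-out.
function withdraw(state, category) {
  if (category === NECESSARY || !(category in state.choices)) {
    throw new Error(`cannot withdraw consent for "${category}"`);
  }
  const choices = { ...state.choices, [category]: false };
  const history = [...state.history, { action: "withdraw", selected: [category], at: Date.now() }];
  return { ...state, choices, history };
}

// The gate each tracker passes before it may set cookies or read storage on
// the user's device. Default-deny: an unknown category is blocked.
function mayRun(state, category) {
  if (category === NECESSARY) return true;
  return state.choices[category] === true;
}

// Split a tracker inventory into those allowed to load and those that must
// stay blocked (no script tag inserted, no cookie written).
function gateTrackers(state, trackers) {
  const allowed = [];
  const blocked = [];
  for (const t of trackers) {
    (mayRun(state, t.category) ? allowed : blocked).push(t.name);
  }
  return { allowed, blocked };
}

// Constructed sample inventory of what the page would like to load.
const SAMPLE_CATEGORIES = [NECESSARY, "analytics", "marketing"];
const SAMPLE_TRACKERS = [
  { name: "session-cookie", category: NECESSARY },
  { name: "analytics.js", category: "analytics" },
  { name: "ads-pixel.js", category: "marketing" },
];

// Walk both regimes through the same user journey and return the decisions.
function demo() {
  let optIn = createConsentState("opt-in", SAMPLE_CATEGORIES);
  const optInBefore = gateTrackers(optIn, SAMPLE_TRACKERS); // only necessary
  optIn = recordChoice(optIn, { action: "custom", selected: ["analytics"], source: "user-click" });
  const optInAfter = gateTrackers(optIn, SAMPLE_TRACKERS); // + analytics

  let optOut = createConsentState("opt-out", SAMPLE_CATEGORIES);
  const optOutBefore = gateTrackers(optOut, SAMPLE_TRACKERS); // everything
  optOut = withdraw(optOut, "marketing");
  const optOutAfter = gateTrackers(optOut, SAMPLE_TRACKERS); // marketing blocked

  return { optInBefore, optInAfter, optOutBefore, optOutAfter };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two design points carry the legal distinction into code: the regime only ever sets the *default* of each category, and the only path that can turn a category on is `recordChoice` with a source the banner asserts was a real click, so a pre-ticked checkbox or an implied consent on scroll is rejected rather than silently accepted. Persisting `history` (for example in a first-party cookie or server-side record) gives the audit trail a regulator would ask for when checking that consent was actually obtained before a tracker ran.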
How can Securiti help?
All consent rules applicable to the collection and processing of personal data apply equally to cookies and similar tracking and identification technologies. Therefore, organizations must take into consideration consent principles as per their respective consent regime before installing any tracking technology on the user’s terminal equipment and collecting users’ personal data.
Failure to comply with consent requirements may expose organizations to exorbitant amounts of fines and penalties. As a result, organizations are encouraged to be responsible custodians of their consumers’ data and implement the correct consent practice as per the applicable consent regime.
Through Securiti’s State of Global Consent Requirements, find out consent requirements of more than 40 countries including how consent is defined, consent as a lawful basis of data processing, specific rules on cookies, and learn whether you should implement opt-in or opt-out consent practice.
The Securiti’s PrivacyOps approach enables organizations to comply with the applicable consent requirements using automatic scanning, auto-blocking, and preference center features. With the help of robotic automation and artificial intelligence, organizations can make cookie compliance a swift and simple process.
Originally posted here: https://securiti.ai/blog/opt-in-vs-opt-out/