To meet users’ rising expectations for data privacy, teams must first understand the basic frameworks for consent management. Different regulations apply distinct approaches to user consent, and growing companies in 2021 need to understand both approaches.
Few companies in 2021 would claim that their main goal is to just get by when it comes to respecting users’ data privacy. Being a privacy champion is more important than ever, because strong privacy fosters user trust. User trust is increasingly important to successful business. Three-quarters of consumers prioritize brand trust over price in their purchasing decisions. To respect privacy, you need to build trust. And to build trust, you need to put consent management at the core of your company’s data processing operations.
The consent process is an inherently user-facing piece of your team’s privacy ops. Teams must balance an easy-to-understand consent process for your users with detailed regulatory requirements. One of the first steps in becoming a champion for user consent is understanding the basic approaches to consent: opt-in and opt-out.
Here, we give a primer that breaks down these two general approaches to consent in today’s regulations.
Before diving into the two approaches to acquiring user consent, it’s important to recognize the legal basics for consent. In data privacy laws across the globe, consent is typically required to be informed, specific, and freely given. That is, users must be appropriately educated on the specific processing activities they are willingly consenting to. Any consent acquired through coercion or ambiguous, vague terms would constitute improper consent. Importantly, the consent violation in that case is on the requesting company, not the user.
Those violations can be costly for businesses: of the 14 largest GDPR fines between January 2020 and January 2021, 6 involved consent violations. GDPR treats consent violations as among the most serious infringements, punishable by a fine of up to €20 million or 4% of total worldwide annual turnover, whichever is greater.
With this baseline of proper consent in mind, we explore the basic approaches to obtaining user consent:
Under some regulations, a company needs the user to actively indicate “Yes, I consent to this data processing” in order to proceed with the processing activity. The company only receives consent when the user provides it. This approach is called opt-in.
Under other regulations, a company proceeds with the processing activity unless the user actively indicates “No, I do not consent to this data processing.” The company receives consent unless the user withholds it. This approach is called opt-out.
The distinction can seem subtle, but understanding the difference is crucial to building data systems that comply with today’s leading data privacy regulations.
When approaching a privacy regulation, it can be useful to ask: “if a user does nothing, can a company proceed with data processing?” If the answer is yes, then it’s opt-out; if no, then it’s opt-in.
Let’s see how today’s regulations compare in their approaches to user consent.
The European Union’s General Data Protection Regulation (GDPR) takes the opt-in approach: where the processing of personal data relies on consent as its lawful basis, that consent must be given by a clear affirmative act. Silence, pre-ticked boxes, or inactivity do not count. Brazil’s Lei Geral de Proteção de Dados (LGPD) also follows an opt-in approach.
State-level privacy regulations in the United States generally use an opt-out consent framework. California’s CCPA and Virginia’s CDPA give users the right to opt out of the sale of their personal data. The CCPA explicitly requires businesses that sell personal information to include a “Do Not Sell My Personal Information” link on their homepage, which takes users to the opt-out function. The CDPA also includes opt-out rights for targeted advertising and profiling.
However, US regulations feature opt-in consent in predefined circumstances. On a federal level, the Children’s Online Privacy Protection Act (COPPA) follows the opt-in approach. State legislation in recent years has applied this same spirit in processing of children’s data. The CCPA takes an opt-in approach with the selling of children’s data, and the CDPA requires opt-in consent for any processing activity applied to children’s data.
Looking to the future, a mix of opt-in and opt-out approaches is on the horizon. Like GDPR and LGPD, India’s draft Personal Data Protection (PDP) bill uses the opt-in framework for user consent. The recently approved CPRA, California’s successor to the CCPA, extends opt-out rights to automated decision-making. Draft legislation in numerous other states, such as Washington, generally uses the opt-out framework.
Opt-in or opt-out, it is vital for companies to design consent processes that are straightforward to users and compliant with the relevant regulations. Consent management platforms might need to fine-tune their operations according to specific laws. However, teams can make significant progress toward global privacy readiness with a few steps:
No matter a user’s state or country of residence, their consent process should be informed and accessible. Everyday users should be able to understand why you are requesting their consent, and your request should cover all of the intended use cases. In a nutshell, users deserve to know what they’re signing up for, and your website should clearly indicate where they can express their consent choices.
Have dedicated opt-in and opt-out functions. The present landscape is a mix of opt-in and opt-out, mirrored in the legislation coming down the pipeline. Whether it’s a “Do Not Sell My Information” opt-out feature for Californian users or an unambiguous opt-in feature for EU users, teams should be ready to accommodate consent requests of both forms.
A business cannot freely choose whether they want to implement opt-in or opt-out consent. The decision on which framework(s) are required comes from the relevant regulations. In the eyes of the law, opt-in and opt-out are not interchangeable.
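The steps above come down to one question at processing time: given this user, this purpose, and this jurisdiction, may we proceed if the user has said nothing? The following example, added here and not part of Ethyca’s products or the original post, shows a consent evaluator that answers that question with a fail-closed default. The jurisdiction table (`POLICY`), the record shape, and the sample ledger are assumptions constructed for illustration, not legal advice; a real system takes its mapping from counsel and the current text of each regulation.

```python
"""Evaluating a consent request under opt-in and opt-out defaults.

Added illustration, not Ethyca's code. The POLICY table is a simplified
ASSUMPTION for the example, not legal advice.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional

OPT_IN = "opt-in"    # silence means no: processing needs an explicit "yes"
OPT_OUT = "opt-out"  # silence means yes: processing stops on an explicit "no"

# Assumed default mode per jurisdiction; "*" covers purposes not listed.
POLICY = {
    "EU": {"*": OPT_IN},
    "BR": {"*": OPT_IN},
    "US-CA": {"*": OPT_OUT},
    "US-VA": {"*": OPT_OUT},
}


@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str          # consent is specific: one purpose per record
    granted: bool         # True = consented, False = declined or withdrawn
    recorded_at: datetime


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def consent_mode(jurisdiction: str, purpose: str, is_child: bool = False) -> str:
    """Pick the framework that applies. Children's data and unknown
    jurisdictions both resolve to opt-in, so the lookup fails closed."""
    if is_child:
        return OPT_IN
    table = POLICY.get(jurisdiction)
    if table is None:
        return OPT_IN
    return table.get(purpose, table["*"])


def latest_record(records: List[ConsentRecord], subject_id: str,
                  purpose: str) -> Optional[ConsentRecord]:
    """Most recent record for this subject and purpose, or None. A later
    withdrawal therefore supersedes an earlier grant."""
    matching = [r for r in records
                if r.subject_id == subject_id and r.purpose == purpose]
    return max(matching, key=lambda r: r.recorded_at, default=None)


def may_process(records: List[ConsentRecord], subject_id: str, purpose: str,
                jurisdiction: str, is_child: bool = False) -> Decision:
    """Answer 'if the user has done nothing, may we proceed?' with the
    framework's default; an explicit choice overrides it in either mode."""
    mode = consent_mode(jurisdiction, purpose, is_child)
    rec = latest_record(records, subject_id, purpose)
    if rec is not None:
        if rec.granted:
            return Decision(True, f"{mode}: explicit consent on {rec.recorded_at.date()}")
        return Decision(False, f"{mode}: declined or withdrawn on {rec.recorded_at.date()}")
    if mode == OPT_IN:
        return Decision(False, f"{mode}: no consent on record, fail closed")
    return Decision(True, f"{mode}: no objection on record")


def _day(d: int) -> datetime:
    return datetime(2021, 3, d, tzinfo=timezone.utc)


# Constructed sample ledger for the example.
SAMPLE_LEDGER = [
    ConsentRecord("alice", "analytics", True, _day(1)),   # EU user opted in
    ConsentRecord("bob", "sale", True, _day(2)),          # CA user said yes ...
    ConsentRecord("bob", "sale", False, _day(5)),         # ... then used Do Not Sell
]


if __name__ == "__main__":
    for args in [
        ("alice", "analytics", "EU"),      # explicit opt-in: allowed
        ("alice", "marketing", "EU"),      # consent is purpose-specific: denied
        ("carol", "sale", "US-CA"),        # opt-out, silent user: allowed
        ("bob", "sale", "US-CA"),          # latest record is a withdrawal: denied
        ("dave", "sale", "US-CA", True),   # child: opt-in applies, denied
        ("erin", "sale", "XX"),            # unknown jurisdiction: fail closed
    ]:
        d = may_process(SAMPLE_LEDGER, *args)
        print(args, d.allowed, d.reason)
```

Two design choices carry the security point. First, the absence of a record is never treated as a grant under opt-in, and anything the table does not recognise (an unknown jurisdiction, a minor) falls back to opt-in, so a gap in configuration denies processing rather than permitting it. Second, consent is keyed by purpose and the newest record wins, so a grant for analytics cannot be stretched to cover marketing, and a later withdrawal cannot be shadowed by an earlier yes.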
Despite the legal nuances of consent, which are central to compliance ops, the concept of a consent request is straightforward for companies and users alike: it is a request for a user’s informed and clear agreement to data processing. Each layer of legal and technical detail builds on this simple requirement. Users will appreciate a consent management platform that makes privacy terms understandable and consent requests simple across regulatory frameworks. Empowering users to exercise their legal rights over their data is an invaluable investment in growing a trustworthy brand.