Opt-In / Opt-Out

For data processors, the choice architecture of consent often comes down to ticking or un-ticking a box. The seemingly small difference between opt-in and opt-out fields has big implications for privacy compliance.

In a nutshell, an opt-in case is when users must proactively consent to a processing activity, for example by accepting terms or through some other on-site activity. An opt-out case assumes consent unless the user proactively denies it, most often by de-selecting a box on-site. It’s a small difference in process that can make a big difference in how regulators assess compliance.

Opting out may not seem like a lot of extra work, but user experience testing shows that pre-selecting consent and making a user de-select is a far more effective tool for gaining consent than asking the user to opt in. Consequently, many regulators don’t believe that opt-out policies represent “meaningful” consent. GDPR effectively bans opt-out as a method of consent by mandating “clear affirmative” action.

While marketers may fret at the data leveraging forgone due to required opt-in consent, it should be noted that consent is only one of six scenarios in which it is lawful to process data under GDPR. The other five are:

  • A contract with the individual
  • Compliance with a legal obligation
  • Vital interests
  • A public task
  • Legitimate interests

If those terms seem vague, you can read more about the conditions for lawful processing of data under GDPR here