Data Privacy, De-Mystified.
For data processors, the choice architecture of consent often comes down to ticking or un-ticking a box. The seemingly small difference between opt-in and opt-out fields has big implications for privacy compliance.
In a nutshell, an opt-in case is when users must proactively consent to a processing activity, and accepting of terms, or some other on-site activity. An opt-out case assumes consent unless the user proactively denies it, most often by de-selecting a box on-site. It’s a small difference in process that can make a big difference in how regulators assess compliance.
Opting out may not seem like a lot of extra work, but user experience testing shows that pre-selecting consent and making a user de-select is a far more effective tool for gaining consent than opting in. Consequently many regulators don’t believe that opt-out policies represent “meaningful” consent. GDPR effectively bans opt-out as a method of consent by mandating “clear affirmative” action.
While marketers may fret at the data leveraging foregone due to required opt-in consent, it should be noted that consent is only one of six scenarios in which it is lawful to process data under GDPR. The other five are:
- A contract with the individual
- Compliance with a legal obligation
- Vital interests
- A public task
- Legitimate interests
If those terms seem vague, you can read more about the conditions for lawful processing of data under GDPR here.