Data protection laws are a major concern for any business operating online. Depending on the regulations in place, you will either need to get explicit consent from each customer before sending them marketing messages (opt-in) or provide them with a way to opt out of receiving these messages after they have been sent (opt-out).
To stay compliant with data protection laws, you must understand the difference between opt-in and opt-out consent.
An opt-in is when someone specifically agrees to receive communications from you. In other words, the individual must take a clear and affirmative action signifying that they agree to have their data collected and processed. This means they’re much more likely to be interested in what you have to say.
The trend set by the GDPR is applicable to most of the data protection laws around the world. However, there’s one exception: the US takes an opt-out approach instead. That is, companies are not legally required to obtain explicit consent from users — they can simply provide a notice informing users of their right to opt out of data collection and usage.
Here’s a closer look at the opt-in approach:
The registration page above requests that users consent to have their data saved and subscribe to email notifications. By default, neither option is selected, so users have to actively opt in.
Opt-in approaches come in two forms: single opt-in and double opt-in.
Single opt-in means that a person becomes a subscriber simply by submitting their email to your sign-up form.
With the double opt-in approach, not only do you have explicit permission to contact someone, but they also have to take an additional step to confirm that they want to hear from you. This is usually done by sending a confirmation email afterwards and requiring the recipient to click on a link in that email before they’re added to your list.
Opting out means that you take back your consent. There are two main ways to offer opt-outs.
In this example, the user is presented with two boxes that are already checked. These represent the user’s consent to something. The user then has the opportunity to opt out of this consent by unchecking the boxes.
Keep in mind, this approach is not allowed under the GDPR because people’s consent cannot be assumed through something like a pre-ticked box.
In the example above, the company provides users with the option to unsubscribe from future marketing contact by directing them to a preference manager through the opt-out link. This allows users to have more control over the types of communications they receive from the company.
The unsubscribe link is a common way to opt out of receiving emails. This is probably something you are familiar with and may even use yourself. When you click the unsubscribe link, it means you no longer want to receive emails from that sender.
Understanding which approach (opt-in or opt-out) is required by privacy regulations is essential for ensuring email compliance.
Privacy regulations in the United States are generally based on an opt-out consent framework. California’s CCPA and Virginia’s CDPA require users to opt out of the agreement that their data may be sold, which is different from European Union GDPR or Brazilian LGPD laws where a user must first give permission before any processing can occur.
In the United States, children’s data can only be collected and used with parental consent. This is known as the opt-in approach, and it is required by federal law (COPPA) and some state laws. The California Consumer Privacy Act also has opt-in requirements for selling children’s data, and the California Data Privacy Act requires opt-in consent for any data processing activities involving children.
The future of data privacy may involve a mix of opt-in and opt-out approaches. For example, the General Data Protection Regulation (GDPR) in the European Union and the Lei Geral de Proteção de Dados Pessoais (LGPD) in Brazil both use an opt-in framework, where users must give their explicit consent before their data can be collected. India’s draft Personal Data Protection (PDP) takes the same approach.
In contrast, the California Privacy Rights Act (CPRA), which is the successor to the California Consumer Privacy Act (CCPA), uses an opt-out framework, where users must specifically indicate if they do not want their data to be collected. Draft legislation in other U.S. states, such as Washington, also generally uses the opt-out framework. It is likely that different jurisdictions will continue to experiment with different approaches in the future.
The key to understanding when and where you should use opt-in or opt-out lies in the specific situation that requires compliance with privacy laws.
There are some cases where you must use an opt-in form for your website visitors:
If you outlined data collection in your privacy policy
Businesses must get explicit consent from users before collecting any personal information. This includes not only privacy policies and terms & conditions but also emails or other communications with customers where they might ask for details like names, addresses, etc. Companies that fail to receive user consent will be subject to fines under the GDPR.
Privacy policies are often overlooked and ignored, but there is a simple way to make them more visible. One method of drawing attention includes displaying an opt-in consent banner when your user first visits the site. This will direct them towards where they can find more information about what kind of data you collect from each visitor. By checking the box, they agree to the terms outlined in the policy.
If you collect data from EU citizens
The GDPR requires businesses that collect data from EU citizens to get consent for marketing purposes before collecting their data. There are six legal bases for collecting data under GDPR: user consent, legitimate interests, contractual necessity, vital interest of the user, legal obligation, and public interest.
To process data lawfully for email marketing under the GDPR, you must have the user’s consent. This consent must be given through a clear and affirmative action to avoid facing penalties.
In case you sell data of California minors
The CCPA is a privacy law that was enacted in California in 2018. It applies to businesses that collect data from California residents, regardless of whether those businesses are located within the state or not. The law went into effect in 2020.
The law includes a section on the rights of minors regarding the sale of their data. According to this section, businesses are not allowed to sell or share the personal information of users under the age of 16, unless they have received explicit permission from the user (or the user’s parent or guardian, if the user is under 13). To get this permission, businesses need to implement opt-in measures at the beginning of their data collection process.
If you want to make it clear that you are asking for permission to sell someone’s data, you can add a pop-up to your sign-up page. This pop-up will appear if the user enters their age as under 16 years old. There will be an unchecked box where the user can offer their consent to having their information sold.
If you use cookies and market to EU citizens
The GDPR requires that website owners get explicit consent from users before collecting any data, including through cookies. This means offering users the chance to opt into specific types of cookies, like advertising or analytics. Having separate opt-in checkboxes for each category ensures that users can make an informed choice about which data they’re comfortable sharing.
You can get consent for cookie use through a banner that appears when someone accesses your site. This will stay on their screen until they opt in or manage preferences. The banner should give users the chance to set their cookie preferences and also tell them where they can find your cookie policy.
If you want more targeted emailing lists
While opt-ins may be required for legal compliance, they can also be a great marketing tool. By placing opt-in forms in strategic locations on your website, you can encourage users who are interested in your product to sign up for email updates. This makes it easier to target your email campaigns and improve your overall marketing strategy. Some good places to include a subscription form are shown below:
While it is required by the CCPA and GDPR to have an opt-in option, you may also need users to be able to choose whether or not they want their information shared with third parties. You should offer them all available means of opting out:
If you sell data of California residents
The CCPA gives Californian users the right to say no to the selling of their personal data. This means that businesses are not allowed to sell personal information about a consumer unless they have explicit permission.
Consumers can exercise this right by clicking on a “Do Not Sell My Personal Information” link that should be prominently displayed on a business’s homepage or privacy policy page. The process for opting out must be clear and simple, without any confusion or obstacles.
If you send marketing emails
The CAN-SPAM Act and GDPR require that all commercial emails include an opt-out link, typically in the form of an “unsubscribe” button. This ensures that recipients have the ability to unsubscribe from future emails if they so choose.
If using third-party platforms or tools
When using any third-party platform that involves collecting and using personal information, be sure to review their terms of service or privacy policy. They will most likely require an opt-out method which you should include in your own policies as well.
Legal restrictions on email marketing vary from country to country, but it is illegal for companies or individuals to send unsolicited emails without consent. Let’s briefly outline what is considered legal email marketing according to GDPR and CCPA laws.
The GDPR requires any company that works with Europeans to take measures ensuring data privacy and security:
The California Consumer Privacy Act (CCPA) provides consumers in California with a number of basic rights. Businesses that collect email addresses from California residents must comply with CCPA. This includes:
This ensures that consumers are aware of how their personal information is being used and gives them the opportunity to exercise their rights under the CCPA.
Make sure that your emails are not being blacklisted. One way to avoid this is by using opt-in and opt-out options so customers can indicate whether or not they want certain types of mailings.
There are pros and cons to both opt-in and opt-out marketing. Here are some things to consider when deciding which practices are best for your business:
➕ Building a mailing list can be done quickly by using a single opt-in. With this method, prospects can sign up for your mailing list from any website. Single opt-in is a one-step process, which makes it easy for people to register through a signup form.
➕ Opt-in mailing lists are more permission-based, which means they’re less likely to be considered spam. This can help improve your deliverability rates and ensure that more of your messages get through to your subscribers.
➕ You’ll get more accurate contact information from people who actively choose to sign up for your mailing list. This allows the company to create promotional content that is tailored to the interests of its subscribers.
➕ People who opt in are generally more interested in what you have to say and are more likely to engage with your emails. Thus, you are more likely to get people to actually open and read your emails.
➖ It can be difficult to get people to opt in to your mailing list, especially if you don’t have a strong incentive.
➖ You may miss out on potential subscribers if your opt-in form is not prominently displayed.
➖ The probability of incorrectly typing an email address is quite high. This can happen for a number of reasons, such as human error or a typo when inputting the email address. Incorrectly written emails can worsen deliverability, as they are more likely to be rejected by the server. Trying to send an email to the wrong address will not only fail to deliver the message but can also cause the bounce rate to increase. It is for this reason that double opt-in is essential when collecting email addresses.
➕ You can always email your customers until they tell you to stop.
➕ If people are filling out a form on your website, they may expect to be signed up for email notifications automatically. Thus, if you send them your first email, they likely won’t be surprised to see it.
➕ Opt-out forms can also be a good way to grow your mailing list quickly since people don’t have to actively choose to sign up and take action.
➖ People may accidentally sign up for your mailing list if the opt-out form is not clearly displayed. As a result, you may end up with a lot of inactive subscribers who never open or engage with your emails.
➖ You may get more spam complaints with an opt-out form since people didn’t actively choose to sign up for your emails.
Opt-in is when a customer specifically agrees to share their data with a company. This could be through a sign-up form on a website or ticking a box to say they’re happy to receive marketing communications. Opt-in (especially double opt-in) is considered to be a more ethical way of collecting data, as it gives customers explicit control over what information they share.
There are a few reasons why you might want to use opt-in consent:
Opt-out is when businesses collect customer data by default, unless the customer tells them not to. This could be through pre-ticked boxes on forms, or by collecting data through cookies when someone visits a website. Opt-out is considered to be less ethical than opt-in, as it doesn’t give customers a clear choice over whether they want to share their data.
Opt-out consent is necessary when: