Opt-In and Opt-Out Comparison

There are two main ways that businesses can comply with privacy laws like GDPR and CCPA (California Consumer Privacy Act) — by getting users to opt-in or opt-out of data collection and processing activities. In this article, we’ll explain what these terms mean in email marketing and which of the two methods (opt-in vs opt-out) you need to implement to stay compliant with the law.

What are opt-in and opt-out and what is the difference between them

The data protection laws are a major concern for any business operating online. Depending on the regulations in place, you will either need to get explicit consent from each customer before sending them marketing messages (opt-in) or provide them with a way to opt out of receiving these messages after they have been sent (opt-out).

To stay compliant with data protection laws, you must understand the difference between opt-in and opt-out consent.

Opt-in meaning and examples

An opt-in is when someone specifically agrees to receive communications from you. In other words, the individual must take a clear and affirmative action signifying that they agree to have their data collected and processed. This means they’re much more likely to be interested in what you have to say.

The trend set by the GDPR is applicable to most of the data protection laws around the world. However, there’s one exception: the US takes an opt-out approach instead. That is, companies are not legally required to obtain explicit consent from users — they can simply provide a notice informing users of their right to opt out of data collection and usage.

Here’s a closer look at the opt-in approach:

Opt-in form example
Source: MailerLite

The registration page above requests that users consent to have their data saved and subscribe to email notifications. By default, neither option is selected, so users have to actively opt in.

When it comes to opt-in approaches, there are single opt-in and double opt-in. 

Single opt-in means that a person becomes a subscriber simply by submitting their email to your sign-up form.

With the double opt-in approach, not only do you have explicit permission to contact someone, but they also have to take an additional step to confirm that they want to hear from you. This is usually done by sending a confirmation email afterwards and requiring the recipient to click on a link in that email before they’re added to your list.

Email verifying example
Source: Really Good Emails

What does it mean to opt-out

Opting out means that you take back your consent. To offer opt-outs, there are two main ways. 

  1. With a pre-emptive opt-out, you offer your users the chance to indicate that they don’t want any more information or offers from you by unchecking any marked box.
Pre-emptive opt out form example
Source: Formisimo

In this example, the user is presented with two boxes that are already checked. These represent the user’s consent to something. The user then has the opportunity to opt out of this consent by unchecking the boxes. 

Keep in mind, this approach is not allowed under the GDPR because people’s consent cannot be assumed through something like a pre-ticked box.

  1. If someone changes their mind about something they consented to, they can withdraw that consent. This is called consent withdrawal. It’s when someone is given the opportunity to take back their permission or change their preferences after they originally agreed to something.
Consent withdrawal form example
Source: Piwik PRO

In the example above, the company provides users with the option to unsubscribe from future marketing contact by directing them to a preference manager through the opt-out link. This allows users to have more control over the types of communications they receive from the company.

The unsubscribe link is a common way to opt out of receiving emails. This is probably something you are familiar with and may even use yourself. When you click the unsubscribe link, it means you no longer want to receive emails from that sender.

Unsubscribe link in email
Source: Really Good Emails

How to opt-in or opt-out in compliance with data privacy regulations

Understanding which approach (opt-in or opt-out) is required by privacy regulations is essential for ensuring email compliance.

Privacy regulations in the United States are generally based on an opt-out consent framework. California’s CCPA and Virginia’s CDPA require users to opt out of the agreement that their data may be sold, which is different from European Union GDPR or Brazilian LGPD laws where a user must first give permission before any processing can occur.  

In the United States, children’s data can only be collected and used with parental consent. This is known as the opt-in approach, and it is required by federal law (COPPA) and some state laws. The California Consumer Privacy Act also has opt-in requirements for selling children’s data, and the California Data Privacy Act requires opt-in consent for any data processing activities involving children.

The future of data privacy may involve a mix of opt-in and opt-out approaches. For example, the General Data Protection Regulation (GDPR) in the European Union and the Lei Geral de Proteção de Dados Pessoais (LGPD) in Brazil both use an opt-in framework, where users must give their explicit consent before their data can be collected. Indian law takes the same approach. India’s draft Personal Data Protection (PDP) takes the same approach.

In contrast, the California Privacy Rights Act (CPRA), which is the successor to the California Consumer Privacy Act (CCPA), uses an opt-out framework, where users must specifically indicate if they do not want their data to be collected. Draft legislation in other U.S. states, such as Washington, also generally uses the opt-out framework. It is likely that different jurisdictions will continue to experiment with different approaches in the future.

Opt-in vs opt-out: how and when to use

The key to understanding when and where you should use opt-in or opt-out lies in the specific situation that requires compliance with privacy laws.

Opt-in use cases

There are some cases where you must use an opt-in form for your website visitors:

If you outlined data collection in your privacy policy

Businesses must get explicit consent from users before collecting any personal information. This includes not only privacy policies and terms & conditions but also emails or other communications with customers where they might ask for details like names, addresses, etc. Companies that fail to receive user consent will be subject to the fines under GDPR. 

Privacy policies are often overlooked and ignored, but there is a simple way to make them more visible. One method of drawing attention includes displaying an opt-in consent banner when your user first visits the site. This will direct them towards where they can find more information about what kind of data you collect from each visitor. By checking the box, they agree to the terms outlined in the policy.

If you collect data from EU citizens

The GDPR requires businesses that collect data from EU citizens to get consent for marketing purposes before collecting their data. There are six legal bases for collecting data under GDPR: user consent, legitimate interests, contractual necessity, vital interest of the user, legal obligation, and public interest.

In order to process data lawfully under the GDPR email marketing, you must have the user’s consent. This consent must be given through a clear and affirmative action to avoid facing penalties.

Amazon, for example, was issued a total of €746 million of fines because their processes did not follow these rules when collecting user consent under GDPR law.

In case you sell data of California minors

The CCPA is a privacy law that was enacted in California in 2018. It applies to businesses that collect data from California residents, regardless of whether those businesses are located within the state or not. The law went into effect in 2020.

The law includes a section on the rights of minors regarding the sale of their data. According to this section, businesses are not allowed to sell or share the personal information of users under the age of 16, unless they have received explicit permission from the user (or the user’s parent or guardian, if the user is under 13). To get this permission, businesses need to implement opt-in measures at the beginning of their data collection process.

If you want to make it clear that you are asking for permission to sell someone’s data, you can add a pop-up to your sign-up page. This pop-up will appear if the user enters their age as under 16 years old. There will be an unchecked box where the user can offer their consent to having their information sold.

The penalties for violating the CCPA can be hefty. You could face fines as high as $2,500 per unintentional violation and up to $7,500 if you are found guilty of intentional infractions.

If you use cookies and market to EU citizens

The GDPR requires that website owners get explicit consent from users before collecting any data, including through cookies. This means offering users the chance to opt into specific types of cookies, like advertising or analytics. Having separate opt-in checkboxes for each category ensures that users can make an informed choice about which data they’re comfortable sharing.

You can get consent for cookie use through a banner that appears when someone accesses your site. This will stay on their screen until they opt in or manage preferences. The banner should give users the chance to set their cookie preferences and also tell them where they can find your cookie policy.

Netflix JobisJob cookie settings
Source: Netflix

If you want more targeted emailing lists

While opt-ins may be required for legal compliance, they can also be a great marketing tool. By placing opt-in forms in strategic locations on your website, you can encourage users who are interested in your product to sign up for email updates. This makes it easier to target your email campaigns and improve your overall marketing strategy. Some good places to include a subscription form are shown below:

pic
pic

Using opt-out consent

While it is required by the CCPA and GDPR to have an opt-in option, you may also need users to be able to choose whether or not they want their information shared with third parties. You should offer them all available means of opting out:

If you sell data of California residents

The CCPA gives Californian users the right to say no to the selling of their personal data. This means that businesses are not allowed to sell personal information about a consumer unless they have explicit permission. 

Consumers can exercise this right by clicking on a “Do Not Sell My Personal Information” link that should be prominently displayed on a business’s homepage or privacy policy page. The process for opting out must be clear and simple, without any confusion or obstacles.

Opting out of selling personal information
Source: Costco Wholesale Corporation
Opting out form example
Source: Costco Wholesale Corporation

If you send marketing emails

The CAN-SPAM Act and GDPR requires that all commercial emails include an opt-out link, typically in the form of an “unsubscribe” button. This ensures that recipients have the ability to unsubscribe from future emails if they so choose.

If using third-party platforms or tools

When using any third-party platform that involves collecting and using personal information, be sure to review their terms of service or privacy policy. They will most likely require an opt-out method which you should include in your own policies as well.

To build trust with consumers, give them the option of opting in and out. This will keep your company compliant and allow you more freedom when sending direct marketing messages that could potentially be seen as aggressive or too pushy.

Email marketing laws to keep in mind

Legal restrictions on email marketing vary from country to country, but it is illegal for companies or individuals to send unsolicited emails without consent. Let’s briefly denote what is considered legal email marketing according to GDPR and CCPA laws.

GDPR

The GDPR requires any company that works with Europeans to take measures ensuring data privacy and security:

  1. Companies must get explicit consent from subscribers, explain why data is being collected, and inform subscribers of data breaches within 72 hours. 
  2. Access to subscriber data must be granted upon request. 
  3. Only data necessary for marketing campaigns should be collected, with justification if needed.

To make sure you are following all of the GDPR regulations, it is useful to have a checklist to refer to. The fines for not complying with GDPR rules can be significant, up to 4% of annual global turnover or €20 million. Therefore, it is important to make sure you are aware of the regulations and take steps to comply with them.

CCPA

The California Consumer Privacy Act (CCPA) provides consumers in California with a number of basic rights. Businesses that collect email addresses from California residents must comply with CCPA. This includes: 

  • Getting explicit consent from consumers before adding them to any email marketing lists
  • Providing customers with the option to opt out of receiving marketing emails
  • Including information about email collection and usage in their privacy notices

This ensures that consumers are aware of how their personal information is being used and gives them the opportunity to exercise their rights under the CCPA.

Opt-in vs opt-out: pros and cons of methods

Make sure that the emails are not being blacklisted. One way to avoid this is by using opt-in and out options so customers can indicate whether or not they want certain types of mailings.

There are pros and cons to both opt-in and opt-out marketing. Here are some things to consider when deciding which practices are best for your business:

Opt-in pros

➕ Building a mailing list can be done quickly by using a single opt-in. With this method, prospects can sign up for your mailing list from any website. Single opt-in is a one-step process, which makes it easy for people to register through a signup form.

➕Opt-in mailing lists are more permission-based, which means they’re less likely to be considered spam. This can help improve your deliverability rates and ensure that more of your messages get through to your subscribers.

➕ You’ll get more accurate contact information from people who actively choose to sign up for your mailing list. This allows the company to create promotional content that is tailored to the interests of its subscribers.

➕ People who opt-in are generally more interested in what you have to say and are more likely to engage with your emails. Thus, you are more likely to get people to actually open and read your emails.

Opt-in cons

➖ It can be difficult to get people to opt-in to your mailing list, especially if you don’t have a strong incentive.

➖ You may miss out on potential subscribers if your opt-in form is not prominently displayed.

➖ The probability of incorrectly typing an email address is quite high. This can happen for a number of reasons, such as human error or a typo when inputting the email address. Incorrectly written emails can worsen deliverability, as they are more likely to be rejected by the server. Trying to send an email to the wrong address will not only fail to deliver the message but can also cause the bounce rate to increase. It is for this reason that double opt-in is essential when collecting email addresses. 

Opt-out pros

You can always email your customers until they tell you to stop.

If people are filling out a form on your website, they may expect to be signed up for email notifications automatically. Thus, if you send them your first email, they likely won’t be surprised to see it.

Opt-out forms can also be a good way to grow your mailing list quickly since people don’t have to actively choose to sign up and take action.

Opt-out cons

People may accidentally sign up for your mailing list if the opt-out form is not clearly displayed. As a result, you may end up with a lot of inactive subscribers who never open or engage with your emails.

➖ You may get more spam complaints with an opt-out form since people didn’t actively choose to sign up for your emails.

Conclusion

Opt-in is when a customer specifically agrees to share their data with a company. This could be through a sign-up form on a website or ticking a box to say they’re happy to receive marketing communications. Opt-in (especially double opt-in) is considered to be a more ethical way of collecting data, as it gives customers explicit control over what information they share.

There are a few reasons why you might want to use opt-in consent:

  1. To outline data collection in your privacy policy.
  2. To collect data from EU citizens.
  3. To sell the data of minors in California.
  4. To get explicit consent from EU users before collecting any data, including through cookies. 
  5. To create more targeted mailing lists. 

Opt-out is when businesses collect customer data by default, unless the customer tells them not to. This could be through pre-ticked boxes on forms, or by collecting data through cookies when someone visits a website. Opt-out is considered to be less ethical than opt-in, as it doesn’t give customers a clear choice over whether they want to share their data.

Opt-out consent is necessary when:

  1. Selling the data of California residents.
  2. Sending marketing emails.
  3. Using third-party platforms or tools that involve collecting and using personal information.

Which approach is right for you?

Answer in comments
unisender

Comments