Opt-in vs. Opt-out

Two consent models — opt-in requires affirmative agreement before processing; opt-out permits processing until the data subject objects.

Opt-in and opt-out describe two ways a controller can structure a data subject's choice over processing.

  • Opt-in. Processing is not permitted until the data subject affirmatively agrees. Pre-ticked boxes don't count. Silence doesn't count. The default is "no processing."
  • Opt-out. Processing happens by default; the data subject can object and stop it. The default is "processing."

What jurisdictions require

The choice between opt-in and opt-out is dictated by the lawful basis and the jurisdiction:

  • GDPR consent (Article 7) is opt-in. Consent must be "freely given, specific, informed and unambiguous" — pre-ticked boxes were explicitly ruled out by the Planet49 judgment (CJEU 2019).
  • GDPR legitimate interests is functionally opt-out. Processing is lawful by default; the data subject has a Right to Object (Article 21), which the controller must honour unconditionally for direct marketing and, for other processing, unless it can demonstrate compelling legitimate grounds that override the data subject's interests.
  • CCPA/CPRA was traditionally opt-out for sale or sharing of personal information; CPRA strengthened it for sensitive personal information and added an opt-in default for minors under 16.
  • Most other US state laws (VCDPA, CPA, TDPSA) are opt-out by default, with opt-in for sensitive data and minors.
  • Cookie/tracker consent (ePrivacy Directive) is opt-in across the EU, with limited exceptions for strictly necessary cookies.

How to design the choice

Where opt-in is required, the choice has to be granular (separate consent per purpose), specific (identifying the controller and the processing), informed (the data subject knows what they're agreeing to), and freely given (no coercion, including not bundling consent into a service contract where the consent isn't necessary for the contract).

Where opt-out is permitted, the right to object must be:

  • Prominent. Easy to find, not buried in a privacy policy footer.
  • Functional. "Click here to opt out" must actually stop the processing, not just suppress one outbound email channel.
  • Ongoing. A data subject who opts out today must remain opted out indefinitely, which means the opt-out has to propagate to every system and every vendor that holds the data.

Vendors that re-add data subjects to marketing lists after a CRM sync, or whose unsubscribe link only suppresses one channel, are creating compliance failures the controller will be on the hook for.
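The two failure modes above (a channel-only unsubscribe, and a CRM sync that silently re-enables marketing) can be checked in code. The following is an added illustration, not code from the original page; the subject ids, channel names and record shape are assumptions.

```python
from dataclasses import dataclass, field

# Constructed sample: outbound direct-marketing channels a controller operates.
CHANNELS = ("email", "sms")

@dataclass
class ConsentRecord:
    subject_id: str
    # Art. 21 objection to direct marketing: one global flag, not a per-channel one.
    objected: bool = False
    # Per-channel subscription flags, as a CRM would hold them.
    channels: dict = field(default_factory=lambda: {c: True for c in CHANNELS})

def unsubscribe_channel(rec: ConsentRecord, channel: str) -> None:
    """The failure mode: suppresses one channel only; every other channel keeps sending."""
    rec.channels[channel] = False

def record_objection(rec: ConsentRecord) -> None:
    """Correct handling: an objection stops direct marketing on every channel."""
    rec.objected = True
    for c in rec.channels:
        rec.channels[c] = False

def can_send(rec: ConsentRecord, channel: str) -> bool:
    """Gate to call before every send; the global objection overrides channel flags."""
    if rec.objected:
        return False
    return rec.channels.get(channel, False)

def merge_from_crm(rec: ConsentRecord, crm_row: dict) -> ConsentRecord:
    """Sync rule that never re-adds an objector: the objection is sticky and
    a channel flag only stays on if it is on in both the local record and the CRM row.
    Re-subscription must come through the consent capture flow, never via a sync."""
    crm_channels = crm_row.get("channels", {})
    objected = rec.objected or bool(crm_row.get("objected", False))
    channels = {
        c: rec.channels.get(c, False) and bool(crm_channels.get(c, False))
        for c in set(rec.channels) | set(crm_channels)
    }
    if objected:
        channels = {c: False for c in channels}
    return ConsentRecord(rec.subject_id, objected, channels)
```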
