
Understand everything about opt-in and opt-out

Our articles accompany our "1 min to understand everything" episodes. These are short videos in which our lawyers, who are experts in personal data protection, offer simple definitions of key concepts of the General Data Protection Regulation (GDPR) and give concrete examples. Follow us on LinkedIn so you don't miss any news!

Today we discuss opt-in and opt-out techniques. Sit comfortably with your coffee and a biscuit, we'll explain everything to you in 5 minutes! ☕️

What is opt-in?

Opt-in is a method of obtaining consent from data subjects when processing relies on consent as its legal basis (find our article dedicated to this subject here). The person is asked to consent to the processing of their data by ticking a check box. If the box is not checked, the data controller cannot process the data for the intended purpose, because the consent that would authorize the processing has not been obtained. For example, this could be a checkbox accompanied by a note such as "I accept that my email address is used for company X to send me its offers by email".

There is a passive opt-in method which consists of pre-checking the box in question. This method should be avoided because consent obtained this way does not result from a positive act by the person. The conditions for valid consent are then not met, because the consent is not unambiguous. The CNIL recommends active opt-in tools, where the person checks the box themselves.

Remember that, for consent to be validly collected, it must be:

Free (neither constrained nor influenced). The person must really have a choice, which they can make without fear of suffering negative consequences in the event of refusal.

Specific. That is to say, consent is given purpose by purpose. It is not possible to obtain consent for several distinct purposes through a single box such as "I accept that my data will be processed to receive the newsletter from company X and be transmitted to company X's commercial partners with a view to sending me commercial prospecting".

Informed. The person must be informed in advance of the terms of the processing to which they are asked to consent (mandatory information under Articles 13 and 14 of the GDPR), in particular the identity of the data controller, the purposes pursued, the categories of data collected, the right to withdraw consent and, where applicable, the fact that the data will be used for automated individual decision-making and/or the existence of a transfer outside the European Union and the guarantees associated with this transfer.

Unambiguous. Consent is obtained by a clear positive act devoid of ambiguity.

To go further, there is a double opt-in method. Let's take the example of subscribing to a newsletter. The person registers on the issuer's showcase website and their consent is subject to an initial opt-in. To register, the person must check a box such as "I accept that my personal data (last name, first name, email address) will be processed to receive the X newsletter". Once the person's consent has been obtained, the double opt-in consists of having the person confirm their registration. This is generally done by sending a confirmation email with a clickable link, for example "To finalize your registration, please click on the following link [...]". This makes it possible to verify that the person's email address has not been used fraudulently and that they are the originator of this registration.

Is opt-in mandatory?

Opt-in is mandatory in certain cases when the processing in question is based on consent (there are 5 other possible legal bases, find our article on the subject here). This is the case, for example, when the purpose of collecting personal data is to send commercial prospecting emails in BtoC. This data processing is subject to the prior consent of the persons concerned, unless the person is already a customer and the prospecting concerns similar goods or services. This obligation is set by article L. 34-5 of the Postal and Electronic Communications Code, which provides: "Direct prospecting by means of an automated electronic communications system within the meaning of 6° of article L. 32, a fax or e-mail, using the contact details of a natural person, subscriber or user, who has not previously expressed consent to receive direct prospecting by this means, is prohibited."

By contrast, commercial prospecting emails sent in BtoB, as long as the good or service has a direct link with the professional activity of the person contacted, are not subject to a mandatory opt-in. They may fall under a legal basis other than consent and be based on legitimate interest (find our article on the subject here). If the professional does not object, the data controller may send them solicitations. In BtoB, people must on the one hand be informed, at the time of collection, that their professional data will be used for commercial prospecting purposes, and on the other hand be able to exercise their right to object at any time. In this case, people must be able to access an opt-out mechanism.

What is opt-out?

This method applies to processing based on legitimate interest. It is a mechanism for exercising the right to object. In this case, the prior consent of the person to the processing of their data has not been obtained, since consent is not the legal basis for the processing. In other words, the data controller may process the data for the purpose in question as long as the data subject has not objected to the processing. Until the person says "no", it's "yes". This is the opposite logic of consent.

The data controller must provide data subjects with a simple and free means of objecting to the processing from the moment the data is collected, and at any time thereafter. This opt-out can for example be implemented in the form of a check box such as "I refuse to allow my postal address to be used to receive commercial prospecting from company X". Note that it is also appropriate to organize an opt-out by purpose.

Prospecting by post or telephone can be carried out without the prior consent of the people concerned. In this case, no opt-in method needs to be implemented. However, the person must be able to exercise their right to object through an opt-out at the time their data, which will be used for the aforementioned purposes, is collected. Subsequently, if the person no longer wishes to receive these solicitations, they must also be able to object to the processing at any time. This is also the case for electronic BtoB advertising, as mentioned above, and for BtoC prospecting for products or services similar or analogous to those that the person has already ordered from the data controller who will carry out the prospecting operations.

Would you like to know more about this? To understand everything about compliance with the GDPR in the context of commercial prospecting, find our dedicated webinars: "Respect the GDPR in your BtoC prospecting: how to do it?" and "Respect the GDPR in your BtoB commercial prospecting: how to do it?"