Opt-in vs. Opt-out: Understanding the Two Consent Models
Two fundamentally different approaches to cookie consent are in use. The European Union requires opt-in: no non-essential cookies until the user says yes. The United States has no federal cookie-consent law, and the states that do regulate tracking use opt-out: cookies are placed by default, and the user can say no. Understanding these two models, their legal basis, their implications, and where each applies, is essential for any website with a global audience.
The Opt-in Model
Under the opt-in model, non-essential cookies may not be placed until the user has given explicit, affirmative consent. No action from the user means no cookies. This is the model required by the EU's ePrivacy Directive (Article 5(3)) as interpreted through the GDPR's definition of consent (Article 4(11)).
How Opt-in Works in Practice
- User visits the website for the first time.
- Only strictly necessary cookies are active. Analytics, marketing, and preference cookies are blocked.
- A consent mechanism appears, presenting cookie categories and asking the user to make a choice.
- The user actively selects which categories to accept (or clicks "Accept All" or "Reject All").
- Only the scripts corresponding to accepted categories are loaded.
- If the user takes no action, no non-essential cookies are set. The consent mechanism remains visible (or accessible) until the user makes a choice.
Legal Basis
The opt-in requirement rests on two legal texts and the case law interpreting them:
- ePrivacy Directive Article 5(3): Requires consent before storing information on, or gaining access to information already stored on, a user's device, except where this is strictly necessary to provide a service the user has explicitly requested.
- GDPR Article 4(11): Defines consent as a freely given, specific, informed and unambiguous indication of the user's wishes given by a "clear affirmative action". Inaction, pre-ticked boxes, and continued browsing do not qualify.
- CJEU Planet49 ruling (C-673/17, 2019): Confirmed that active consent is required and that a pre-checked box does not constitute valid consent, regardless of whether the information stored is personal data.
Where Opt-in Applies
All EU/EEA member states (27 EU countries plus Norway, Iceland, and Liechtenstein), plus the United Kingdom (which retained the ePrivacy rules post-Brexit via the Privacy and Electronic Communications Regulations, or PECR).
Implications for Website Operators
- Expect significant consent rejection rates. Industry data suggests 30-50% of European visitors reject non-essential cookies when given a genuine choice.
- Analytics data will be incomplete. You will only have data from users who consented. This is not a bug — it is the intended outcome of the regulation.
- Script loading must be conditional. You need a technical mechanism that holds back analytics and marketing tags until consent is recorded and then loads only the accepted categories. A banner that merely informs while the tags fire underneath it is not compliance. Verify it the way a regulator or a complainant would: open a fresh private browsing session, load the page, and confirm in the browser's network and storage panels that no third-party requests and no non-essential cookies appear before a choice is made.
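The following is an added example of the script management described above; it is illustrative code written for this article, not Passiro's product or any vendor's API. Non-essential tags ship inert as `<script type="text/plain" data-consent-category="...">`, the stored consent record is parsed so that anything short of an explicit per-category `true` counts as no consent, and only the accepted categories are turned into live scripts. The cookie name `site_consent`, the `data-consent-category` attribute, and the script URLs are assumptions for illustration.

```javascript
// Added example: consent-gated script activation for the opt-in model.
// Non-essential tags ship inert (<script type="text/plain" data-consent-category="analytics">)
// and are turned into live scripts only for categories the user explicitly accepted.
// Cookie name, attribute name and URLs are assumptions for illustration.

const CATEGORIES = ['analytics', 'marketing', 'preferences'];
const CONSENT_COOKIE = 'site_consent';

// Pull one cookie's raw value out of a document.cookie string; null if absent.
function readCookie(cookieString, name) {
  for (const part of cookieString.split(';')) {
    const [key, ...rest] = part.trim().split('=');
    if (key === name) return rest.join('=');
  }
  return null;
}

// Parse the stored consent record. Only an explicit boolean true per category
// counts as consent: no cookie, malformed JSON, a missing key, or the string
// "true" all leave the category blocked (inaction is not consent).
function parseConsent(rawValue) {
  const categories = Object.fromEntries(CATEGORIES.map((c) => [c, false]));
  if (typeof rawValue !== 'string' || rawValue === '') {
    return { recorded: false, categories };
  }
  let parsed;
  try {
    parsed = JSON.parse(decodeURIComponent(rawValue));
  } catch (err) {
    return { recorded: false, categories };
  }
  if (parsed === null || typeof parsed !== 'object') {
    return { recorded: false, categories };
  }
  for (const c of CATEGORIES) categories[c] = parsed[c] === true;
  return { recorded: true, categories };
}

// Decide which script descriptors may run. A descriptor without a category is
// strictly necessary and always loads; everything else needs its category accepted.
function selectScripts(scripts, consent) {
  return scripts.filter((s) => s.category === null || consent.categories[s.category] === true);
}

// Browser side: replace the allowed inert <script type="text/plain"> elements
// with executable ones. Returns how many were activated.
function activateScripts(doc, consent) {
  const inert = Array.from(doc.querySelectorAll('script[type="text/plain"][data-consent-category]'));
  const descriptors = inert.map((el) => ({ el, category: el.dataset.consentCategory, src: el.getAttribute('src') }));
  const allowed = selectScripts(descriptors, consent);
  for (const { el, src } of allowed) {
    const live = doc.createElement('script');
    if (src) live.src = src; else live.textContent = el.textContent;
    el.replaceWith(live);
  }
  return allowed.length;
}

// Constructed page inventory for the offline demo (not a real site).
const PAGE_SCRIPTS = [
  { src: '/js/app.js', category: null },                                  // strictly necessary
  { src: 'https://analytics.example/collect.js', category: 'analytics' },
  { src: 'https://ads.example/pixel.js', category: 'marketing' },
];

// Two visits: a first visit with no record, then a return after the user accepted analytics only.
function demo() {
  const noChoice = parseConsent(readCookie('sid=abc123', CONSENT_COOKIE));
  const stored = encodeURIComponent(JSON.stringify({ analytics: true, marketing: false }));
  const afterChoice = parseConsent(readCookie(`sid=abc123; ${CONSENT_COOKIE}=${stored}`, CONSENT_COOKIE));
  return {
    firstVisit: selectScripts(PAGE_SCRIPTS, noChoice).map((s) => s.src),
    afterChoice: selectScripts(PAGE_SCRIPTS, afterChoice).map((s) => s.src),
  };
}

if (typeof document !== 'undefined') {
  // In a real page this runs on DOMContentLoaded and again when the user saves a choice.
  activateScripts(document, parseConsent(readCookie(document.cookie, CONSENT_COOKIE)));
} else {
  console.log(JSON.stringify(demo(), null, 2));
}
```

The important design decision is that `parseConsent` fails closed: every path that is not a well-formed record with a literal `true` for a category returns that category as blocked, which is exactly the "no action means no cookies" behaviour the opt-in model demands. When the user later saves a choice, the same `activateScripts` routine is run again against the updated cookie, so consent recorded mid-session takes effect without a reload.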
The Opt-out Model
Under the opt-out model, cookies can be placed by default. The user has the right to refuse or opt out, but unless they take action, tracking is permitted. This is the model used in the United States and several other jurisdictions.
How Opt-out Works in Practice
- User visits the website.
- All cookies — including analytics and marketing cookies — are placed immediately.
- A notice informs the user that cookies are in use and provides a way to opt out.
- If the user takes no action, cookies remain active.
- If the user opts out, their preferences are respected going forward (and in some jurisdictions, previously collected data may need to be deleted).
Legal Basis
The opt-out model is found in:
- CCPA/CPRA (California): California consumers have the right to opt out of the "sale" or "sharing" of personal information. Cookies used for cross-context behavioral advertising constitute "sharing" under CPRA. The obligation is to provide an opt-out mechanism (often via a "Do Not Sell or Share My Personal Information" link), not to obtain prior consent.
- FTC Act Section 5 and FTC guidance: There is no federal US law that specifically requires consent for cookies. The federal approach to online tracking has historically been notice-and-choice, enforced as an unfair or deceptive practice when a site's actual behaviour contradicts its privacy notice. (The CAN-SPAM Act, sometimes cited in this context, governs commercial email rather than web tracking.)
- Various US state laws: Virginia (VCDPA), Colorado (CPA), Connecticut (CTDPA), and others follow variations of the opt-out model for targeted advertising and data sales.
Where Opt-out Applies
The United States (with variations by state), Canada (PIPEDA — though this may shift with proposed reforms), Australia (under the Privacy Act — also under review), and several other jurisdictions outside the EU/EEA.
Implications for Website Operators
- More data collection by default. Since cookies are placed unless the user objects, analytics and advertising data is more complete.
- Must provide a clear opt-out mechanism. Under CCPA/CPRA, this means a "Do Not Sell or Share My Personal Information" link that is easy to find and use.
- Must honor Global Privacy Control (GPC). California law requires businesses to treat the GPC browser signal as a valid opt-out request.
Detailed Comparison
| Aspect | Opt-in (EU/GDPR) | Opt-out (US/CCPA) |
|---|---|---|
| Default state | Cookies blocked until consent | Cookies active by default |
| User action required | Must act to allow cookies | Must act to stop cookies |
| Silence / inaction | No consent (no non-essential cookies) | Tracking permitted (cookies active) |
| Consent mechanism | Granular per-category choice | Opt-out link or toggle |
| Pre-checked boxes | Not permitted (Planet49 ruling) | Permitted (opt-out model) |
| Analytics impact | 30-50% data loss from non-consent | Minimal data loss (few opt out) |
| Withdrawal | As easy as giving consent (GDPR Art 7(3)) | Opt-out must be provided and easy to use; CCPA regulations require the opt-out path to be no longer or harder than the opt-in path |
| Children | Parental consent under 13-16 (varies) | COPPA applies to under-13s |
| Key regulation | ePrivacy Directive + GDPR | CCPA/CPRA + state laws |
| Maximum fines | EUR 20M or 4% global turnover | $7,500 per intentional violation (CCPA) |
Can You Use Different Models for Different Regions?
Yes, and many global websites do. This approach is called geo-targeted consent management. The website detects the visitor's location (typically via IP geolocation) and presents the appropriate consent model:
- EU/EEA/UK visitors: Opt-in model with granular consent.
- California visitors: Opt-out model with "Do Not Sell or Share" link.
- Other US visitors: Notice-only (depending on state law applicability).
- Other jurisdictions: Based on applicable local law.
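The regional dispatch described above, together with the Global Privacy Control requirement from the opt-out section, as an added example written for this article (not Passiro's code or any vendor's API). It resolves the effective consent state from three inputs: the region code the geolocation lookup returned, the visitor's recorded choice if any, and the GPC signal. Region codes, policy names and the shape of the stored choice are assumptions; `navigator.globalPrivacyControl` and the `Sec-GPC: 1` request header are the real browser- and server-side forms of the GPC signal.

```javascript
// Added example: resolve the effective consent state from the detected region,
// the visitor's recorded choice (if any) and the Global Privacy Control signal.
// Region codes, policy names and the stored-choice shape are assumptions.

const OPT_IN_REGIONS = new Set(['EU', 'EEA', 'UK']);
// US states whose laws require an opt-out for targeted advertising / sale or sharing.
const OPT_OUT_REGIONS = new Set(['US-CA', 'US-CO', 'US-CT', 'US-VA']);

// Map a region code to a consent policy. Unknown or undetermined locations fall
// back to opt-in: misclassifying an EU visitor as US means tracking without a
// legal basis, while the reverse error only costs some data.
function policyFor(region) {
  if (typeof region !== 'string' || region === '') return 'opt-in';
  if (OPT_IN_REGIONS.has(region)) return 'opt-in';
  if (OPT_OUT_REGIONS.has(region)) return 'opt-out';
  if (region.startsWith('US-')) return 'notice'; // no state consent law: notice only
  return 'opt-in';
}

// GPC arrives two ways: navigator.globalPrivacyControl in the browser, and the
// Sec-GPC: 1 request header on the server.
function gpcFromNavigator(nav) {
  return Boolean(nav && nav.globalPrivacyControl === true);
}
function gpcFromHeaders(headers) {
  const value = headers['sec-gpc'] !== undefined ? headers['sec-gpc'] : headers['Sec-GPC'];
  return String(value).trim() === '1';
}

// choice: null when the visitor has not acted, otherwise { analytics: bool, marketing: bool }.
// Returns which non-essential categories may run and whether the banner/notice must show.
function resolveConsent(region, choice, gpc) {
  const policy = policyFor(region);
  const state = { policy, analytics: false, marketing: false, showBanner: choice === null };

  if (policy === 'opt-in') {
    // Inaction is not consent: nothing runs until an affirmative per-category choice.
    if (choice !== null) {
      state.analytics = choice.analytics === true;
      state.marketing = choice.marketing === true;
    }
    return state;
  }

  // opt-out and notice regions: categories run by default until the visitor objects.
  state.analytics = choice === null || choice.analytics !== false;
  state.marketing = choice === null || choice.marketing !== false;

  // GPC is a valid opt-out of sale/sharing, so cross-context advertising stops.
  // California, Colorado and Connecticut require this; honouring it in every
  // non-opt-in region is a design choice in this example.
  if (gpc) state.marketing = false;
  return state;
}

// Constructed visitors for the offline demo. In the browser the call would be
// resolveConsent(detectedRegion, storedChoice, gpcFromNavigator(navigator)).
function demo() {
  return {
    euNoAction: resolveConsent('EU', null, false),
    euAnalyticsOnly: resolveConsent('EU', { analytics: true, marketing: false }, false),
    californiaDefault: resolveConsent('US-CA', null, false),
    californiaGpc: resolveConsent('US-CA', null, true),
    unknownLocation: resolveConsent(null, null, false),
    serverSideGpc: gpcFromHeaders({ 'sec-gpc': '1' }),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

Two properties are worth keeping when adapting this: the lookup fails closed (an undetermined region gets the opt-in policy), and GPC is evaluated as an input on every request rather than stored once, so a visitor who enables the signal after an earlier visit is honoured immediately.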
Challenges of Geo-targeting
- IP geolocation is not perfect. VPN and proxy users may be mislocated, and mobile users may move between jurisdictions mid-session. The two kinds of error are not symmetric: showing an EU visitor the opt-out experience means tracking without a legal basis, while showing a US visitor the opt-in banner only costs some data. When the location is unknown or ambiguous, fall back to the opt-in model.
- Maintenance burden. You need to track regulatory developments in every jurisdiction you serve and update your consent flows accordingly.
- Testing complexity. You must verify that each regional variant works correctly — different banners, different default states, different script blocking behavior.
- GDPR applies extraterritorially. If you target EU users (Article 3(2)), GDPR applies regardless of where your business is located. "Targeting" includes offering goods or services to EU residents or monitoring their behavior.
Best Practice: Default to Opt-in
If managing multiple consent models seems overwhelming, there is a simpler path: default to the opt-in model globally.
Here is why this works:
- Compliance everywhere. Opt-in satisfies the strictest consent requirement, so on the consent question it also meets CCPA, LGPD, and most other frameworks. It does not replace those laws' other obligations: a California audience still needs the notice at collection and, if marketing cookies are set after consent, the "Do Not Sell or Share My Personal Information" link.
- Simplicity. One consent mechanism, one implementation, one set of tests. No geo-detection, no regional variants, no edge cases.
- Future-proofing. The global trend is toward stricter consent requirements. India's Digital Personal Data Protection Act (2023) is consent-based, and proposed reforms in Canada and Australia, along with the newer US state laws, all move toward more explicit choice. Building for opt-in now means you will not need to retrofit later.
- User trust. Users worldwide respond positively to transparent, respectful consent practices. Offering genuine choice — even where the law does not strictly require it — builds trust and brand credibility.
- Data quality. Consented data is cleaner, more defensible, and more valuable than data collected through legal ambiguity.
The trade-off is real: you will collect less data globally. But the data you do collect will be legally sound, ethically clean, and increasingly valuable as third-party data becomes less accessible.
Emerging Developments
The consent landscape is not static. Several developments are worth monitoring:
- ePrivacy Regulation. The EU has been working on a replacement for the ePrivacy Directive since 2017, but the proposal has been stalled in negotiation for years. If adopted, it would be a directly applicable regulation (like GDPR) rather than a directive requiring national transposition, and the consent rules for cookies are expected to remain similar to or stricter than the current framework.
- Global Privacy Control (GPC). This browser-level signal communicates a user's privacy preferences automatically. California law already requires honoring GPC. Colorado and Connecticut do as well. This may become a standard mechanism for communicating opt-out preferences.
- Consent or Pay models. The EDPB's 2024 opinion on "consent or pay" (particularly in the context of Meta's approach) is shaping how regulators view the relationship between consent and access to services.
- Browser-level consent. Some proposals would move consent management from individual websites to the browser itself, with users setting their preferences once rather than on every site. This would fundamentally change how consent works in practice.
Passiro helps you implement the right consent model for your audience, with automatic detection and categorization of all cookies on your site — whether you choose opt-in, opt-out, or a geo-targeted approach.
For our final section, let's look at consent best practices — the practical, actionable guidance for implementing consent that is both compliant and user-friendly.