Opt In & Opt Out Consent Software for CCPA and U.S. Businesses
Businesses are going to need to adopt privacy software for opt in and opt out consent for compliance with the wave of new privacy laws in the United States, including the California Consumer Privacy Act (CCPA). As a result of the Facebook – Cambridge Analytica scandal, the European Union General Data Protection Regulation (GDPR), and California’s new privacy law, companies will need to track consumer consent and preferences for privacy online on a larger scale than ever before.
There is still some time until comprehensive privacy legislation will go into effect in the United States. California is likely to be the soonest with an effective date for the start of compliance of January 1, 2020 and an unknown later deadline for the start of enforcement by the California Attorney General – as late as July 1, 2020. The White House privacy proposal has not even been announced yet; it has been suggested that the preliminary proposal would be released by Fall 2018 but that did not happen in any meaningful way. Instead, NIST is working on a voluntary Privacy Framework and NTIA is soliciting feedback for a potential law. There are also a variety of Congressional proposals that have been introduced into the U.S. House and Senate.
Nevertheless, the contours of the proposals so far suggest that it could involve a substantial increase in consent management for most tech and online businesses.
California businesses already have a preview of what they must do in the future concerning this issue. The California privacy law – CCPA – provides for the ability to opt out of the sale of personal information for individuals 16 years of age or older while requiring businesses to gather opt-in consent for children younger than 16 years old from either the child (if they are 13+ years old) or from their parent or guardian.
Businesses that decide to buy a solution could take one of two approaches with privacy software. They could use a limited solution for each new law that pops up internationally and domestically, or they could use an enterprise consent management solution to track all of the consents for their email, SMS and other marketing as well as their opt ins and opt outs for privacy compliance. The latter would be more robust but involve greater configuration at the outset. The former would likely be cheaper at the beginning but more expensive in the long run.
It will also be critical for businesses to have an automated process to obtain reconsent from individuals if they decide to opt out at some point. Email marketing has historically treated customers who opt out of a list as lost. Individuals would only opt back in if they had another interaction with the company where they reversed their decision. However, companies that are handling their customers’ data privacy are likely to have an ongoing relationship with the individual and could obtain reconsent more easily. That is probably one reason that the California law says that the company must honor the consumer’s decision to opt out for one year. The easiest solution for businesses will be to automate the reconsent request, and this should be baked into the consent management software.
Businesses might also decide to adopt a wide range of other privacy software modules beyond consent in order to fulfill their compliance needs. But that is beyond the scope of this page. Instead, let’s take a deeper look at how opt in and opt out work.
What is Opt In?
An example of an implied opt-in involves the use of an email address for a business communication when the primary purpose for which the company received that email address was not to send the email at hand. For example, a consumer might give an email address to a company to receive a white paper. The business might contend that it was an implied opt-in for other marketing communications about the software that the company is trying to sell with the white paper.
Express consent involves explicitly asking for and receiving permission to engage in the practice. For example, if the white paper contact form had an additional box that offered to subscribe the individual to the company’s email newsletter if the consumer checks the box, then the checking of the box and the submission of the form would be an example of opt-in consent.
What is Opt Out?
Opt out reverses the natural order of the permission. The individual is or will be subscribed unless they take an action. For example, an opt out would be a box on the white paper form that said: “You will be subscribed to our email newsletter unless you check the box to opt out.” Another example would be the unsubscribe link at the bottom of an email. The individual has been subscribed to the newsletter but has the right to stop receiving it by following the unsubscribe instructions.
Opt in and opt out requests have long been found in the domain of permission-based marketing.
The Telephone Consumer Protection Act of 1991 (TCPA) required companies soliciting over the phone to maintain a list of people who did not want to be contacted. It was known as a “do-not-call” list, maintained by each company, and it was to be honored for five years. The National Do Not Call Registry centralized the process so that one list is maintained for the entire nation, resulting from the Do-Not-Call Implementation Act of 2003.
Opt out was brought into email marketing around the time of the CAN-SPAM Act, which established certain rules for commercial email and gave recipients the right to have businesses stop sending them messages. Following the law, companies must provide a visible unsubscribe mechanism in emails and honor opt-out requests within a certain period of time.
However, opt in and opt out have not been exclusive to marketing in the United States. The Children’s Online Privacy Protection Act (COPPA) requires opt-in from parents or guardians before collecting personal information online for children. It was originally enacted by Congress in 1998 and went into effect on April 21, 2000.
The Privacy Law Debate Over Opt In vs Opt Out
Much of the debate over a new federal privacy law in the United States has revolved around the question of what type of protections should be offered. The European Union in the General Data Protection Regulation (GDPR) decided that opt in consent for data collection, processing and sharing was the best model to protect the privacy of EU citizens. California, on the other hand, decided that the right to opt out was sufficient to protect adults against the dangers of the sale of their personal information.
The debate over whether opt in or opt out is more appropriate is at the heart of the questions being considered by the federal government. Opt in consent is considered the toughest for businesses to obtain. The scope of such consent is also difficult to manage. The text of the GDPR would suggest that any reliance on consent should involve an individual opt in to each case of data processing rather than a broad opt in. If the opt in is broad, is the consent really informed and better than the current system of privacy?
Opt out consent is easier for business compliance but largely puts responsibility for maintaining privacy squarely on the consumer. That may work well for some types of data that are not particularly significant, but could pose privacy concerns for more sensitive personal information. It is for this reason that some of the laws that Congress is considering define sensitive personal information and other non-sensitive personal information.
Implications for Privacy Software
The Clarip consent management software is built to handle both opt in and opt out consent so only small modifications should be needed to handle any particular case. For a demo of the software, please call 1-888-252-5653.