Due to the exponential expansion of the Internet accompanied by the emergence of data-driven technologies in the past decade, the privacy of users in digital space has come under scrutiny many times in the last few years. Most recently, the vigilant organizations, as well as, advocates of the right to privacy raised their voices to address the matter of consent. Therefore, lawmakers have focused their attention to provide individuals the control over how information about them is collected, used, and shared.

The call for the protection of the privacy of consumers in the digital space has made the governments include the principles of choice, access, and security in international laws. These laws include European Union's General Data Protection and Regulation (GDPR) which was introduced in 2018. The debate while framing these laws has always centered around the appropriate consent standard to allow individuals to express their consent. Thus, two standards were proposed namely Opt-in and Opt-out, respectively.

Difference between Opt-in and Opt-out

Opt-in means that the user is willing to take action to offer their consent for data collection or any other services that the website/technology wishes to offer. Opt-in is generally implemented through the use of empty checkboxes or action buttons on the application and selecting them indicates that the user is willing to accept the offer.

Opt-out means that the user is not interested in and will take action to withdraw their consent from participating or accepting services that the technology provides. Opt-out is generally implemented through a preemptive opt-out or undo a confirmation and deselecting them indicates that the user does not wish to accept the activity the platform is presenting them.

Where to use Opt-in and Opt-out?

The aforementioned strategies have their own utility in certain situations, and inclusion of both is necessary to remain compliant with privacy laws hence,

Opt-in should be used in:

• When you outline legal policies: It is always beneficial to get consent to legal policies as well as terms and conditions through opt-ins.
• You wish to collect data from users: Collection of information of users mandates you to present an opt-in by the law, failing to do so will result in monetary penalties. One such example is GDPR who imposed a fine on Google worth EUR 50 million back in 2019 on grounds of violation of their policy.
• You use cookies to provide personalized content: When implementing this form of opt-in, always keep in mind that users should always be given the chance to consent to certain types of cookies, and the best practice is through the use of a cookie consent banner.

An example of Opt-in could be:

[caption id="attachment_134130" align="aligncenter" width="399"] (fig 1: The options dictate how you would like to share data to Microsoft during installation of Windows 10 to provide personalized experiences)[/caption]

Opt-out should be used in:

• You want to send electronic newsletters or marketing emails: If you send newsletters to your user or marketing emails, it is mandated by the law that you include an opt-out link in every email.
• You wish to share data with 3rd Party sources: If your platform shares the user's data with 3rd party sources for personalization or analytics, you are mandated by the law to present an opt-out.

An example of Opt-out could be:

[caption id="attachment_134131" align="aligncenter" width="400"] (fig 2: End of marketing email sent to my personal email address by Rapido)[/caption]

Conclusion

Both opt-in and opt-out schemes emphasize giving control to users in data and privacy-related scenarios for online services, and any organization that wishes to remain compliant with these laws will need to employ both methods. Also, wherever an opt-in is implemented, an opt-out should be present as a counterpart so that users can withdraw their consent at any time.

Written By: Mridul Wadhwa, Sem VI student of B.Tech in CSE with Specialization in Cyber Security and Forensics.