Opt-in explained
Opt-in is a consent model requiring individuals to actively agree before data is collected or used, the standard required by GDPR, ePrivacy, and similar regulations worldwide.
Opt-in is a consent model requiring individuals to actively agree before data is collected or used, the standard required by GDPR, ePrivacy, and similar regulations worldwide.
Concept | Explicit, proactive consent before data collection or use |
Purpose | To ensure individuals actively agree before their data is processed |
Applies to | Cookies, marketing communications, app permissions, and data sharing |
Consent method | Clicking “Accept,” checking an unchecked box, or actively granting permission |
Key principle | No pre-checked boxes, no assumed consent, no action equals no consent |
Related frameworks | GDPR, ePrivacy Directive, CCPA/CPRA, and other national privacy laws |
Opt-in is a consent model in data privacy that requires individuals to take a deliberate action to agree to the collection, processing, or use of their personal data before it occurs.
Under an opt-in model, data collection or processing does not begin until the individual actively signals their agreement, such as clicking “Accept all” on a cookie banner or checking an unchecked subscription box.
Opt-in consent is the standard required by strict privacy regulations such as the GDPR, where consent must be freely given, specific, informed, and unambiguous. It contrasts with opt-out models, where data collection begins by default, and the individual must take action to stop it.
The meaning of opt-in centres on explicit, informed consent. Consent cannot be inferred from silence, pre-ticked boxes, or inaction.
For consent to qualify as opt-in under data privacy law, it must be:
Actively given by the individual
Based on clear information about what data is collected and why
Specific to a defined purpose
Revocable at any time
Opt-in applies across a wide range of data processing activities, including tracking cookies, email marketing, app permissions, and data sharing with third parties.
The term “opted in” refers to the state of having already given that consent, meaning data processing is permitted for that individual until they withdraw.
Opt-in consent follows a defined process that supports obtaining the individual’s genuine and legally valid agreement.
Present a clear, specific request. Before any data is collected, the organisation presents the individual with an explicit request. This must describe what data will be collected, for what purpose, and who will have access to it.
Require a positive, unbundled action. The individual must take an affirmative step to consent, such as clicking an “Accept” button or checking an unchecked checkbox. Consent cannot be bundled with acceptance of terms and conditions and cannot be pre-selected.
Record the consent event. Once given, the consent must be recorded with a timestamp, the version of the consent notice shown, and the specific purposes consented to. This record is required for accountability under GDPR Article 5(2).
Enable easy withdrawal. Individuals must be able to withdraw consent at any time, and it must be as easy to withdraw as it was to give. Consent preference centres or account settings typically handle this.
Honour the preference across systems. Once consent is given or withdrawn, the preference must propagate to all downstream systems, analytics platforms, advertising tools, CRM systems, and third-party processors. Consent management platforms (CMPs) handle this technically through signals such as TCF strings and Google Consent Mode parameters.
Opt-in | Opt-out | |
|---|---|---|
Default state | No data collected until consent given | Data collected by default |
User action required | To start data collection | To stop data collection |
Privacy standard | High, explicit agreement required | Lower, assumed consent unless objected |
Applicable regulation | GDPR, ePrivacy Directive, PECR | CCPA/CPRA (some uses) |
Cookie consent | Required for non-essential cookies in the EU | Not sufficient under GDPR |
Email marketing | Required in the EU (PECR/ePrivacy) | Allowed in some US contexts |
Burden on the individual | Low, nothing happens without agreement | Higher, must act to avoid data use |
Proof of consent | The organisation must hold a consent record | The organisation must show opt-out option is available |
In plain terms: Opt-in puts privacy first by default. Opt-out puts data collection first by default. Regulatory direction globally is moving towards opt-in, even in jurisdictions that historically relied on opt-out.
Yes, where consent is the chosen legal basis for processing. The GDPR does not mandate that organisations use consent as their legal basis for every data activity, but where they do, the consent must meet opt-in standards under Article 7 and Recital 32.
The GDPR also mandates opt-in consent specifically for non-essential cookies and tracking technologies under the ePrivacy Directive, which applies to any organisation targeting users in the EU.
Regulation | Maximum penalty |
|---|---|
€20 million or 4% of global annual turnover, whichever is higher | |
ePrivacy Directive / PECR (UK) | Up to £500,000 (ICO); enforcement actions ongoing |
$2,500 per unintentional violation; $7,500 per intentional violation | |
DMA (EU Digital Markets Act) | Up to 10% of the global annual turnover for gatekeepers |
Opt-in consent under GDPR specifically helps organisations meet:
Article 6: lawful basis for processing (consent)
Article 7: conditions for consent (freely given, specific, informed, unambiguous)
Article 9: explicit consent for processing special categories of personal data
Article 17: right to erasure (data must be deleted if consent is withdrawn)
Article 5(2): accountability (organisations must demonstrate compliance)
Recital 32: confirmation that pre-ticked boxes do not constitute consent
The GDPR and California's CCPA/CPRA use different consent frameworks. Understanding the distinction matters for organisations operating across both jurisdictions.
GDPR (EU) | CCPA/CPRA (California) | |
|---|---|---|
Default model | Opt-in required for consent-based processing | Opt-out for sale/sharing of personal data |
Cookies | Opt-in required for non-essential cookies | No explicit opt-in requirement for cookies |
Marketing | Opt-in required before sending marketing communications | Opt-out right (Do Not Sell/Share) must be provided |
Children's data | Opt-in required; parental consent under 16 | Opt-in required for under-16s |
Withdrawal | Must be as easy as giving consent | Right to opt out at any time |
Consent records | Organisation must hold and demonstrate consent records | Opt-out requests must be honoured within 15 business days |
Organisations targeting both EU and US users often implement an opt-in approach globally as the safest compliance baseline, since it satisfies GDPR requirements and exceeds the CCPA minimum opt-out standard.
Opt-in consent appears across many common digital interactions:
Cookie banners: Requiring users to click “Accept all” or select specific categories, rather than allowing tracking by default. Under GDPR and ePrivacy, a pre-ticked “Accept” or a banner with no reject option does not constitute a valid opt-in.
Email marketing subscriptions: Presenting an unchecked checkbox for newsletter sign-ups. Double opt-in (confirming via a follow-up email) is considered best practice and provides stronger proof of consent.
App permissions: Requesting access to location, camera, microphone, or contacts before activating a feature, not as a condition of downloading the app.
Data sharing agreements: Asking users to confirm before their data is shared with third-party advertisers, analytics providers, or partners.
Push notifications: Requesting permission before sending browser or mobile notifications.
In each case, no data processing begins until the user takes a clear, affirmative action.
Scenario | Expected behaviour | Technical outcome |
|---|---|---|
User closes cookie banner without accepting | Non-essential cookies must not be set | No analytics, advertising, or tracking scripts should fire |
User declines marketing consent | No marketing emails should be sent | Contact must not be added to marketing lists |
User withdraws consent after opting in | Data collected under that consent must cease to be processed | Downstream systems (CRM, ad platforms) must be notified |
User does not respond to app permission request | A feature requiring permission must not activate | Default state treated as non-consent |
A compliant opt-in process requires more than a button. Organisations need:
Granular consent options: Users should be able to consent to specific purposes (analytics, personalisation, advertising) separately
Plain-language notices: Consent requests must be written in clear, accessible language, not buried in legal text
No consent walls: Access to a service cannot generally be made conditional on consenting to non-essential processing
Timestamp and version logging: Each consent event must be recorded with the date, time, and version of the consent notice shown
Preference centre: Users must be able to review and update their consent preferences at any time
Withdrawal mechanism: Withdrawing consent must be as simple as giving it, typically via the same preference centre
Proof of consent storage: Records must be retained and producible for regulatory audit
Cross-system propagation: Consent signals must reach all tools and processors that depend on them
Opt-in consent is one component of a wider digital compliance framework. Organisations typically need to address multiple related areas alongside their consent mechanism.
Compliance area | What it covers | Relationship to opt-in |
|---|---|---|
Cookie consent | Non-essential tracking cookies | Opt-in is required before cookies fire |
Consent management platform (CMP) | Technical infrastructure for collecting and storing consent | The mechanism through which opt-in is collected and logged |
Data privacy | Overall framework for personal data handling | Opt-in is one of six GDPR lawful bases for processing |
GDPR compliance | EU data protection regulation | Sets the legal standard that opt-in must meet |
Email compliance (PECR / CAN-SPAM) | Marketing communication rules | Requires opt-in consent before sending in most jurisdictions |
Opt-out | The alternative consent model | Relevant for CCPA compliance and providing withdrawal rights |
Clym provides a unified digital compliance platform that combines cookie consent management, consent storage, preference centres, and privacy rights handling in a single solution, supporting organisations in implementing compliant opt-in across all channels. See how Clym’s Consent Management Platform supports consent collection and preference management.
Opt-in is a consent model that requires individuals to actively agree before their personal data is collected, processed, or used. No data collection occurs until the individual takes a clear, affirmative action, such as clicking “Accept” or checking an unchecked box.
“Opted in” means an individual has already given their explicit consent. They have taken an active step to agree to a specific data processing activity, and that agreement is on record. Data processing may proceed unless and until they withdraw.
Opt-in requires action before data collection begins, nothing happens without agreement. Opt-out allows data collection by default, requiring individuals to take action to stop it. Opt-in is the higher privacy standard and is required by GDPR; opt-out is more common under US regulations such as the CCPA.
Yes, where an organisation uses consent as its legal basis for processing personal data. GDPR Article 7 requires that consent be freely given, specific, informed, and unambiguous, meaning opt-in is the only approach that qualifies. Pre-ticked boxes and implied agreement do not meet the standard.
A valid opt-in requires a clear affirmative action (clicking “Accept” or checking an unchecked box), a plain-language explanation of what data will be collected and why, and a recorded consent event. It must be unbundled from other agreements, not be a precondition of service, and be as easy to withdraw as it was to give.
No. Under GDPR Recital 32, pre-ticked boxes do not constitute valid consent. The individual must make an active choice. Using pre-checked boxes for cookie consent or marketing sign-ups has resulted in regulatory enforcement across the EU.
Yes. Under the ePrivacy Directive, and its national implementations such as the UK's PECR, opt-in consent is required before placing non-essential cookies (analytics, advertising, tracking) on a user's device. Essential cookies required for the site to function are exempt.
In marketing, an opt-in model means individuals must actively subscribe or give permission before receiving marketing communications, emails, SMS, push notifications, or targeted ads. This is required under PECR and the ePrivacy Directive for EU users and is considered best practice globally. It results in higher-quality, more engaged audiences compared to opt-out lists.