Clym Logo

Opt-in

Published
Updated
AS
AuthorAdam Safar

Opt-in explained

Opt-in is a consent model requiring individuals to actively agree before data is collected or used, the standard required by GDPR, ePrivacy, and similar regulations worldwide.

Summarize full article with:

What does opt-in mean? Opt-in is a data privacy model that requires individuals to take an explicit, affirmative action before their personal data is collected or used. Under GDPR and the ePrivacy Directive, opt-in consent is the legally required standard; silence, inaction, and pre-ticked boxes do not count. An individual must actively agree, and that agreement must be specific, informed, and freely given.

Key facts about opt-in

Concept

Explicit, proactive consent before data collection or use

Purpose

To ensure individuals actively agree before their data is processed

Applies to

Cookies, marketing communications, app permissions, and data sharing

Consent method

Clicking “Accept,” checking an unchecked box, or actively granting permission

Key principle

No pre-checked boxes, no assumed consent, no action equals no consent

Related frameworks

GDPR, ePrivacy Directive, CCPA/CPRA, and other national privacy laws

What is opt-in?

Opt-in is a consent model in data privacy that requires individuals to take a deliberate action to agree to the collection, processing, or use of their personal data before it occurs.

Under an opt-in model, data collection or processing does not begin until the individual actively signals their agreement, such as clicking “Accept all” on a cookie banner or checking an unchecked subscription box.

Opt-in consent is the standard required by strict privacy regulations such as the GDPR, where consent must be freely given, specific, informed, and unambiguous. It contrasts with opt-out models, where data collection begins by default, and the individual must take action to stop it.

Opt-in meaning

The meaning of opt-in centres on explicit, informed consent. Consent cannot be inferred from silence, pre-ticked boxes, or inaction.

For consent to qualify as opt-in under data privacy law, it must be:

  • Actively given by the individual

  • Based on clear information about what data is collected and why

  • Specific to a defined purpose

  • Revocable at any time

Opt-in applies across a wide range of data processing activities, including tracking cookies, email marketing, app permissions, and data sharing with third parties.

The term “opted in” refers to the state of having already given that consent, meaning data processing is permitted for that individual until they withdraw.

How does opt-in work?

Opt-in consent follows a defined process that supports obtaining the individual’s genuine and legally valid agreement.

  1. Present a clear, specific request. Before any data is collected, the organisation presents the individual with an explicit request. This must describe what data will be collected, for what purpose, and who will have access to it.

  2. Require a positive, unbundled action. The individual must take an affirmative step to consent, such as clicking an “Accept” button or checking an unchecked checkbox. Consent cannot be bundled with acceptance of terms and conditions and cannot be pre-selected.

  3. Record the consent event. Once given, the consent must be recorded with a timestamp, the version of the consent notice shown, and the specific purposes consented to. This record is required for accountability under GDPR Article 5(2).

  4. Enable easy withdrawal. Individuals must be able to withdraw consent at any time, and it must be as easy to withdraw as it was to give. Consent preference centres or account settings typically handle this.

  5. Honour the preference across systems. Once consent is given or withdrawn, the preference must propagate to all downstream systems, analytics platforms, advertising tools, CRM systems, and third-party processors. Consent management platforms (CMPs) handle this technically through signals such as TCF strings and Google Consent Mode parameters.

Opt-in vs opt-out: what is the difference?

Opt-in

Opt-out

Default state

No data collected until consent given

Data collected by default

User action required

To start data collection

To stop data collection

Privacy standard

High, explicit agreement required

Lower, assumed consent unless objected

Applicable regulation

GDPR, ePrivacy Directive, PECR

CCPA/CPRA (some uses)

Cookie consent

Required for non-essential cookies in the EU

Not sufficient under GDPR

Email marketing

Required in the EU (PECR/ePrivacy)

Allowed in some US contexts

Burden on the individual

Low, nothing happens without agreement

Higher, must act to avoid data use

Proof of consent

The organisation must hold a consent record

The organisation must show opt-out option is available

In plain terms: Opt-in puts privacy first by default. Opt-out puts data collection first by default. Regulatory direction globally is moving towards opt-in, even in jurisdictions that historically relied on opt-out.

Is opt-in required under GDPR?

Yes, where consent is the chosen legal basis for processing. The GDPR does not mandate that organisations use consent as their legal basis for every data activity, but where they do, the consent must meet opt-in standards under Article 7 and Recital 32.

The GDPR also mandates opt-in consent specifically for non-essential cookies and tracking technologies under the ePrivacy Directive, which applies to any organisation targeting users in the EU.

Compliance penalty table

Regulation

Maximum penalty

€20 million or 4% of global annual turnover, whichever is higher

ePrivacy Directive / PECR (UK)

Up to £500,000 (ICO); enforcement actions ongoing

$2,500 per unintentional violation; $7,500 per intentional violation

DMA (EU Digital Markets Act)

Up to 10% of the global annual turnover for gatekeepers

Opt-in consent under GDPR specifically helps organisations meet:

  • Article 6: lawful basis for processing (consent)

  • Article 7: conditions for consent (freely given, specific, informed, unambiguous)

  • Article 9: explicit consent for processing special categories of personal data

  • Article 17: right to erasure (data must be deleted if consent is withdrawn)

  • Article 5(2): accountability (organisations must demonstrate compliance)

  • Recital 32: confirmation that pre-ticked boxes do not constitute consent

Opt-in under GDPR vs CCPA: key differences

The GDPR and California's CCPA/CPRA use different consent frameworks. Understanding the distinction matters for organisations operating across both jurisdictions.

GDPR (EU)

CCPA/CPRA (California)

Default model

Opt-in required for consent-based processing

Opt-out for sale/sharing of personal data

Cookies

Opt-in required for non-essential cookies

No explicit opt-in requirement for cookies

Marketing

Opt-in required before sending marketing communications

Opt-out right (Do Not Sell/Share) must be provided

Children's data

Opt-in required; parental consent under 16

Opt-in required for under-16s

Withdrawal

Must be as easy as giving consent

Right to opt out at any time

Consent records

Organisation must hold and demonstrate consent records

Opt-out requests must be honoured within 15 business days

Organisations targeting both EU and US users often implement an opt-in approach globally as the safest compliance baseline, since it satisfies GDPR requirements and exceeds the CCPA minimum opt-out standard.

Common examples of opt-in consent

Opt-in consent appears across many common digital interactions:

  • Cookie banners: Requiring users to click “Accept all” or select specific categories, rather than allowing tracking by default. Under GDPR and ePrivacy, a pre-ticked “Accept” or a banner with no reject option does not constitute a valid opt-in.

  • Email marketing subscriptions: Presenting an unchecked checkbox for newsletter sign-ups. Double opt-in (confirming via a follow-up email) is considered best practice and provides stronger proof of consent.

  • App permissions: Requesting access to location, camera, microphone, or contacts before activating a feature, not as a condition of downloading the app.

  • Data sharing agreements: Asking users to confirm before their data is shared with third-party advertisers, analytics providers, or partners.

  • Push notifications: Requesting permission before sending browser or mobile notifications.

In each case, no data processing begins until the user takes a clear, affirmative action.

What happens when a user does not opt in?

Scenario

Expected behaviour

Technical outcome

User closes cookie banner without accepting

Non-essential cookies must not be set

No analytics, advertising, or tracking scripts should fire

User declines marketing consent

No marketing emails should be sent

Contact must not be added to marketing lists

User withdraws consent after opting in

Data collected under that consent must cease to be processed

Downstream systems (CRM, ad platforms) must be notified

User does not respond to app permission request

A feature requiring permission must not activate

Default state treated as non-consent

Key features of a modern opt-in mechanism

A compliant opt-in process requires more than a button. Organisations need:

  • Granular consent options: Users should be able to consent to specific purposes (analytics, personalisation, advertising) separately

  • Plain-language notices: Consent requests must be written in clear, accessible language, not buried in legal text

  • No consent walls: Access to a service cannot generally be made conditional on consenting to non-essential processing

  • Timestamp and version logging: Each consent event must be recorded with the date, time, and version of the consent notice shown

  • Preference centre: Users must be able to review and update their consent preferences at any time

  • Withdrawal mechanism: Withdrawing consent must be as simple as giving it, typically via the same preference centre

  • Proof of consent storage: Records must be retained and producible for regulatory audit

  • Cross-system propagation: Consent signals must reach all tools and processors that depend on them

Opt-in as part of a broader digital compliance strategy

Opt-in consent is one component of a wider digital compliance framework. Organisations typically need to address multiple related areas alongside their consent mechanism.

Compliance area

What it covers

Relationship to opt-in

Cookie consent

Non-essential tracking cookies

Opt-in is required before cookies fire

Consent management platform (CMP)

Technical infrastructure for collecting and storing consent

The mechanism through which opt-in is collected and logged

Data privacy

Overall framework for personal data handling

Opt-in is one of six GDPR lawful bases for processing

GDPR compliance

EU data protection regulation

Sets the legal standard that opt-in must meet

Email compliance (PECR / CAN-SPAM)

Marketing communication rules

Requires opt-in consent before sending in most jurisdictions

Opt-out

The alternative consent model

Relevant for CCPA compliance and providing withdrawal rights

Clym provides a unified digital compliance platform that combines cookie consent management, consent storage, preference centres, and privacy rights handling in a single solution, supporting organisations in implementing compliant opt-in across all channels. See how Clym’s Consent Management Platform supports consent collection and preference management.

Related terms

Commonly asked questions

Opt-in is a consent model that requires individuals to actively agree before their personal data is collected, processed, or used. No data collection occurs until the individual takes a clear, affirmative action, such as clicking “Accept” or checking an unchecked box.

“Opted in” means an individual has already given their explicit consent. They have taken an active step to agree to a specific data processing activity, and that agreement is on record. Data processing may proceed unless and until they withdraw.

Opt-in requires action before data collection begins, nothing happens without agreement. Opt-out allows data collection by default, requiring individuals to take action to stop it. Opt-in is the higher privacy standard and is required by GDPR; opt-out is more common under US regulations such as the CCPA.

Yes, where an organisation uses consent as its legal basis for processing personal data. GDPR Article 7 requires that consent be freely given, specific, informed, and unambiguous, meaning opt-in is the only approach that qualifies. Pre-ticked boxes and implied agreement do not meet the standard.

A valid opt-in requires a clear affirmative action (clicking “Accept” or checking an unchecked box), a plain-language explanation of what data will be collected and why, and a recorded consent event. It must be unbundled from other agreements, not be a precondition of service, and be as easy to withdraw as it was to give.

No. Under GDPR Recital 32, pre-ticked boxes do not constitute valid consent. The individual must make an active choice. Using pre-checked boxes for cookie consent or marketing sign-ups has resulted in regulatory enforcement across the EU.

Yes. Under the ePrivacy Directive, and its national implementations such as the UK's PECR, opt-in consent is required before placing non-essential cookies (analytics, advertising, tracking) on a user's device. Essential cookies required for the site to function are exempt.

In marketing, an opt-in model means individuals must actively subscribe or give permission before receiving marketing communications, emails, SMS, push notifications, or targeted ads. This is required under PECR and the ePrivacy Directive for EU users and is considered best practice globally. It results in higher-quality, more engaged audiences compared to opt-out lists.

Adam Safar

Head of Digital Marketing

Adam is the Head of Digital Marketing at Clym, where he leverages his diverse expertise in marketing to support businesses with their compliance needs and drive awareness about data privacy and web accessibility. As one of the company’s original team members, Adam has been instrumental in shaping its journey from the very beginning. When he’s not diving into marketing strategies, Adam can be found cheering on his favorite sports teams or enjoying fishing.

Find out more about Adam