Opt-in and opt-out are the two consent models for cookie and data collection. Opt-in requires a user to act before any non-essential data is collected; it is the default under GDPR and UK law. Opt-out defaults to collection and lets users stop it; it is the model most US state laws use. For most multi-region sites, the right answer is both, served by visitor location.
Below: what each model means, the laws that require each one, a side-by-side comparison, and how to implement the right model for your audience.
Opt-In vs Opt-Out Consent: What's the Difference?
The difference between opt-in and opt-out consent is the default state. Opt-in defaults to "nothing collected" until the user acts. Opt-out defaults to "collection running" until the user stops it. The user's action determines whether data flows, but the starting position is opposite.
Both models apply to website data consent, covering consent management for cookies, trackers, and personal data processing. They are also used in email marketing and healthcare research, but those contexts operate under different rules. This page covers the website and data-collection context only.
What Is Opt-In Consent?
Opt-in consent means a user must take a clear, affirmative action before any non-essential data collection begins. Nothing is collected by default. The user's active agreement is required first.
GDPR Art 4(11) requires a clear affirmative action for valid consent. Consent must be a freely given, specific, informed, and unambiguous indication of the user's wishes. Inferred consent does not meet that bar. (Confidence: High.)
How Opt-In Consent Works
An opt-in banner works through four steps.
- The page loads. All non-essential cookies and scripts are blocked.
- A consent banner appears, presenting "Accept" and "Decline" (or granular category toggles).
- The user clicks Accept or enables specific categories.
- Only then do the permitted scripts fire. Consent is logged with a timestamp.
Scripts and pixels remain blocked until the user acts. If the user closes the banner without choosing, no non-essential data is collected.
Where Opt-In Consent Is Required
Opt-in consent is required in the following jurisdictions.
- EU and EEA: GDPR (data processing) and the ePrivacy Directive (non-essential cookies) both require opt-in consent. The ePrivacy Directive is the specific legal basis for cookie consent in the EU.
- United Kingdom: UK GDPR mirrors the GDPR standard. The ICO states: "Consent requires a positive opt-in. Don't use pre-ticked boxes or any other method of default consent." (Confidence: High.)
- Brazil: The LGPD follows an opt-in model similar to GDPR for consent-based processing. (Confidence: Medium, iubenda secondary; LGPD primary statute not fetched this session.)
See the jurisdiction table in "Which Privacy Laws Require Opt-In vs Opt-Out?" for a fuller regional map.
Limitations of Opt-In Consent
Opt-in consent carries three genuine tradeoffs.
- Lower data yield. Only users who actively accept are tracked. A GDPR-compliant banner with a clear reject option typically collects consent from 40% to 70% of visitors, leaving the rest outside your measurement layer.
- Consent fatigue risk. Repeated prompts across visits frustrate users, especially when banners appear on every page load in frameworks with short consent expiry.
- Tag-blocking engineering. Every non-essential script must be blocked before consent and conditionally fired afterward. Google Tag Manager's consent mode, or a CMP that auto-blocks, handles this, but it requires correct setup.
What Is Opt-Out Consent?
Opt-out consent means data collection begins by default. The user is given a clear way to stop it. Processing runs until the user exercises their right to opt out.
Under the CCPA, consumers are assumed to have consented unless they exercise their right to opt out of sale or sharing of personal information. (Confidence: High.) The opt-out model is the default framework for most US state privacy laws.
How Opt-Out Consent Works
An opt-out setup works as follows.
- The page loads. Scripts and tracking run immediately.
- A notice informs visitors that data is collected and their rights.
- A "Do Not Sell or Share My Personal Information" link is displayed on the homepage.
- When a user clicks the link or activates the opt-out, data collection for sale and sharing stops within 15 business days (CCPA requirement).
- Browser signals such as Global Privacy Control (GPC) may also trigger the opt-out automatically where the law requires it to be honored.
The opt-out model does not mean "no notice required." A visible opt-out mechanism is mandatory.
Where the Opt-Out Model Applies
The opt-out model governs in these jurisdictions.
- California: CCPA and CPRA use opt-out for sale and sharing of personal information.
- Other US states: Virginia (CDPA), Colorado (CPA), Connecticut (CTDPA), Texas, and similar state laws follow broadly opt-out frameworks. Opt-in is required for sensitive data categories. (Confidence: Medium, iubenda secondary; individual statutes not fetched.)
- Other regions: Some jurisdictions outside North America permit opt-out for non-sensitive data categories. The US model is the primary context for this page.
Limitations of Opt-Out Consent
Opt-out consent has four specific conditions where it fails or creates risk.
- Invalid for EU/UK non-essential cookies. Using opt-out for cookie consent with EU or UK visitors violates GDPR and the ePrivacy Directive. The model is jurisdiction-bound, not global.
- Relies on notice visibility. A buried or hard-to-find "Do Not Sell" link does not meet the CCPA's "clear and conspicuous" standard.
- GPC signal obligations. Under CPRA (effective January 1, 2023), California businesses must honor the GPC browser signal as a valid opt-out. Sites that do not detect GPC may face enforcement exposure. Pixel-tracking lawsuits under laws like CIPA add further risk for US operators who collect data without a visible opt-out.
- Risk of confusion with inaction. Opt-out is not obligation-free. It still requires a visible opt-out link, a 15-business-day honoring window for requests, and GPC detection where CPRA applies.
Opt-In vs Opt-Out Consent: Side-by-Side Comparison
The choice between opt-in and opt-out is determined primarily by jurisdiction and by what data you process. The table below shows the two models across every root and differentiating attribute.
| Dimension | Opt-In | Opt-Out |
|---|---|---|
| Default state | Nothing collected until user acts (opt-in required) | Collection runs by default until user acts (opt-out required) |
| User action required | Act to consent (click Accept or granular enable) | Act to decline (click Do Not Sell or use GPC) |
| When data collection begins | After the user grants consent | Immediately on page load |
| Non-essential cookies | Blocked until consent is given | Active until user opts out |
| Level of user control | High (user decides before any data flows) | Moderate (user can stop, but data may already have flowed) |
| Typical regulatory regions | EU/EEA, UK, Brazil | US states (CCPA, CPRA, Virginia, Colorado, etc.) |
| Validity bar (what counts as consent) | Clear affirmative act; pre-ticked boxes, silence, and inactivity are all invalid | Notice + accessible opt-out mechanism; no affirmative act required for general processing |
| How users withdraw or decline | Withdraw consent via preference center; processing must stop immediately | Click "Do Not Sell or Share" link; business must honor within 15 business days |
| Business impact (data yield) | Smaller, fully consented, measured audience | Larger by default; volume decreases only for users who opt out |
Requirements, delivery cadence, and the validity bar are the primary factors driving this comparison.
Which Privacy Laws Require Opt-In vs Opt-Out?
Opt-in is required where the law treats consent as a clear affirmative act before processing begins. Opt-out is permitted where the law lets processing proceed with a right to decline. The deciding factor is not the type of data alone; it is the legal regime that governs your visitors.
| Region / Law | Model | What it requires |
|---|---|---|
| EU/EEA (GDPR + ePrivacy) | Opt-in | Clear affirmative act before non-essential cookies; pre-ticked boxes and silence are invalid |
| United Kingdom (UK GDPR) | Opt-in | "Positive opt-in"; ICO bans pre-ticked boxes and default consent |
| Brazil (LGPD) | Opt-in | Consent-based processing requires prior affirmative consent |
| California (CCPA/CPRA) | Opt-out (with opt-in exceptions) | Opt-out for sale/sharing; opt-in for minors under 16; GPC must be honored |
| Other US states (Virginia CDPA, Colorado CPA, etc.) | Broadly opt-out | Similar to CCPA for most processing; opt-in required for sensitive data |
| Canada (PIPEDA) | Hybrid | Opt-in for sensitive data; opt-out permitted for some non-sensitive processing |
| Switzerland (FADP) | Opt-out (with exceptions) | Opt-out for most processing; exceptions require explicit consent |
EU and UK: GDPR and the ePrivacy Directive (Opt-In)
GDPR Art 4(11) requires a clear affirmative action for valid consent. GDPR Recital 32 is blunter still. It states that silence, pre-ticked boxes, or inactivity do not constitute consent (gdpr-info.eu, Confidence High). This rule bars every form of implied or default consent for EU/EEA visitors.
The ePrivacy Directive is the specific legal instrument for cookie consent in the EU. It requires prior consent before storing or accessing non-essential cookies on a user's device. The GDPR sets the validity standard that consent must meet. Together, they produce the opt-in requirement that drives EU cookie banners.
UK GDPR retains the same standard post-Brexit. The ICO is explicit: "Consent requires a positive opt-in." Its guidance adds: do not use pre-ticked boxes or any other method of default consent. (Confidence: High, ico.org.uk consent guidance.) A default-accepted banner or scroll-as-consent pattern is non-compliant under both GDPR and UK GDPR.
GDPR Art 7 adds three conditions for valid consent. First, the controller must demonstrate consent was given. Second, withdrawal must be as easy as giving consent. Third, consent must not be bundled with contract performance as a condition of service.
United States: CCPA, CPRA, and State Laws (Opt-Out)
The CCPA grants California consumers the right to opt out of the sale and sharing of their personal information. Businesses that sell or share personal information must display a "Do Not Sell or Share My Personal Information" link on their homepage. They must honor opt-out requests within 15 business days and cannot require account creation to exercise the right. (Confidence: High, oag.ca.gov/privacy/ccpa.)
The US model is not purely opt-out. CCPA and CPRA require opt-in affirmative authorization in two situations.
- Consumers under 16: Businesses must obtain opt-in consent before selling or sharing data.
- Consumers under 13: Parental consent (opt-in) is required.
CPRA also mandates that businesses honor Global Privacy Control (GPC) signals as a valid opt-out request. GPC is a browser or OS-level signal that fires automatically for users who configure it. Businesses that do not detect GPC face enforcement exposure from California's CPPA.
Other US state laws (Virginia CDPA, Colorado CPA, Connecticut CTDPA) follow a broadly similar opt-out framework. Opt-in is required for sensitive personal information: health data, racial or ethnic origin, and precise geolocation.
Other Regions: LGPD, PIPEDA, and Beyond
Privacy laws outside the EU and US vary on the opt-in/opt-out axis.
- Brazil (LGPD): Opt-in model. Consent for data processing must be expressed and specific. Similar standard to GDPR. (Confidence: Medium.)
- Canada (PIPEDA): Hybrid. Opt-in for sensitive personal information; opt-out permitted for some less-sensitive, non-sale processing. (Confidence: Medium.)
- Switzerland (FADP): Broadly opt-out for most processing, but exceptions apply for particularly sensitive data categories. (Confidence: Medium, iubenda secondary.)
- Japan (APPI), Singapore (PDPA), South Africa (POPIA): Largely notice-and-opt-out frameworks for non-sensitive data, with stronger consent requirements for sensitive categories.
When your site serves visitors from multiple regions, a single global model cannot satisfy all of these requirements simultaneously.
Is Opt-Out Consent Legal?
The legality of opt-out consent depends on the jurisdiction and the type of data. There is no single global answer.
- EU/UK for non-essential cookies: No. Opt-out is not valid consent under GDPR and the ePrivacy Directive. Per gdpr-info.eu: "Opt-out consent, where silence or inaction is deemed to be consent, is no longer valid." An opt-out banner served to EU visitors collecting non-essential cookies violates these laws. EU data protection authorities have fined major publishers for using default-on banners.
- US under CCPA/CPRA: Yes, for sale and sharing. Opt-out is the statutory model. A "Do Not Sell or Share" link and a mechanism to honor the request are legally sufficient for most data-sharing activities.
- Pre-ticked boxes and silence: Never valid. GDPR Recital 32 explicitly bars pre-ticked boxes and inactivity as consent mechanisms. This is not a grey area. A banner that pre-selects all categories and requires the user to uncheck them is not valid opt-in, nor is it a permissible opt-out under GDPR; it is non-compliant.
The validity of the action itself is a separate question. Whether it meets the standard for explicit consent is covered in the explicit vs implied consent guide.
Opt-In vs Opt-Out: Which Is Better for Your Business?
Neither model is universally better. The better model is the one your jurisdiction requires, applied honestly.
Opt-in consent produces a smaller measured audience, but every visitor in that audience has actively agreed to be tracked. Ad platforms report that consent-mode modeling can recover some of the measurement gap, but consented audiences typically run 40% to 70% of total visitors. For businesses with EU/UK traffic, opt-in is not a choice; it is a legal requirement.
Opt-out consent maximizes data volume by default. You measure more of your audience immediately, and only the subset who exercise the opt-out disappears from your data. The tradeoff is trust. Visitors who notice they were tracked before being asked are more likely to opt out. US enforcement is also expanding.
For publishers and ad-tech operators, Google Consent Mode recovers modeled conversion data for users who decline cookies in opt-in regions. For programmatic publishers, IAB TCF provides a standardized signal for passing consent choices to ad vendors. Both are relevant regardless of which model your primary audience requires.
The practical question is not which model you prefer. It is what your visitors' jurisdictions require. For most businesses with EU or UK traffic, some form of opt-in consent is unavoidable.
Can You Use Both Opt-In and Opt-Out? Geotargeted Consent
Yes. A geotargeted consent setup detects each visitor's region and shows the appropriate banner automatically. EU and UK visitors see an opt-in experience; US visitors see an opt-out experience. All visitors are served from a single consent platform configuration.
This pattern is how multi-region sites meet both GDPR and CCPA from one tool. It removes the choice of picking a single global model.
Automatic geotargeting works through IP-based region detection. When a visitor from Germany loads the page, the opt-in banner fires and all non-essential scripts stay blocked until consent. When a visitor from California loads the same page, a "Do Not Sell or Share" notice and dismiss option appear and scripts run immediately.
Example setup with three visitor types:
- EU/UK visitor: Opt-in banner loads. Scripts blocked. Visitor clicks Accept or Decline. Consent logged.
- US visitor (California): Opt-out notice with "Do Not Sell or Share" link loads. Scripts run. Visitor may opt out.
- Rest of world (no specific law): A neutral notice or no banner, depending on configuration.
Geotargeted consent does not eliminate the need to understand both models. You still need to configure the opt-in template correctly for EU compliance and the opt-out template correctly for US compliance.
When to Use Opt-In vs Opt-Out: Choosing the Right Model
The model follows your visitors' locations, not a preference. Use the decision structure below.
Choose opt-in if any of these apply.
- Your visitors include anyone from the EU, EEA, or UK
- You run non-essential cookies or tracking pixels (analytics, advertising, retargeting)
- You process sensitive personal data under any framework
Choose opt-out if your situation matches all of these.
- Your audience is exclusively in US states under CCPA-style laws
- You are handling sale or sharing of personal information (not EU-type consent)
- You display the required "Do Not Sell or Share My Personal Information" link and honor opt-out requests within 15 business days
Use geotargeting (both) if any of these apply.
- Your visitors come from multiple regions, including both EU/UK and US
- You want one consent platform to serve the right model per visitor automatically
- You want to avoid configuring two separate consent setups
If you are unsure of your visitor locations, check your analytics data or default to opt-in. An opt-in setup satisfies GDPR and is acceptable in opt-out jurisdictions. The reverse is not true.
How Consently Serves the Right Consent Model by Region
Consently includes both a GDPR opt-in template and a CCPA/US opt-out template on every plan. Automatic geotargeting detects each visitor's region and serves the matching banner. Country code-based script loading fires the correct scripts for each region. The right model reaches the right visitor without separate tool configurations.
Consently for Opt-In (GDPR) Regions
The GDPR Opt-In Template blocks all non-essential cookies and scripts until the visitor grants consent. The banner presents clear Accept and Decline options with granular category controls. Consent is logged with a timestamp and a session identifier, producing an audit record.
Key features for EU/UK compliance include four building blocks.
- GDPR Opt-In Template: Available on all plans. Pre-built for GDPR and UK GDPR requirements.
- Automatic cookie and script blocking: Non-essential scripts do not fire before consent is granted.
- Preference center: Users can change their consent choices at any time, satisfying GDPR Art 7's withdrawal requirement.
- Consent logs: Each consent record is timestamped and stored, giving you a provable record for regulatory audits.
Teams using Google Analytics or Google Ads with EU visitors can set up Google Consent Mode v2. It passes Consently's consent signals to Google's measurement infrastructure. This enables modeled conversion data for the users who declined non-essential cookies.
Consently for Opt-Out (US) Regions
The CCPA/US State Laws Opt-Out Template surfaces a notice and a Dismiss/Close button for US visitors. Scripts run on page load as the opt-out model requires. The template includes the required opt-out messaging and the mechanism for visitors to exercise their rights.
Key features for US compliance include four building blocks.
- CCPA/US Opt-Out Template: Available on all plans. Pre-built for CCPA and similar US state law requirements.
- Dismiss/Close button: Matches the opt-out UX where no affirmative action is required to proceed.
- Automatic geotargeting: US visitors receive this template automatically. EU/UK visitors receive the opt-in template. No manual routing is needed.
- Country code-based script loading: Scripts are conditionally loaded by visitor country, letting you restrict or permit specific tracking by region.
One limitation to note: Consently does not currently detect or honor the GPC browser signal. Under CPRA, California businesses must honor GPC as a valid opt-out. If your California traffic is subject to CPRA's GPC requirement, verify separately how your stack handles this signal. Consently uses explicit consent only; implied or scroll-based consent is not supported, which keeps the platform aligned with GDPR's affirmative-action standard.
Start free with Consently and configure both opt-in and opt-out templates in one account. All plans include geotargeting, both consent templates, and a 14-day free trial with no credit card required.
FAQs
Does GDPR require opt-in or opt-out consent?
GDPR requires opt-in consent. Consent under GDPR must be a freely given, specific, informed, and unambiguous indication given by a clear affirmative act. Silence, pre-ticked boxes, and inactivity are explicitly barred by Recital 32. For non-essential cookies, the ePrivacy Directive also requires opt-in. Opt-out is not valid for EU/EEA processing based on consent.
Is opt-out consent legal in the EU?
Opt-out consent is not legal for non-essential cookies and tracking in the EU or UK. The ePrivacy Directive and GDPR both require a clear affirmative act before non-essential cookies are placed. Pre-ticked boxes and default-on consent are explicitly invalid. Opt-out is only the appropriate model in jurisdictions where the law permits it, such as US state laws.
What is the difference between opt-in consent and explicit consent?
Opt-in describes the model: the user must act to be included. Explicit consent describes the validity standard: the user's action must be expressed in a clear and specific statement rather than through ambiguous conduct. An opt-in can be valid without meeting the full explicit-consent standard if it is a clear affirmative act. For sensitive data categories under GDPR, explicit consent applies a higher bar. The distinction between explicit and implied consent is covered in the explicit vs implied consent guide linked earlier.
What is double opt-in?
Double opt-in is a two-step confirmation process used primarily in email marketing. The user provides their email address (step one), then confirms by clicking a verification link sent to that address (step two). It produces a stronger proof of consent and reduces invalid or mistyped signups. Double opt-in is legally required for email marketing in Germany, Austria, Greece, Switzerland, Luxembourg, and Norway. GDPR does not explicitly mandate double opt-in for most purposes, but it is recommended as a best-practice audit trail.
Do US-only websites need opt-in consent?
US-only websites generally do not need opt-in consent for cookie tracking, but obligations still apply. CCPA and similar state laws still require three things. You need a "Do Not Sell or Share My Personal Information" link and a process to honor opt-out requests within 15 business days. California also requires GPC detection under CPRA. Opt-in authorization applies before selling or sharing data of consumers under 16. Websites that do not sell personal information, or that fall below CCPA coverage thresholds, may have fewer obligations.
Is opt-in or opt-out better for conversions?
Neither model is inherently better for conversions. Opt-out yields more raw measurement data by default, because visitors are tracked before they decline. Opt-in yields a smaller but fully consented audience with better signal quality. For businesses subject to GDPR, opt-in is required regardless of the conversion-tracking impact. Google Consent Mode v2 can recover modeled conversion estimates for opt-in regions, partially closing the measurement gap. The model that produces the best compliant measurement is the one your jurisdiction requires, combined with consent-mode modeling where it applies.
What tool serves both opt-in and opt-out banners automatically?
A consent management platform with geotargeting handles both models from a single configuration. Consently includes both a GDPR opt-in template and a CCPA/US opt-out template on every plan. Automatic geotargeting detects each visitor's region and serves the correct banner. EU visitors receive the opt-in experience; US visitors receive the opt-out experience. No separate tools or manual routing are needed.
The Right Model Is the One Your Visitors' Laws Require
Opt-in and opt-out are both valid consent models in the jurisdictions that specify them. They are not competing philosophies; they are jurisdiction-specific legal requirements. GDPR and UK GDPR require opt-in with a clear affirmative act. CCPA and similar US laws require opt-out with a visible mechanism and timely honoring of requests.
For most sites with any EU or UK traffic, some form of opt-in consent is unavoidable. Sites with US traffic under CCPA-style laws need an opt-out setup. A "Do Not Sell or Share" link and GPC handling cover the core obligation.
Multi-region sites do not need to pick one model globally. Geotargeting serves the right banner to the right visitor automatically. Start with the consent management guide to understand the full consent lifecycle, or configure both templates in Consently free for 14 days.

