Data Protection / GDPR

Opt-in / opt-out

Opt-in and opt-out describe two opposing consent models: under opt-in the data subject must actively agree to the processing, whereas under opt-out the processing is presumed permitted until the person objects to it.

Opt-in and opt-out describe how a person's agreement to a data processing operation or marketing approach is obtained. Under the opt-in model, processing only becomes lawful once the data subject has agreed through an active, clearly affirmative action - for example by deliberately ticking a box. Under the opt-out model, by contrast, the processing is presumed to be permitted as long as the person does not object; the burden of taking action therefore rests with the data subject.

Under the GDPR, opt-out is generally not permitted for consent within the meaning of Art. 4(11) and Art. 7 GDPR. Consent must be given freely, for the specific case, in an informed manner and unambiguously; pre-ticked boxes or inactivity expressly do not suffice under Recital 32 and the case law of the CJEU (Planet49, C-673/17). Wherever processing is based on consent - such as for non-essential cookies or email marketing - a genuine opt-in is therefore mandatory.

Opt-out mechanisms nevertheless retain their place, though on a different legal footing: where processing relies on legitimate interest under Art. 6(1)(f) GDPR, the person may object under Art. 21 GDPR - for direct marketing even without giving reasons and with absolute effect. The narrowly defined existing-customer marketing under Section 7(3) of the German Act against Unfair Competition (UWG) also works as an opt-out. Controllers must therefore clearly determine for each processing operation whether they need an upfront opt-in or whether a downstream opt-out (objection) is sufficient.

Legal Basis

Art. 4(11), Art. 6(1), Art. 7 and Art. 21 GDPR; Recital 32; Section 7(2) and (3) UWG (German Act against Unfair Competition); CJEU, judgment of 1 Oct 2019, C-673/17 (Planet49)

Practical Example

An online retailer wants to send a newsletter and set analytics cookies. The data protection coordinator implements a double opt-in for the newsletter: the address is only added once the confirmation link in an email has been clicked, and every message contains an unsubscribe link (opt-out). For the analytics cookies she displays a consent banner with equally weighted, non-pre-selected buttons. Existing customers who have already purchased may receive product recommendations under Section 7(3) UWG as long as she points out the right to object - here an opt-out is sufficient.

FAQ

No. Valid consent under Art. 4(11) and Art. 7 GDPR requires an active, affirmative action. Pre-ticked boxes or mere inactivity are not sufficient under Recital 32 and the CJEU's Planet49 judgment. Wherever consent is the legal basis, an opt-in is therefore always required.

A simple opt-in requires only an active agreement, such as ticking a box. A double opt-in additionally requires the person to confirm their agreement in a second step, typically via a link in a confirmation email. The double opt-in mainly serves as proof and prevents sign-ups using someone else's address.

An opt-out is permissible when the processing is not based on consent but on another legal basis - for example legitimate interest under Art. 6(1)(f) GDPR with a right to object under Art. 21 GDPR. Existing-customer marketing under Section 7(3) UWG also works as an opt-out, provided the right to object is pointed out.
