When it comes to relying on consent as a lawful basis of data processing, global privacy regulations can be classified as either opt-in or opt-out consent regimes.
Opt-in consent regime
In an opt-in consent regime, the data subject’s consent is required before the collection and processing of personal data. Such jurisdictions function on explicit consent requirements, meaning that the data subjects are explicitly asked for their consent to personal data processing and are free to grant or deny consent.
Opt-out consent regime
In an opt-out consent regime, the data subject’s consent is not required before processing personal data. However, organizations are still required to inform data subjects about the types of personal data to be collected and their purposes and provide them an option to object to data processing.
To successfully implement an opt-in consent, organizations must:
Process personal data only once consent has been obtained from data subjects,
Provide data subjects equally prominent choices of “accepting” and “rejecting” the processing of personal data,
Provide sufficient information to data subjects about why the organization collects their personal data and what the organization will use it for.
Avoid using any dark pattern to obtain the data subject’s consent, including pre-ticked checkboxes and cookie walls.
To successfully implement an opt-out consent, organizations must:
Provide sufficient information to data subjects about personal data categories to be collected and its purposes, including sensitive personal data and its objectives.
Inform data subjects whether or not their personal data is sold or shared.
Inform data subjects if their data will be sold or shared and the total time their data will be retained by the organization. This is also known as the data retention period.
Avoid using any dark pattern, such as not making the “opt-out” or “Do Not Sell My Personal Information” option prominent enough for the data subject to notice on the webpage.