The U.S. government and several individual states have chosen opt-out consent for private information because it is the more business-friendly approach to personal data protection. However, opt-out consent is disfavored by many other nations because it may not provide adequate privacy protections for personal data. This misalignment between U.S. and global consent standards creates appreciable challenges for U.S. global and multinational businesses attempting to navigate the complex privacy compliance landscape. Affected companies must therefore consider whether opt-in consent or a hybrid consent option best meets their needs for global compliance, product offerings, marketing activities, and other business objectives.
California’s privacy laws, the CCPA and later CPRA, are a leading U.S. consumer privacy model that introduced the data sell/share concept to the privacy arena. Sell/share of personal data accommodates the free, secure flow of individual personal data between businesses based on the individual’s opt-out consent choices.[1] California likely implemented an opt-out consent protocol because experts at the time opined that an opt-out consent procedure provided adequate privacy protection based on an individual’s informed choice. However, this sell/share distinction does not address whether personal data is processed in compliance with applicable laws, instead focusing on whether an individual’s informed consent to process personal data indicates that the individual unequivocally consented to this personal data processing. The increasingly globally accepted standard of an opt-in and/or hybrid consent process often provides clearer and more transparent mechanisms to unequivocally obtain the individual’s informed consent, eliminating the need for the business to interpret the individual’s choice based on their interaction with the business.[2]
Opt-in privacy regimes do not rely on user consent selections, but rather make companies assess their collection and use of an individual’s personal information within applicable regulatory boundaries. Opt-in privacy regimes pose significant burdens on companies, including the need to affirmatively address numerous regulatory hurdles and to implement expensive and often challenging technical and procedural mechanisms to address the collection, use, storage, transmission, maintenance, and deletion of personal information data. However, opt-in privacy or hybrid consent regimes can yield informed individual consent without requiring the individual to opt out of certain activities or review extensive privacy notices and security policies. This is because these opt-in or hybrid consent regimes focus on how personal information is collected and used rather than how consent was obtained, managed, and monitored. In contrast to the U.S., the European Union, United Kingdom, Brazil, Canada, India, Colombia, Chile, Morocco, Malaysia, South Africa, South Korea, Japan, and Taiwan all have opt-in regimes built into their regulations.
U.S. companies must evaluate whether opt-in, opt-out, or a hybrid consent regime is the better option for regulatory compliance and facilitating use of individual personal information by the company, its service providers, and other business partners. Opt-in consent places more onus on the business that initially collects and uses personal information. Companies that primarily process data for others are also affected, frequently through evaluating and negotiating data protection agreements with their business partners. Companies choosing to use opt-out consent for activities like direct sales or data sharing for cross-context behavioral advertising risk violating some U.S. or other national laws because the passive nature of an opt-out consent mechanism does not allow for an individual’s informed choice in making personal data processing selections. An opt-in or hybrid consent protocol allows an individual to make informed choices, as can be seen in California’s requirement of having a “Do Not Sell My Information” option. The individual’s website interactions or choices to accept targeted advertising or various tracking technologies help prove the individual made informed choices.
Even after selecting a consent model, the implementation methods can also pose a challenge. For example, opt-out, soft opt-in, default opt-in, assumed, deduced, deemed, or implicit consent data protection models may run afoul of certain domestic or global privacy regulations. A common key is whether the individual’s choices were informed, thereby providing adequate consent. Similarly, failing to seek sufficient individual permissions for a particular or new business use may require a company to seek additional individual consent. Inadequate collection and storage of individual consents may limit the utility of receiving previous individual consents, while failure to properly store and protect such consents may lead to additional privacy and security concerns. Teams involved in selecting, evaluating, implementing, and reviewing a consent model should include technical, legal, and executive representatives to ensure compliance, implementation, and adequate internal enforcement of the internal privacy regime. Sales and product team members are usually key partners as well, providing vital insights into how individual data is utilized by the company and its business partners.
[1] Opt-out consent is described as soft opt-in, default opt-in, assumed, deduced, deemed, or implicit consent. Jane Clyne, CIPP, “Privacy Consent Glossary”. IAPP https://iapp.org/news/a/2009-09-privacy-consent-glossary/; California Privacy Rights Act of 2022 §14: Definitions; defining the terms sell/share based on valuable consideration, where if no monetary or valuable consideration is exchanged then the business has “shared” consumer personal data.
[2] Sarah Rippy, “Opt-in Versus opt out approaches to personal information processing”. IAPP https://iapp.org/news/a/opt-in-vs-opt-out-approaches-to-personal-information-processing/