What is Opt-Out vs. Opt-In?
Two fundamentally different approaches to privacy consent — opt-in requires your explicit permission before data is collected (the GDPR model), while opt-out assumes consent by default and puts the burden on you to find settings and refuse (the US model).
Also known as: Opt In vs Opt Out, Consent Models, Privacy Consent
The difference between opt-in and opt-out is the difference between a locked door and an open one. In an opt-in world, companies must ask before entering. In an opt-out world, they're already inside — and you have to figure out how to get them to leave.
The Two Models
Opt-In (Privacy-Respecting)
- Nothing happens until you say yes
- Companies must ask for explicit, informed consent before collecting data
- No pre-checked boxes, no "by continuing you agree" tricks
- The default state is: your data is not collected
- Used by: GDPR (EU), ePrivacy Directive
Opt-Out (Surveillance-Friendly)
- Everything happens until you say no
- Companies collect your data by default
- You must actively find and navigate opt-out mechanisms
- The default state is: your data is being collected
- Used by: CCPA/CPRA (California), most US state laws, most of the internet
Why This Distinction Matters
The 95% Rule
~95% of users never change default settings. Under opt-in, 95% are protected. Under opt-out, 95% are tracked. The default determines the outcome for nearly everyone.
The Burden Shifts
| | Opt-In | Opt-Out |
|---|---|---|
| Who does the work? | The company (must ask) | The user (must refuse) |
| Default state | Private | Tracked |
| Who benefits from inaction? | The user | The company |
| Friction | Company faces friction to collect | User faces friction to protect |
Dark Pattern Exploitation
Under opt-out regimes, companies exploit the system:
- Bury opt-out settings in deep menus
- Use confusing language ("Don't not unsubscribe from not receiving non-marketing communications")
- Require multi-step processes — email verification, identity confirmation, waiting periods
- Revert settings after app updates
- Make opting out harder than opting in (bright "Accept All" button vs. grey "Manage Preferences" text)
Real-World Examples
Opt-In Done Right
- Signal: Doesn't collect data. Period. Nothing to opt into or out of.
- GDPR cookie banners (when properly implemented): Must get explicit yes before setting tracking cookies
- Apple App Tracking Transparency: Apps must ask before tracking you across other apps
Opt-Out Done Wrong
- Google: Location history, web & app activity, ad personalization all on by default — you must navigate to myactivity.google.com to disable each one
- Facebook: Data sharing with partners enabled by default — buried in settings
- Data brokers: Collect your data without asking — you must individually opt out of 600+ companies
- ISPs: Can sell your browsing data unless you opt out (US, post-2017 FCC rollback)
How to Opt Out of Everything
Since most of the internet uses the opt-out model, here's what you need to do:
- Browser: Use Global Privacy Control (GPC) — a signal that automatically communicates your opt-out preference
- Data brokers: Use removal services at /remove to opt out of 635+ brokers
- Google: Visit myactivity.google.com and disable everything (or better — de-Google entirely)
- Advertising: Visit optout.aboutads.info and optout.networkadvertising.org
- Credit bureaus: Opt out of pre-screened offers at optoutprescreen.com
- Phone: Register at donotcall.gov, enable spam filtering
- Mail: Register at dmachoice.org to reduce junk mail
- Or: Switch to opt-in tools that don't require opting out of anything — Signal, ProtonMail, Brave, DuckDuckGo
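How the two defaults and the GPC signal play out on the server side, as an added example that is not code from this page or from any service it names. The `Sec-GPC: 1` request header comes from the Global Privacy Control specification; the function names, the consent-record shape, the sample visitors and the choice to let GPC override a stored grant are assumptions made for illustration.

```javascript
// Added example: consent gate for a hypothetical web backend.
// "Sec-GPC: 1" is the Global Privacy Control request header; all other
// names and the record shape below are constructed for this illustration.
const MODELS = Object.freeze({ OPT_IN: "opt-in", OPT_OUT: "opt-out" });

// HTTP header names are case-insensitive, so compare in lower case.
function getHeader(headers, name) {
  const want = name.toLowerCase();
  for (const [k, v] of Object.entries(headers || {})) {
    if (k.toLowerCase() === want) return Array.isArray(v) ? v[0] : v;
  }
  return undefined;
}

// The signal counts only when the header value is exactly "1".
function hasGpc(headers) {
  const v = getHeader(headers, "Sec-GPC");
  return typeof v === "string" && v.trim() === "1";
}

// record: { choice: "granted" | "refused" }, or undefined if the user never answered.
// Assumption of this example: a GPC signal overrides a stored grant.
function mayTrack(model, record, headers) {
  if (hasGpc(headers)) return { allowed: false, reason: "gpc-signal" };
  const choice = record && record.choice;
  if (choice === "refused") return { allowed: false, reason: "user-refused" };
  if (choice === "granted") return { allowed: true, reason: "user-granted" };
  // No recorded choice: the consent model's default decides the outcome.
  if (model === MODELS.OPT_IN) return { allowed: false, reason: "default-private" };
  if (model === MODELS.OPT_OUT) return { allowed: true, reason: "default-tracked" };
  return { allowed: false, reason: "unknown-model" }; // fail closed
}

// Count how many visitors end up tracked under a given model.
function trackedCount(model, visitors) {
  return visitors.filter(v => mayTrack(model, v.record, v.headers).allowed).length;
}

// Constructed sample: 20 visitors, 19 never touch a setting, 1 sends GPC.
const SAMPLE_VISITORS = [
  ...Array.from({ length: 19 }, () => ({ record: undefined, headers: {} })),
  { record: undefined, headers: { "sec-gpc": "1" } },
];
```

With the same 20 visitors, `trackedCount` returns 0 under opt-in and 19 under opt-out: only the visitor whose browser sends the signal escapes the default.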
Related Terms
CCPA
The California Consumer Privacy Act grants California residents rights over their personal information, including the right to know what data is collected, delete it, opt out of its sale, and not be discriminated against for exercising these rights.
Consent Fatigue
The exhaustion and desensitization that occurs from being bombarded with privacy consent requests — cookie banners, terms of service, app permissions — leading people to blindly accept everything just to make the prompts stop.
Consent Management
Systems and processes for collecting, recording, and managing user consent for data collection and processing, required by GDPR and similar laws.
Dark Patterns
Deceptive user interface designs that trick people into giving up privacy, making purchases, or agreeing to terms they didn't intend — such as hiding opt-out buttons, using confusing language, or making cancellation deliberately difficult.
GDPR
The General Data Protection Regulation is a comprehensive data protection law in the European Union that gives individuals control over their personal data. It establishes strict requirements for how organizations collect, process, store, and transfer personal information.
Global Privacy Control
A browser signal that tells websites you don't want your personal data sold or shared, legally enforceable under CCPA and recognized by some GDPR implementations.
Privacy by Default
The principle that systems, services, and technologies should ship with the most privacy-protective settings out of the box — requiring users to opt in to less private options rather than opt out of invasive ones. It means privacy is the starting point, not a hidden toggle.