Opt-in vs. opt-out

Opt-in and opt-out are two methods for exercising the choice principle of fair information practices. The choice principle states that personal information should not be collected for one purpose and shared or used for other purposes that are unrelated to the reason the information was originally collected unless the individual consents. For example, if a company collects customer information to complete a sale and subsequently uses that information to send the customer advertisements, or if it sells or rents its customer mailing list to other companies, it needs to offer the customer a choice.
With opt-out, consent is implied unless the individual objects to the new use, which means that it is the individual's responsibility to notify the organization that he or she objects to having personal information used or shared for other purposes. With opt-in, organizations may not share or use personal information for unrelated purposes unless the individual gives explicit consent. One form of opt-in is "permission marketing," where marketers ask permission before they send advertisements to prospective customers. On the Internet, some of the distinctions between opt-out and opt-in have blurred, as both forms of choice may be presented in the same way during an online transaction: a single checkbox. What separates them is the default state of that box. Under opt-out the box is pre-checked and the individual must clear it to refuse; under opt-in the box is unchecked and the individual must check it to consent. Because most people never change a default, which of the two defaults is used largely determines how many people end up "consenting."
In the United States, there is a general consensus that opt-in should be used in cases where sensitive personal information is involved. Opt-out is viewed as appropriate for marketing uses of personal information, except when medical information or information collected from children is involved. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires that all organizations covered by the law obtain written authorization for any use or disclosure of protected health information that is not related to health care treatment, payment, or the operations of the health care organization. Opt-in is required, for example, before health information may be disclosed to an employer or used for marketing. The Children's Online Privacy Protection Act of 1998 (COPPA) requires operators of websites directed at children under 13 years of age, or that knowingly collect information from such children, to obtain verifiable parental consent before the child's personal information is collected, used, or disclosed to third parties.
Other U.S. laws and regulations mandate opt-out rather than opt-in: the Financial Services Modernization Act of 1999 (better known as the Gramm-Leach-Bliley Act) for certain third-party uses of financial information, the CAN-SPAM Act of 2003 for commercial electronic mail unrelated to a transaction or a subscription, and the Federal Trade Commission's Do-Not-Call Registry for most telemarketing calls. The Direct Marketing Association's Privacy Promise is a self-regulatory program that requires all DMA members to honor consumer requests to opt out of having their customer information transferred to others for marketing purposes, or of receiving solicitations from the member company itself.
For global commerce, the U.S. Department of Commerce negotiated Safe Harbor principles with the European Union (EU) in 2000 to allow American companies to transfer the personal information of EU residents out of the EU. The Safe Harbor agreement requires companies to offer opt-out if personal information is to be disclosed to a third party or used for any purpose that is incompatible with the purpose for which the information was originally collected. For sensitive information, opt-in must be offered. The European definition of sensitive information is broader than the American definition and includes information on health, racial or ethnic origin, political opinions, religious beliefs, union membership, or an individual's sex life. (The Safe Harbor framework was invalidated by the Court of Justice of the European Union in 2015 and has since been replaced by successor arrangements; the opt-in requirement for sensitive data in EU law remains.)
