
Opt-In and Opt-Out: Understanding and Enforcing Digital Consent

November 19, 2025
Online security

Managing consent through opt-ins and opt-outs has become a core element of personal data protection compliance. Although regulations may seem complex, they are based on a simple principle: respect the choice and privacy of users.

In short

The main thing to remember:

  • Opt-in = active consent required before any data collection
  • Opt-out = the possibility to refuse or withdraw consent after collection has started by default
  • The GDPR requires opt-in for most data processing in Europe
  • Sanctions can reach 4% of turnover or 20 million euros
  • Double opt-in reinforces the validity of consent
  • Each method responds to specific legal obligations depending on the context (B2B/B2C, email/phone)

1. What are opt-ins and opt-outs?

Definition of opt-in

Opt-in (or “prior consent”) is a mechanism that requires a positive, explicit action from the user before their personal data can be collected or used for a given purpose.

Characteristics of the opt-in:

  • Affirmative action required (check a box, click a button)
  • Consent given before data collection
  • Box not pre-checked by default
  • Clear information on the use of data

Concrete examples of opt-ins:

  • Voluntarily check a box “I agree to receive the newsletter”
  • Click on “Accept all cookies” in a banner
  • Validate your subscription to a marketing service by SMS
  • Physically sign a form authorizing the use of data

Definition of the opt out

Opt-out (or “right of withdrawal”) is a process in which the user is included by default in a mailing list or a data processing operation, but can refuse or withdraw consent at any time.

Characteristics of the opt-out:

  • Automatic inclusion by default
  • Need to take action to unsubscribe
  • Accessible and simple withdrawal mechanism
  • Mandatory information about the right to refuse

Concrete examples of opt-outs:

  • Click on “Unsubscribe” at the bottom of a marketing email
  • Uncheck a pre-checked box in a form
  • Use the “Do Not Sell My Personal Information” (CCPA) link
  • Reject non-essential cookies via preferences

2. The fundamental differences between Opt-In and Opt-Out

Comparative table

International regulations

Regulation | Region | Approach | Particularities
LGPD | Brazil | Opt-in | Inspired by the GDPR
POPIA | South Africa | Opt-in | Similar to the GDPR
PIPEDA | Canada | Opt-in/Opt-out | Context-dependent
PDPA | Thailand | Opt-in | Cookies and sensitive data
Privacy Act | Australia | Opt-out | Targeted advertising
VCDPA | Virginia, US | Opt-out | Opt-in for sensitive data

The principle of reverse responsibility

With the opt-in:

  • The company must prove that it obtained consent
  • The user actively controls their data from the start
  • Maximum privacy protection

With the opt-out:

  • The user must act to protect their data
  • The company can process the data until the user refuses
  • It is up to the user to monitor the use of their data

3. The legal framework: RGPD, CCPA and other regulations

The RGPD/GDPR (Europe): mandatory opt-in

The General Data Protection Regulation imposes strict conditions for consent to be valid:

The 5 criteria for GDPR consent:

  1. Free: without pressure, coercion or negative consequences in case of refusal
  2. Specific: for each distinct purpose (no bundled consent)
  3. Informed: the user understands what they are agreeing to
  4. Unambiguous: a clear positive action (silence or inaction does not count)
  5. Revocable: consent can be withdrawn easily

What is PROHIBITED by the RGPD:

  • Pre-ticked boxes
  • A single consent bundling several purposes
  • Continued processing after withdrawal of consent
  • Making access to the service conditional on consent (unless the processing is required for the service)

The CCPA/CPRA (California): opt-out approach

California legislation takes a different approach:

Consumer rights:

  • Right to know what data is collected
  • Right to refuse the sale or sharing of their data
  • Right to deletion of their personal data
  • Right to correct inaccurate data

Corporate obligations:

  • Show a “Do Not Sell or Share My Personal Information” link
  • Comply with opt-out requests within 15 days
  • Do not discriminate against users who exercise their rights
  • Treat minors under 16 differently (opt-in required)

Other important regulations

Opt-in vs Opt-out

Criterion | Opt-in | Opt-out
Consent | Active and prior | Presumed, withdrawal possible
User action | Required before processing | Required to refuse
Checkbox | Not ticked by default | May be pre-ticked
Responsibility | On the company (prove consent) | Shared (the user must act)
Protection | Maximum | Moderate
Regulations | RGPD, LGPD, POPIA | CCPA, CPRA, US laws
Preferred context | B2C email/SMS, sensitive data | B2B email, some US contexts

B2B vs B2C: different rules

In B2C (Business to Consumer):

  • Email/SMS: mandatory opt-in (RGPD)
  • Phone: no opt-in required, but compliance with the Bloctel list (France)
  • Postal mail: opt-in not required

In B2B (Business to Business):

  • Professional email: opt-in NOT mandatory if the offer is linked to the recipient's professional activity
  • Opt-out option: the right to object must be easy to exercise
  • Phone: prospecting authorized without prior opt-in

Update for 2026: a revolution in cold calling in France

Law of 30 June 2025 against public aid fraud

A major reform is radically transforming the rules of cold calling in France.

Since July 1, 2025 (in force)

Total ban on telephone and electronic canvassing (emails, SMS, social networks) for:

  • Energy renovation: offer of services, sale of equipment, carrying out work to save energy or produce renewable energy.
  • Housing adaptation: work related to disability or aging.

Exception: canvassing carried out under a contract already concluded.

Objective: fight against massive fraud in grants for energy renovation.

Starting in August 2026 (coming soon)

In principle, telephone canvassing is prohibited in all sectors.

New general rule:

Telephone canvassing with an individual will be prohibited if the company has not obtained its opt-in consent in advance.

Characteristics of the required consent:

  • Free: without constraint.
  • Specific: for telephone canvassing.
  • Informed: clear information given.
  • Unequivocal: explicit agreement.
  • Revocable: possibility to withdraw at any time.

Methods for obtaining consent:

  • During a purchase.
  • During a store visit.
  • Through an online or paper form.
  • Proof of consent required by the company.

Exceptions maintained:

  • Canvassing under an existing contract.
  • Complementary products or services “likely to improve the performance or the quality” of the contract subscribed.

New obligations:

  • If the consumer objects to a call continuing, it must be ended immediately.
  • No further contact after an objection.
  • Increased penalties for abuse of weakness.

Impact for businesses:

This law inverts the current logic:

  • Before: opt-out system (Bloctel registration required to refuse).
  • After August 2026: opt-in system (prior agreement mandatory).

Transition period:

July 2025 - August 2026: the period professionals have to:

  • Review their prospecting methods.
  • Implement consent collection tools.
  • Establish compliant databases.
  • Train their teams.

Upcoming implementing decrees:

The precise modalities will be detailed by decree (calendar, possible sectoral exceptions, etc.).

B2B vs B2C: different rules

In B2C (business to consumer):

  • Email/SMS: mandatory opt-in (RGPD).
  • Phone:
      • Currently: no opt-in required, but compliance with Bloctel (France).
      • From August 2026: mandatory opt-in (law of June 30, 2025).
  • Postal mail: opt-in not required.

In B2B (business to business):

  • Professional email: opt-in not mandatory if the offer is linked to the recipient's professional activity.
  • Opt-out option: the right to object must be easy to exercise.
  • Telephone: prospecting authorized without prior opt-in.

4. Opt-in: When and how to use it?

Situations requiring opt-in

The opt-in is obligatory in the following contexts:

1. B2C commercial prospecting by email or SMS

Before sending any marketing message to an individual, you need to get their explicit consent.

How to do it:

☐ I agree to receive commercial offers from [Company] by email

☐ I agree to receive commercial offers from [Company] partners

2. Non-essential cookies

All cookies that are not strictly necessary for the operation of the site require an opt-in.

Types of cookies concerned:

  • Analytical cookies (Google Analytics, etc.)
  • Advertising cookies
  • Social media cookies
  • Personalization cookies

3. Sensitive data

The processing of sensitive data always requires an explicit opt-in:

  • Health data
  • Political and religious opinions
  • Sexual orientation
  • Biometric data
  • Genetic data

4. Data of minors

Age of digital consent:

  • Under 16 (RGPD): mandatory parental consent
  • Under 13 (COPPA, US): parental consent required
  • Under 16 (CCPA): opt-in required (opt-out between 13-16 years old)

Opt-In Best Practices

✅ TO DO

1. Making consent obvious

  • Use clear and simple language
  • Avoid excessive legal jargon
  • Clearly separate each consent request

Example:

☐ I want to receive the weekly newsletter with news and advice

By checking this box, you agree that we may use your email address to send you our newsletter. You can unsubscribe at any time.

2. Link to the privacy policy

Always provide a link to your privacy policy near the opt-in form.

3. Retain proof of consent

Save:

  • Date and time of consent
  • Exact text shown
  • IP address (with care)
  • Collection method

4. Facilitate withdrawal

Withdrawing consent should be as simple as giving it.

❌ TO AVOID

  • Pre-ticked boxes
  • Consent drowned in the general conditions
  • Ambiguous or misleading language (“by continuing, you agree...”)
  • Difficult or hidden refusal
  • Consent required to access the service (unless required)
  • Bundling (grouping several consents)

5. Opt-out: application contexts and implementation

When should you use the opt-out?

The opt-out is appropriate in certain specific contexts:

1. B2B email marketing

In professional prospecting, opt-in is not mandatory if:

  • The email targets a professional address
  • The offer is linked to the professional activity of the recipient
  • An opt-out mechanism is clearly available

2. Under certain jurisdictions (CCPA, etc.)

American laws often favour the opt-out for:

  • The sale of personal data
  • Sharing with third parties
  • Targeted advertising
  • Profiling

3. Existing customer (soft opt-in)

Soft opt-in exception:

If you have an existing business relationship, you can send offers similar to products already purchased without a prior opt-in, provided that:

  • You informed the customer when their email was collected
  • Every message contains an easy opt-out

Strict conditions:

  • Email collected during a sale or negotiation
  • Information given at time of collection
  • Similar products/services only
  • Your own offers (not those of partners)

Implementation of the opt-out

The unsubscribe link in emails

Legal requirements:

  • Visible and easily identifiable
  • Works in at most one click
  • Processed promptly (within 48-72 hours at most)
  • No justification requested
  • No login required to unsubscribe

Example of formulation:

You are receiving this email because you are a customer of [Company]. If you no longer wish to receive our communications, click here to unsubscribe.

The “Do Not Sell” link (CCPA)

To comply with the CCPA:

1. Placing the link

  • In the footer of the website
  • In the privacy policy
  • Exact wording or clear equivalent

2. Landing page

  • Simple and clear form
  • Processing within 15 days
  • Confirmation that the request has been taken into account
  • No discrimination after opting out

Preference center

Best practice: create a comprehensive preference center where users can:

  • Manage their subscriptions by theme
  • Choose the frequency of mailings
  • Change their personal details
  • Exercise their RGPD rights (access, rectification, deletion)

6. Cookies: Opt-In or Opt-Out?

Distinction according to the type of cookie

Strictly necessary cookies

Characteristics:

  • Essential for the functioning of the site
  • No consent required
  • Mandatory information in the cookie policy

Examples:

  • Session cookie
  • Shopping cart cookie
  • Authentication cookie
  • Language preference cookie

Non-essential cookies

Mandatory opt-in for:

  • Analytical cookies (Google Analytics, Matomo)
  • Advertising cookies (Facebook Pixel, Google Ads)
  • Social media cookies
  • Advanced personalization cookies

The compliant consent banner

A RGPD-compliant cookie banner must:

1. Appear before cookies are deposited

  • Third-party cookies are blocked until the user consents
  • Only essential cookies are set on the initial page load

2. Offer granular choices

Cookie management panel:

☐ Essential cookies (mandatory)

☐ Analytical cookies - Help us improve the site

☐ Marketing cookies - For relevant advertising

☐ Social media cookies - Sharing on networks

3. Respect decisions

  • Accept = all cookies allowed
  • Reject = only essential cookies
  • Validity period of consent: 6-13 months maximum

The Planet49 judgment of the CJEU

Key points of this major decision:

  1. Pre-ticked boxes are forbidden: consent must result from a positive action
  2. Separate consent: several purposes cannot be grouped under one consent
  3. Full information: lifespan and purpose of each cookie
  4. Before placement: consent must be obtained before the cookie is installed

Practical impact:

This case law has reinforced the opt-in obligation for all non-essential cookies in Europe.

7. Double Opt-in: enhanced security

What is double opt-in?

The double opt-in (or “confirmed opt-in”) is a two-step process:

Step 1: The user fills out a form and ticks the opt-in box.

Step 2: The user receives a confirmation email containing a link to click to definitively validate the registration.

Benefits of double opt-in

For the company

1. Database quality

  • Guaranteed valid email addresses
  • Improved deliverability rate
  • Fewer hard bounces
  • Spam reduction

2. Strengthened legal protection

  • Strong evidence of consent
  • Full traceability
  • Strengthened GDPR compliance
  • Defence in case of litigation

3. User engagement

  • Really interested subscribers
  • Higher opening rates
  • Fewer unsubscriptions
  • Improved marketing ROI

For the user

  • Confirmation of their email address
  • Protection against fraudulent registrations in their name
  • Increased control over their data

Is double opt-in mandatory?

Answer: NO, but highly recommended.

Depending on the country:

  • RGPD: not mandatory, but considered good practice
  • Germany, Austria, Switzerland: mandatory in practice
  • France: not mandatory, but recommended by the CNIL
  • U.S.: not mandatory

Attention: Double opt-in alone is NOT enough for GDPR compliance. It must be accompanied by:

  • Checkboxes not pre-checked
  • Link to the privacy policy
  • Clear information on the use of data

Important technical points:

  • Unique, unguessable confirmation link for each request
  • The link expires after a delay (24-72 hours)
  • No definitive registration until the link is clicked
  • A reminder may be sent if no confirmation is received
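The double opt-in flow above, together with the proof-of-consent record described under “Retain proof of consent” (date and time, exact text shown, IP address, collection method), as an added example that is not the article's own code. It assumes a placeholder SECRET_KEY, in-memory dicts standing in for a database, and a 48-hour link lifetime.

```python
# Added example (not the article's code): double opt-in with a signed,
# expiring, single-use confirmation link, plus the consent record written
# on confirmation. SECRET_KEY and the in-memory stores are assumptions.
import hashlib, hmac, secrets, time
from dataclasses import dataclass
from typing import Dict, List, Optional

SECRET_KEY = b"replace-with-a-real-server-side-secret"  # placeholder
LINK_TTL = 48 * 3600  # link expires after 48 hours (article: 24-72 h)

@dataclass
class Pending:
    email: str
    consent_text: str  # exact wording the user saw next to the checkbox
    ip: str
    method: str        # e.g. "web form", "paper form"
    created: int
    used: bool = False

PENDING: Dict[str, Pending] = {}  # token id -> unconfirmed request
CONSENTS: List[dict] = []         # confirmed consent records (the proof)

def _sign(token_id: str, issued: int) -> str:
    # HMAC binds the random id to its issue time so neither can be altered.
    msg = f"{token_id}:{issued}".encode()
    return hmac.new(SECRET_KEY, msg, hashlib.sha256).hexdigest()

def request_subscription(email: str, consent_text: str, ip: str,
                         method: str, now: Optional[int] = None) -> str:
    """Step 1: store the request and return the token for the email link.
    The address is NOT on the mailing list until confirm() succeeds."""
    issued = int(time.time()) if now is None else int(now)
    token_id = secrets.token_urlsafe(16)  # unguessable, one per request
    PENDING[token_id] = Pending(email, consent_text, ip, method, issued)
    return f"{token_id}.{issued}.{_sign(token_id, issued)}"

def confirm(token: str, now: Optional[int] = None) -> Optional[dict]:
    """Step 2: validate the clicked link; return the consent record or None."""
    now = int(time.time()) if now is None else int(now)
    try:
        token_id, issued_s, sig = token.split(".")
        issued = int(issued_s)
    except ValueError:
        return None                      # malformed link
    expected = _sign(token_id, issued)
    if not hmac.compare_digest(sig.encode(), expected.encode()):
        return None                      # forged or altered link
    if now - issued > LINK_TTL:
        return None                      # expired: user must re-subscribe
    pending = PENDING.get(token_id)
    if pending is None or pending.used:
        return None                      # unknown, or already used once
    pending.used = True                  # single use
    record = {"email": pending.email, "requested_at": pending.created,
              "confirmed_at": now, "ip": pending.ip,
              "method": pending.method, "consent_text": pending.consent_text}
    CONSENTS.append(record)
    return record
```

Because the link is signed and single-use, a guessed or replayed link never adds an address to the list, which is what protects users against registrations made in their name.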

8. Compliance best practices

Audit your current practices

Questions to ask yourself:

  1. What type of data do you collect?
  2. On what legal basis (consent, legitimate interest, contract...)?
  3. Are your forms compliant (boxes not pre-ticked)?
  4. Do you keep proof of consent?
  5. Can users easily withdraw their consent?
  6. Are your subcontractors compliant?
  7. Have you appointed a DPO if necessary?

Technical tools and solutions

Consent Management Platforms (CMP):

  • OneTrust : complete business solution
  • Cookiebot : specialized cookies, RGPD compliant
  • Axeptio : modern UX interface, French
  • Didomi : European solution, multi-regulations
  • Quantcast Choice : free, specialized TCF 2.0
  • Termly : accessible, for SMEs

For email marketing:

  • Mailchimp : native double opt-in
  • Sendinblue (Brevo): RGPD compliant
  • ActiveCampaign : automation and compliance
  • GetResponse : advanced preference center

Advantages of a CMP:

  • Automatic blocking of cookies
  • Customizable preferences interface
  • Registration of consents
  • Ongoing regulatory update
  • Geolocation and automatic adaptation

9. Consequences of non-compliance

GDPR sanctions

The CNIL (Commission Nationale de l'Informatique et des Libertés) may impose severe sanctions:

Administrative fines:

  • Level 1 (less serious offences): up to €10 million or 2% of global annual turnover
  • Level 2 (major offences): up to €20 million or 4% of global annual turnover

In each case, the higher of the two amounts applies.

Opt-in/Opt-Out Offences:

  • Lack of valid consent: category 2 (up to €20M or 4% of turnover)
  • Non-compliance with the right to object: category 2
  • Pre-checked boxes: category 2
  • Difficulty withdrawing consent: category 2

Examples of real sanctions

Notable cases:

  1. Google (2019): €50 million by the French CNIL. Reason: insufficiently explicit consent for targeted advertising
  2. Amazon (2021): €746 million by the Luxembourg authority. Reason: data processing without valid consent
  3. Facebook/Meta (2023): €390 million. Reason: forced consent for targeted advertising
  4. French online store (2020): €35,000. Reason: pre-ticked boxes and prospecting without consent

Other consequences

Reputational damage

  • Publication of sanctions by the CNIL
  • Negative media coverage
  • Loss of customer trust
  • Impact on brand image
  • Decrease in conversions

Commercial consequences

  • Prohibition of processing certain data
  • Obligation to purge databases
  • Loss of mailing lists
  • Compliance costs
  • Disputes with customers

Personal responsibility

Managers can be held personally liable for serious breaches.

10. FAQ: frequently asked questions

What is the main difference between opt-in and opt-out?

Opt-in requires active consent BEFORE collection, while opt-out allows collection by default with the possibility of refusal.

Is the opt-out forbidden in Europe?

No, but opt-in is mandatory for most processing operations under the RGPD. The opt-out remains the mechanism for WITHDRAWING consent already given.

Can I use pre-ticked boxes?

Not under the RGPD. Consent must result from a positive and clear action by the user.

How long is consent valid for?

There is no fixed legal period, but the CNIL recommends requesting consent again every 13 months. For cookies, 13 months maximum.

Can I send a confirmation email without an opt-in?

Yes: a single confirmation email following a user action (order, registration) is authorized, but no commercial prospecting without opt-in.

Can I send commercial B2B emails without opt-ins?

Yes in France, if the offer is linked to the professional activity of the recipient and an opt-out is available.

Can I buy an email database with opt-in?

Very risky. Consent is generally not transferable. The people consented to Company A, not to you (Company B).

Conclusion

Managing consent through opt-ins and opt-outs has become a core element of personal data protection compliance. While regulations may seem complex, they are based on a simple principle: respect the choice and privacy of users.

Key points to remember

  1. Always use opt-in for personal data, especially in Europe
  2. Document all consents to prove your compliance
  3. Facilitate the opt-out: withdrawing consent should be as easy as giving it
  4. Be transparent about the use of data
  5. Adapt to the regulations of each jurisdiction where you operate
  6. Audit your collection and processing practices regularly

Compliance as a competitive advantage

Beyond the legal obligation, ethical consent management:

  • Builds the trust of your customers and prospects
  • Improves the quality of your databases
  • Optimizes your conversion rates (real engagement)
  • Protects your reputation and avoids scandals
  • Differentiates your brand in a context of growing distrust
