
Opt-In vs Opt-Out Under GDPR: Rules and Examples

GDPR opt-in vs opt-out explained. When each approach is required, with practical examples for email marketing, cookies, and data sharing.

The distinction between opt-in and opt-out is one of the most practically consequential concepts in EU data protection law. Get it wrong and the consequences are concrete: in 2024 alone, the CNIL issued 21 enforcement actions related to cookie and consent mechanisms, targeting organizations that stored trackers without prior consent, failed to inform users adequately, or did not honor refusals (CNIL 2024 sanctions report). This guide explains when GDPR requires opt-in, when opt-out is permissible, and how to implement each correctly across common scenarios.

Definitions: Opt-In and Opt-Out

Opt-in means the individual must take an affirmative action before processing begins. No data is collected or used until the person actively consents. Under GDPR, this takes the form of a clear affirmative act — ticking an unchecked box, clicking a dedicated consent button, or selecting specific preferences. Silence, pre-ticked boxes, and inactivity do not constitute consent (Recital 32).

Opt-out means processing proceeds by default, and the individual can object or withdraw at a later point. The right to opt out is typically associated with processing based on legitimate interest (Article 6(1)(f)) or direct marketing (Article 21(2)), where the data subject has a right to object rather than a right to give prior consent.

The distinction is not merely procedural. It determines who bears the burden of action: in opt-in, the controller must obtain consent before processing; in opt-out, the data subject must take steps to stop processing that is already underway.

When GDPR Requires Opt-In

GDPR mandates opt-in (consent as lawful basis under Article 6(1)(a)) in several situations:

Cookies and tracking technologies. The ePrivacy Directive (Directive 2002/58/EC, Article 5(3)) requires prior consent before placing non-essential cookies or similar trackers on a user’s device. This is an opt-in requirement implemented across the EU. The CJEU confirmed in Planet49 (C-673/17, 2019) that pre-ticked boxes do not satisfy this requirement. The proposed Digital Omnibus regulation would integrate these rules directly into GDPR through a new Article 88a, requiring browser-level consent signals and prohibiting dark patterns in cookie interfaces.

Email marketing to individuals. Under the ePrivacy Directive (Article 13), sending marketing emails to individuals requires prior consent — opt-in. The only exception is the “soft opt-in” for existing customers (see below). Most EU member states have transposed this strictly.

Processing of special categories of data. Health data, biometric data, political opinions, trade union membership, and other categories listed in Article 9 require explicit consent under Article 9(2)(a) unless another exception applies. “Explicit” is a higher bar than standard consent — it demands an unambiguous, specific statement of agreement.

Automated decision-making and profiling. Where processing involves solely automated decisions that produce legal or similarly significant effects (Article 22), explicit consent is one of the limited lawful bases available.

Cross-border data transfers to inadequate countries. When no adequacy decision or appropriate safeguards exist, explicit consent under Article 49(1)(a) can serve as a derogation — but only if the individual is informed of the risks and consents specifically.

When Opt-Out Is Permissible

Opt-out mechanisms are appropriate when processing relies on a lawful basis other than consent:

Legitimate interest (Article 6(1)(f)). When the controller has conducted a legitimate interest assessment and concluded that the processing is necessary and does not override the data subject’s rights, opt-out is the correct model. The data subject has the right to object under Article 21(1), and the controller must cease processing unless it demonstrates compelling legitimate grounds.

Direct marketing to existing customers (“soft opt-in”). Article 13(2) of the ePrivacy Directive allows electronic marketing to existing customers who provided their email during a sale, provided the marketing relates to similar products and each message includes an easy opt-out. This is the only scenario where email marketing can operate on an opt-out basis.

Postal direct mail. In most EU jurisdictions, physical mailings can be sent on a legitimate interest basis with an opt-out mechanism. The triple test (purpose, necessity, balancing) must still be satisfied.

Analytics based on legitimate interest. Some DPAs accept that basic, privacy-friendly analytics (no cross-site tracking, no individual profiling) can rely on legitimate interest with an opt-out, though the trend — especially after the Austrian and French DPA decisions on Google Analytics — is toward requiring consent for most analytics tools.

Practical Examples

Email Marketing

| Scenario | Model | Legal Basis | Implementation |
|---|---|---|---|
| New subscriber, never purchased | Opt-in | Consent (Art. 6(1)(a)) | Unchecked checkbox at signup: “Yes, send me the weekly newsletter.” Double opt-in recommended. |
| Existing customer, similar products | Opt-out (soft opt-in) | Legitimate interest + ePrivacy Art. 13(2) | Email collected during purchase. Each email includes one-click unsubscribe. |
| Third-party list | Opt-in | Consent obtained by the list provider must be specific to your use | Verify that the provider obtained consent naming your organization and purpose. |

Cookies

Opt-in is the default for all non-essential cookies. The implementation must provide:

  • An “Accept All” and “Reject All” button of equal visual prominence
  • Granular category selection (analytics, marketing, functional)
  • No cookie wall (making site access conditional on accepting all cookies — the EDPB has stated this is generally not valid consent)
  • Consent stored and retrievable for audit purposes
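The four requirements above, plus the Article 7(3) rule that withdrawal must be as easy as giving consent, translate into a small amount of logic that every cookie-setting code path has to go through. The following is an added example, not code from the article or from Legiscope; it assumes a key/value store (a Map here, localStorage in a browser), a constructed policy version string, and that all code writing non-essential cookies calls `isAllowed()` first.

```javascript
// Added example: a consent record and gate for non-essential cookies.
// Assumptions: `store` is any Map-like key/value store (localStorage in a browser);
// POLICY_VERSION is a constructed value that is bumped whenever the cookie policy changes.
const CATEGORIES = ["analytics", "marketing", "functional"]; // "necessary" is never gated
const POLICY_VERSION = "2024-06";

function createConsentManager(store = new Map(), now = () => Date.now()) {
  const KEY = "cookie_consent";

  // No record, or a record given under an earlier policy version, counts as no consent.
  // Every non-essential category is therefore "denied" by default (no pre-ticked boxes).
  function current() {
    const rec = store.get(KEY);
    return rec && rec.version === POLICY_VERSION ? rec : null;
  }

  // Persist a granular decision. `method` records which UI action produced the record
  // (Accept All / Reject All / custom selection / withdrawal) so an audit can show it.
  function record(method, choices) {
    const rec = { version: POLICY_VERSION, timestamp: now(), method, choices: {} };
    for (const c of CATEGORIES) rec.choices[c] = choices[c] === true; // anything else is "denied"
    store.set(KEY, rec);
    return rec;
  }

  return {
    acceptAll: () => record("accept_all", Object.fromEntries(CATEGORIES.map((c) => [c, true]))),
    rejectAll: () => record("reject_all", {}),
    setCustom: (choices) => record("custom", choices),
    // Withdrawal is a single call, symmetric with acceptAll (Article 7(3)).
    withdraw: () => record("withdrawn", {}),
    // Gate called by the code that actually sets cookies.
    isAllowed: (category) => {
      if (category === "necessary") return true;
      const rec = current();
      return rec !== null && rec.choices[category] === true;
    },
    // false => show the banner and set nothing non-essential in the meantime.
    hasDecision: () => current() !== null,
    auditRecord: () => current(),
  };
}
```

Because a record made under an older policy version is treated as absent, a policy change re-prompts the user instead of silently reusing consent given for a different set of cookies.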

The CNIL’s 2020 cookie guidelines and its subsequent enforcement wave (including the EUR 150 million fine against Google and EUR 60 million fine against Facebook in January 2022) established that a “Continue browsing” action does not constitute valid consent. Only a clear affirmative click on a dedicated acceptance button qualifies.

Data Sharing with Third Parties

Sharing personal data with a third party for that third party’s own purposes almost always requires opt-in consent. The consent must name the specific third party (or category of third parties) and the purpose of sharing. Blanket statements like “we share data with our partners” fail the specificity requirement.

Phone Marketing

Rules vary by member state, but the general EU position under the ePrivacy Directive is:

  • B2C calls: Most member states require opt-in consent (France, Germany) or at minimum an opt-out register check (UK TPS, France Bloctel).
  • B2B calls: Generally permissible on a legitimate interest basis with opt-out, though this varies.

Country-Specific Rules

While GDPR provides the baseline, national implementations of the ePrivacy Directive create variations:

France (CNIL). Strict opt-in for cookies and email marketing. The CNIL’s 2020 guidelines require that refusing cookies must be as easy as accepting them. Commercial phone calls must check against the Bloctel opt-out register. The CNIL has been the most active enforcer of cookie consent rules, with over EUR 400 million in cookie-related fines since 2020.

Germany (Federal and State DPAs). The Telecommunications-Telemedia Data Protection Act (TDDDG, formerly TTDSG) transposes the ePrivacy cookie consent rules into German law. Germany applies a strict opt-in standard for cookies and email marketing. The Unfair Competition Act (UWG) adds additional restrictions on unsolicited commercial communications.

UK (ICO). Post-Brexit, the UK GDPR and PECR (Privacy and Electronic Communications Regulations) maintain similar standards. The ICO requires opt-in for marketing emails and non-essential cookies. The ICO’s 2024 updated guidance on cookies emphasized that cookie walls and “implied consent” approaches are not compliant. The soft opt-in exception for existing customers is available under PECR Regulation 22.

Italy (Garante). The Italian DPA issued comprehensive cookie guidelines in 2021, requiring granular consent, no scroll-as-consent, and a visible “reject all” option. Italy has actively enforced these requirements, including a EUR 20 million fine against Clearview AI where consent failures were central to the case.

Common Mistakes

Treating opt-out as a universal fallback. Some organizations default to opt-out for all processing, assuming they can rely on legitimate interest. But legitimate interest requires a documented assessment, and certain processing (special category data, cookies, email marketing to prospects) simply cannot use this basis.

Missing the withdrawal mechanism. Article 7(3) requires that withdrawing consent must be as easy as giving it. If subscribing takes one click but unsubscribing requires navigating three pages and confirming via email, the consent is defective.

Confusing consent with contract. Accepting terms of service is not the same as giving consent for data processing. Bundling consent with contractual acceptance violates the “freely given” requirement. If refusing consent means the user cannot use the service — and the processing is not necessary for the service — the consent is not valid (Article 7(4)).

Ignoring the “soft opt-in” conditions. The soft opt-in exception is narrowly defined: it applies only to existing customers, only to similar products or services, only when the email was collected in the context of a sale, and only if each message includes an easy opt-out. Marketing a new product line to old customers may not qualify.

FAQ

When does GDPR require opt-in rather than opt-out?

GDPR requires opt-in (consent) when there is no other applicable lawful basis. The main scenarios are: placing non-essential cookies (ePrivacy Directive Article 5(3)), sending marketing emails to non-customers (ePrivacy Article 13), processing special category data (Article 9), and automated decision-making with legal effects (Article 22). Whenever consent is the lawful basis, it must be obtained before processing begins — not after.

Can I use opt-out for email marketing?

Only in the narrow “soft opt-in” scenario defined by ePrivacy Directive Article 13(2): the recipient is an existing customer, their email was collected during a sale, the marketing concerns similar products or services, and every email includes an easy unsubscribe mechanism. For all other email marketing — including newsletters to prospects — you need prior opt-in consent.

What is the difference between consent and legitimate interest?

Consent (Article 6(1)(a)) requires the individual to affirmatively agree before processing starts — opt-in. Legitimate interest (Article 6(1)(f)) allows processing without prior agreement, but the individual has a right to object — opt-out. The controller must document a legitimate interest assessment showing that the processing is necessary, proportionate, and does not override the individual’s rights. If the balancing test fails, legitimate interest cannot be used and consent (opt-in) is required.

Are cookie walls allowed under GDPR?

The EDPB’s Opinion 5/2019 stated that cookie walls generally do not constitute valid consent because they make site access conditional on accepting all cookies, undermining the “freely given” requirement. Some DPAs, including the French CNIL, have taken a nuanced position allowing cookie walls only where a genuine equivalent alternative (such as a paid subscription) is offered. In practice, the safest approach is to allow full site access regardless of cookie choices, using only strictly necessary cookies for users who decline.

Written by
Dr. Thiébaut Devergranne
Founder of Legiscope and GDPR expert

Doctor of Law from Université Panthéon-Assas (Paris II), with 23 years of experience in digital law and GDPR compliance. Former adviser to the Prime Minister's administration on the implementation of the GDPR. Thiébaut is the founder of Legiscope, an AI-automated GDPR compliance platform.