Chapter 4: Information Management and Privacy Risk Management
Opt-In, Opt-Out, and No Option
U.S. laws differ on consent: opt-in (COPPA parental consent, HIPAA PHI disclosure, FCRA credit report release); opt-out (GLBA third-party transfers, VPPA, CAN-SPAM, Do Not Call); and no option for commonly accepted practices like order fulfillment.
| Model | Examples |
|---|---|
| Opt-in (affirmative/express) | COPPA parental consent before collecting a child's PI; HIPAA before disclosing PHI to third parties; FCRA before a credit report is provided to an employer/lender; EU/GDPR for marketing; sensitive data like geolocation |
| Opt-out (consumer choice) | GLBA before transferring PI to an unaffiliated third party for its own use; VPPA before sharing subscriber names and addresses for marketing (its opt-out provision; disclosing what a person actually rented or viewed still requires opt-in consent); CAN-SPAM Act for marketing email; Do Not Call for telemarketing |
| No option (commonly accepted) | Order fulfillment (shipping, card processing); internal operations, fraud prevention, legal compliance, first-party marketing |
Opt-out (consumer choice) is less stringent than opt-in, but a choice the consumer has exercised is an enforceable promise: continuing to sell or share the data of individuals who opted out can draw FTC action under Section 5 of the FTC Act, or state action under unfair or deceptive trade practices laws. For 'no option,' the 2012 FTC final report framed it as practices 'consistent with the context of the transaction' or the company-consumer relationship, or practices required or specifically authorized by law.
Key terms - quick answers
What is “Opt-in (affirmative/express consent)”?
Consumer must affirmatively agree before data is collected or used.
What is “Opt-out (consumer choice)”?
Data may be used unless the consumer affirmatively declines; still creates an enforceable promise.
What is “Double opt-in”?
Email practice where a subscriber indicates interest and then confirms via a follow-up email before receiving marketing.
What is “No option / commonly accepted practices”?
Situations where implied authority lets an organization use data without opt-in or opt-out, e.g., order fulfillment.
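The double opt-in flow above is the one consent model on this page that is implemented in code rather than only in policy, and the implementation decides whether the "affirmative" step is worth anything: the confirmation link must prove that the person who controls the mailbox clicked it, and it must not be replayable, forgeable, or usable for an address that never asked to subscribe. The following is an added illustration, not code from the original page or from any product it describes. It assumes a hypothetical `DoubleOptIn` class, an HMAC-signed confirmation token carrying the address, a per-request nonce and an issue timestamp, and a server-side subscriber table; the secret key and addresses are constructed sample values.

```python
import base64
import hashlib
import hmac
import json
import secrets


class DoubleOptIn:
    """Pending -> confirmed state machine for email marketing consent (illustrative, not a library API)."""

    def __init__(self, secret: bytes, ttl_seconds: int = 86400):
        self.secret = secret          # assumption: a server-side key, never sent to the subscriber
        self.ttl = ttl_seconds        # confirmation links expire; stale links are a common abuse vector
        self.subscribers: dict[str, dict] = {}

    def _sign(self, payload: bytes) -> str:
        mac = hmac.new(self.secret, payload, hashlib.sha256).hexdigest()
        return base64.urlsafe_b64encode(payload).decode() + "." + mac

    def request(self, email: str, now: int) -> str:
        """Step 1: the subscriber expresses interest. Nothing is sent to them yet except the confirmation link."""
        nonce = secrets.token_hex(16)
        self.subscribers[email] = {"state": "pending", "nonce": nonce, "requested_at": now}
        payload = json.dumps({"email": email, "nonce": nonce, "iat": now}).encode()
        return self._sign(payload)    # embedded in the confirmation email's link

    def confirm(self, token: str, now: int) -> bool:
        """Step 2: the link is clicked. Only a valid, fresh, single-use token flips the record to confirmed."""
        try:
            payload_b64, mac = token.rsplit(".", 1)
            payload = base64.urlsafe_b64decode(payload_b64)
            data = json.loads(payload)
            email, nonce, issued = data["email"], data["nonce"], int(data["iat"])
        except (ValueError, KeyError, TypeError):
            return False
        expected = hmac.new(self.secret, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(mac, expected):
            return False              # tampered or forged link
        if now - issued > self.ttl:
            return False              # expired link
        rec = self.subscribers.get(email)
        if rec is None or rec["state"] != "pending" or rec["nonce"] != nonce:
            return False              # never requested, already confirmed (replay), or superseded request
        rec.update(state="confirmed", nonce=None, confirmed_at=now)
        return True

    def may_send_marketing(self, email: str) -> bool:
        """Marketing goes only to addresses that completed both steps."""
        rec = self.subscribers.get(email)
        return rec is not None and rec["state"] == "confirmed"


if __name__ == "__main__":
    # Constructed sample run: the secret and address are placeholders.
    flow = DoubleOptIn(secret=b"example-secret-key", ttl_seconds=3600)
    link = flow.request("alice@example.com", now=1_000)
    print("before confirm:", flow.may_send_marketing("alice@example.com"))
    print("confirm:", flow.confirm(link, now=1_100))
    print("after confirm:", flow.may_send_marketing("alice@example.com"))
    print("replay:", flow.confirm(link, now=1_200))
```

The consent record, not the token, is the source of truth: clearing the nonce on confirmation makes the link single-use, and `may_send_marketing` is the only check the mailer should rely on, so an address that was entered but never confirmed (a typo, or someone signing up a third party) never receives marketing.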