OPT-IN vs. OPT-OUT

Ervin Cohen & Jessup LLP

As technology continues to make it easier for businesses across the globe to collect, maintain, and use personally identifiable information (“PII”), securing PII has become increasingly important. For most businesses, having a customer-facing privacy notice is now a standard business practice, and is often a legal requirement. Businesses must ensure that consumers are able to express their consent to certain uses of their PII. Generally speaking, there are two methods businesses may use to obtain such consent: “opt-in” and “opt-out.” The choice of method can have significant consequences.

WHAT’S THE DIFFERENCE?

Under the “opt-in” method, a consumer must affirmatively give permission (“opt-in”) before their PII can be shared or used in accordance with a company’s privacy policy and notice. In contrast, a company using the “opt-out” method is free to share or use a consumer’s PII without express permission until the consumer takes certain steps to prevent it (“opting-out”). In either method, consent may be given in any number of ways, including checking a box online, calling a toll-free number, or returning a form by mail. What is important is that the choice is explained, the language is clear, and the process is transparent.

WHY IT MATTERS

Various laws mandate different requirements regarding the collection and use of PII. In California, some examples are the California Online Privacy Protection Act of 2003, Cal. Bus. & Prof. Code §§ 22575-22579, and the California Financial Information Privacy Act, Cal. Fin. Code §§ 4050-4060. It is important for businesses to understand how their privacy policies and notices fit into each legal structure, and ensure that they comply with all laws and regulations to which they are subject.

While “opt-out” is generally the more prevalent method used in the United States, both methods have been incorporated into legislation. For example, the Gramm-Leach-Bliley Act, a federal statute covering how “financial institutions”[1] may share the PII of individuals, has incorporated the “opt-out” method. It requires companies to both give consumers privacy notices that explain their information-sharing practices and allow consumers the opportunity to opt out of the sharing of their information with non-affiliated third parties. In contrast, California’s Financial Information Privacy Act requires that a consumer “opt in” before a financial institution may share PII with a non-affiliated third party.

Preferences also differ across the globe. For example, the prevailing privacy regulations throughout the European Union tend to employ the “opt-in” approach. Privacy laws and regulations are constantly evolving, so businesses and consumers should consult qualified privacy practitioners before collecting, using, storing and sharing PII.

[1] “Financial institutions” include not only banks, but also accounting firms, investment advisors, and other companies engaged in the financial activities covered by the Gramm-Leach-Bliley Act.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Ervin Cohen & Jessup LLP | Attorney Advertising
