Every privacy law on the books boils down to one question: does a website need permission before collecting personal data, or can it collect first and let users object later? That split - opt-in versus opt-out - shapes how cookie banners work, what scripts load on page visit, and how much legal exposure a site carries.
What Opt-In Consent Actually Means
Opt-in consent means no non-essential cookies or trackers fire until the visitor takes a deliberate action - clicking an accept button, toggling specific categories, or ticking an unchecked box. Until that moment, the browser receives only strictly necessary cookies, such as session tokens and load-balancer affinity cookies.
The GDPR defines valid consent as freely given, specific, informed, and unambiguous, delivered through a clear affirmative action. Pre-ticked checkboxes do not count. Neither does scrolling, continued browsing, or closing the banner without making a choice. The 2019 Planet49 ruling by the Court of Justice of the European Union confirmed this explicitly: pre-checked boxes fail the standard set by Article 5(3) of the ePrivacy Directive.
Under opt-in, a cookie banner must present real choices with equal prominence. A large green "Accept All" button next to a barely visible "Manage Settings" link is exactly the kind of design that regulators target. The CNIL in France has been particularly aggressive here, issuing combined fines of over 139 million euros between December 2022 and December 2024 for breaches of Article 82 of the French Data Protection Act, which implements the ePrivacy Directive. In September 2025, the CNIL went further still, fining Google 325 million euros and Shein 150 million euros for cookie consent violations including setting advertising cookies before obtaining valid consent.
What Opt-Out Consent Means
Opt-out consent flips the default. Data collection starts the moment a user arrives. Cookies load, scripts fire, and tracking begins unless the visitor actively objects - typically through a settings panel, a "Do Not Sell" link, or a browser-level signal.
The California Consumer Privacy Act (CCPA), as amended by the CPRA, is the most prominent opt-out regime. It does not require prior consent for most data collection. Instead, businesses must provide a clearly labelled "Do Not Sell or Share My Personal Information" link and honour opt-out requests for at least 12 months before asking the user to reconsider.
Most US state privacy laws follow this same pattern. By the end of 2025, twenty states had comprehensive privacy laws in effect, and nearly all of them rely on an opt-out model for general personal data. The exception is sensitive data - health information, precise geolocation, biometric identifiers, and children's data - which typically requires opt-in consent even under US laws.
Opt-In vs Opt-Out: A Side-by-Side Comparison
| Factor | Opt-In | Opt-Out |
|---|---|---|
| Default state | No data collection until consent is given | Data collection begins immediately |
| User action required | Affirmative action to allow (click, toggle) | Affirmative action to refuse (opt-out link, settings) |
| Cookie behaviour | Non-essential cookies blocked until accepted | All cookies load by default |
| Banner design | Accept and Reject must have equal prominence | "Do Not Sell" link sufficient in many cases |
| Key regulations | GDPR, ePrivacy Directive, UK GDPR, LGPD, Quebec Law 25 | CCPA/CPRA, Virginia VCDPA, Colorado CPA, most US states |
| Sensitive data | Opt-in required | Opt-in also required in most US states |
| Withdrawal | Must be as easy as giving consent | Opt-out must be honoured for 12+ months |
Which Laws Require Opt-In?
The opt-in model dominates outside the United States. The GDPR and ePrivacy Directive require it across all EU and EEA member states. The UK GDPR paired with the Privacy and Electronic Communications Regulations (PECR) applies the same standard in the United Kingdom. Brazil's LGPD mandates opt-in for personal data processing, with the ANPD stepping up enforcement since its first fine in 2023.
Quebec's Law 25, fully in force since September 2024, requires explicit consent for cookies and identifiers, with penalties climbing to CAD 25 million or 4% of global revenue. South Africa's POPIA follows the same opt-in approach for direct marketing and cookies. Japan's APPI, while not treating all cookies as personal data, requires consent when cookies are used to identify individuals or when cookie data is transmitted to third parties under the Telecommunications Business Act.
India's DPDPA will add another major jurisdiction to the opt-in column once enforcement begins, with a Consent Manager registration requirement set for November 2026.
Which Laws Allow Opt-Out?
The opt-out model is primarily a US phenomenon. The CCPA/CPRA opt-out framework set the template, and subsequent state laws in Virginia, Colorado, Connecticut, Utah, Iowa, Indiana, Kentucky, Rhode Island, and others have largely followed it. PIPEDA in Canada allows implied consent for some low-risk, clearly explained purposes, though Quebec operates under stricter rules.
A critical development is the rise of universal opt-out mechanisms. The Global Privacy Control (GPC) is a browser-level signal that tells websites the user wants to opt out of data sales and targeted advertising. As of January 2026, at least twelve US states - including California, Colorado, Connecticut, Delaware, Maryland, Minnesota, Montana, New Jersey, New Hampshire, Nebraska, Oregon, and Texas - require businesses to honour GPC signals. California, Colorado, and Connecticut announced a joint investigative sweep targeting non-compliant businesses, signalling that enforcement is moving from guidance to action.
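The GPC signal described above reaches a site in two forms: as the `Sec-GPC: 1` request header on the server side, and as the boolean `navigator.globalPrivacyControl` in the browser. The following is an added example, not code from the original article or from any consent vendor, showing how to read both and how to decide whether a given visitor must be treated as opted out. The two-letter region codes and the `honourEverywhere` default are assumptions made for the example; the list of states mirrors the twelve named in the paragraph.

```javascript
// Added example: reading the Global Privacy Control signal and deciding what it means
// for a visitor. Not the article's or any vendor's code.

// States the article lists as requiring GPC to be honoured (as of January 2026).
// The "US-xx" region codes are an assumption for this example.
const GPC_MANDATORY_REGIONS = new Set([
  "US-CA", "US-CO", "US-CT", "US-DE", "US-MD", "US-MN",
  "US-MT", "US-NJ", "US-NH", "US-NE", "US-OR", "US-TX",
]);

// Server side: the GPC specification defines exactly one valid header value, "Sec-GPC: 1".
// Anything else ("0", "true", an absent header) is treated as no signal. Header names are
// case-insensitive; Node lower-cases them, other stacks may not, so compare case-insensitively.
function gpcFromHeaders(headers) {
  for (const [name, value] of Object.entries(headers)) {
    if (name.toLowerCase() === "sec-gpc") {
      return String(value).trim() === "1";
    }
  }
  return false;
}

// Browser side: the boolean navigator.globalPrivacyControl. The navigator object is passed
// in as a parameter so the function can run (and be tested) outside a browser.
function gpcFromNavigator(nav) {
  return nav != null && nav.globalPrivacyControl === true;
}

// Decide how to treat the visitor. In a GPC-mandatory state a set signal is a binding opt-out
// of sale/sharing and targeted advertising. Elsewhere, honouring it is a policy choice; this
// example honours it everywhere by default, which is the conservative setting.
function optOutDecision({ region, gpc, honourEverywhere = true }) {
  const mandatory = GPC_MANDATORY_REGIONS.has(region);
  if (gpc && (mandatory || honourEverywhere)) {
    return { optedOut: true, reason: mandatory ? "gpc-mandatory" : "gpc-voluntary" };
  }
  return { optedOut: false, reason: gpc ? "gpc-ignored" : "no-signal" };
}
```

In a request handler, call `gpcFromHeaders(req.headers)` before any personalisation or ad-tag decision is made; in the page, `gpcFromNavigator(navigator)` gives the same answer without a round trip. The decision function is deliberately separate from detection so the region list can be updated as further states adopt the requirement.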
The Hybrid Reality: Geo-Targeted Consent
Most websites serve visitors from multiple jurisdictions. A visitor from Germany needs an opt-in banner with granular category controls and an equally prominent reject button. A visitor from Texas needs a "Do Not Sell" link and GPC signal recognition. A visitor from a country with no specific cookie law might see a simplified notice.
This is where geo-targeted consent becomes essential. A consent management platform detects the visitor's location and applies the correct consent model automatically - opt-in for EU and UK visitors, opt-out for most US states, and the appropriate local standard for other regions. Without geo-targeting, the safest approach is to default to opt-in everywhere, since it satisfies the strictest standard. The trade-off is lower consent rates and reduced analytics data for visitors who might not legally require prior consent.
What Happens When You Get It Wrong
Enforcement is no longer theoretical. The CNIL alone issued 486.8 million euros in fines during 2025 - nearly nine times its 2024 total - with cookie violations among its top priorities. Twenty-one organisations were sanctioned specifically for storing trackers without valid consent. Across the Atlantic, the California Privacy Protection Agency issued its largest penalty of 1.35 million dollars in 2025, focused on data-sharing transparency and opt-out failures. Honda was fined for requiring excessive verification steps for opt-out requests and using asymmetric cookie controls where opting in was easier than opting out.
How to Configure Your Cookie Banner Correctly
Setting up compliant consent means more than choosing a template. The banner needs to match the legal model that applies to each visitor.
For opt-in jurisdictions (EU, UK, Brazil, Quebec, South Africa)
Block all non-essential cookies until the visitor makes a choice. Present Accept All, Reject All, and a granular category selector on the first layer. Reject All must be a single-click action, not buried behind a preferences panel. Store a timestamped consent record that logs which categories were accepted, what banner version was shown, and the visitor's general location. Respect withdrawal immediately - if a visitor revokes consent, non-essential cookies must stop and previously set cookies should be deleted or expired.
For opt-out jurisdictions (US states)
Display a clear privacy notice informing visitors about data collection. Provide a "Do Not Sell or Share" link accessible from every page. Honour GPC signals automatically without requiring any additional user action. Log opt-out preferences and ensure they propagate to downstream systems - ad networks, analytics tools, and data processors must all respect the signal.
For mixed audiences
Use geo-detection to serve the correct banner per jurisdiction. Run a cookie scan to identify every cookie and script on your site, then categorise them properly. Configure Google Consent Mode v2 so that Google tags respect the consent state and fall back to cookieless pings when consent is denied.
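The three configurations above come together in one consent gate. The following is an added example, not code from the original article or from any consent platform: it chooses the consent model from the visitor's region, keeps non-essential scripts blocked until a decision exists in opt-in regions, honours a GPC signal in opt-out regions, appends an auditable consent record for every choice and withdrawal, lists the cookies a withdrawal must expire, and maps the resulting state onto the Google Consent Mode v2 parameters. The region codes (`"EU"`, `"GB"`, `"US-TX"`, and so on), the category names and the banner version string are assumptions made for the example; the `gpc` argument is a boolean already derived from the `Sec-GPC` header or `navigator.globalPrivacyControl`.

```javascript
// Added example, not the article's or any vendor's code. Region codes, category names and
// the banner version are assumptions made for this illustration.

// Jurisdictions the article lists as opt-in; any "US-xx" region gets the opt-out model.
const OPT_IN_REGIONS = new Set(["EU", "GB", "BR", "CA-QC", "ZA"]);
const NON_ESSENTIAL = ["functional", "analytics", "marketing"];

function consentModelFor(region) {
  if (OPT_IN_REGIONS.has(region)) return "opt-in";
  if (region.startsWith("US-")) return "opt-out";
  return "opt-in"; // unknown jurisdiction: fall back to the strictest model
}

// State before the visitor has acted. Opt-in starts with everything non-essential denied and
// no decision on file; opt-out starts granted and needs no user action, except that a GPC
// signal denies the sale/sharing-related marketing category at once. Which categories count
// as "sale or sharing" is a policy decision; here it is marketing only.
function initialState(region, gpc) {
  const model = consentModelFor(region);
  const state = Object.fromEntries(NON_ESSENTIAL.map((c) => [c, model === "opt-out"]));
  if (model === "opt-out" && gpc) state.marketing = false;
  return { model, state, decided: model === "opt-out", log: [] };
}

// Gate every tag on its declared category. Strictly necessary scripts always run; the rest
// run only while their category is granted, so nothing non-essential fires before a choice.
function mayLoad(script, consent) {
  return script.category === "necessary" || consent.state[script.category] === true;
}

// Apply a banner choice and append an auditable record: when, where, which banner version,
// which model applied and the resulting per-category state. `choice` is "accept-all",
// "reject-all" or an object of per-category booleans from the granular selector.
function recordConsent(consent, choice, ctx, action) {
  const state = Object.fromEntries(
    NON_ESSENTIAL.map((c) => [
      c,
      choice === "accept-all" ? true : choice === "reject-all" ? false : choice[c] === true,
    ])
  );
  const record = {
    timestamp: ctx.now.toISOString(),
    region: ctx.region,
    bannerVersion: ctx.bannerVersion,
    model: consent.model,
    action: action || (typeof choice === "string" ? choice : "custom"),
    categories: state,
  };
  return { model: consent.model, state, decided: true, log: [...consent.log, record] };
}

// Withdrawal takes effect immediately: deny every non-essential category, log it, and return
// the cookies that must now be expired. `inventory` maps cookie name to category, i.e. the
// output of a cookie scan.
function withdraw(consent, inventory, ctx) {
  const next = recordConsent(consent, "reject-all", ctx, "withdraw");
  const expire = Object.entries(inventory)
    .filter(([, category]) => category !== "necessary")
    .map(([name]) => name);
  return { consent: next, expire };
}

// Set-Cookie value that expires a cookie; in the page, assign the same string to document.cookie.
function expireCookie(name) {
  return `${name}=; Max-Age=0; Path=/`;
}

// Google Consent Mode v2: the ad_* parameters follow the marketing category and
// analytics_storage follows analytics. Pass the result to gtag('consent', 'default', ...)
// before any Google tag loads and to gtag('consent', 'update', ...) after each decision;
// with a denied state the tags fall back to cookieless pings.
function consentModeParams(consent) {
  const g = (granted) => (granted ? "granted" : "denied");
  return {
    ad_storage: g(consent.state.marketing),
    ad_user_data: g(consent.state.marketing),
    ad_personalization: g(consent.state.marketing),
    analytics_storage: g(consent.state.analytics),
  };
}
```

The flow on page load is `initialState(region, gpc)`, then `consentModeParams` into the Consent Mode default call, then `mayLoad` for each tag in the tag manifest. A visitor from the EU gets every non-essential tag held back until `recordConsent` runs; a visitor from Texas gets tags loaded immediately, minus the marketing category if the browser sent GPC. Because `recordConsent` and `withdraw` return a new state rather than mutating the old one, the `log` array is an append-only trail that can be persisted as the consent record the opt-in section calls for.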
Frequently Asked Questions
Can I use an opt-out model for visitors from the EU?
No. The GDPR and ePrivacy Directive require opt-in consent for non-essential cookies. Loading tracking or advertising cookies before a visitor actively consents violates Article 5(3) of the ePrivacy Directive, regardless of whether an opt-out mechanism is available.
Does the CCPA require a cookie consent banner?
Not in the GDPR sense. The CCPA requires a privacy notice and a "Do Not Sell or Share My Personal Information" link. You do not need to block cookies before they load, but you must honour opt-out requests and recognise Global Privacy Control signals in states that mandate it.
What is Global Privacy Control and do I need to support it?
Global Privacy Control (GPC) is a browser-level signal that communicates a user's opt-out preference. As of 2026, at least twelve US states legally require businesses to honour it. California, Colorado, and Connecticut have launched joint enforcement sweeps targeting non-compliant sites.
Are pre-ticked consent checkboxes legal under any privacy law?
No major privacy law considers pre-ticked checkboxes valid consent. The GDPR explicitly prohibits them, the Planet49 CJEU ruling confirmed this, and US state laws that require opt-in for sensitive data also demand affirmative action from the user.
How does opt-in consent affect my analytics data?
Opt-in reduces the volume of analytics data because visitors who decline or ignore the banner are not tracked. Google Consent Mode v2 partially mitigates this by using cookieless pings to model conversions, but reported traffic will be lower than actual traffic in opt-in regions.
Can I show different consent banners to visitors from different countries?
Yes. Geo-targeted consent is considered best practice. A consent management platform can detect visitor location and serve an opt-in banner to EU visitors and an opt-out notice to US visitors automatically, ensuring compliance without applying the strictest rules everywhere.
What happens if a user opts in and later wants to opt out?
Under the GDPR, withdrawing consent must be as easy as giving it - typically a single click from a persistent settings icon or footer link. Under US opt-out laws, the business must honour the opt-out for at least 12 months before requesting the user to reconsider.
Take Control of Your Cookie Compliance
Getting opt-in and opt-out right is not just about picking a banner template - it requires matching the consent model to each visitor's jurisdiction, blocking scripts until the right moment, and keeping auditable records of every choice. Kukie.io handles geo-targeted consent, cookie scanning, and consent logging out of the box, so your site stays compliant regardless of where your visitors are.