Articles on: Consentik Cookies

Consent Models Explained: Opt-in, Opt-out, and Notice

Consent models explained: Opt-in, Opt-out, and Notice

If you sell internationally, your visitors live under very different privacy laws. A shopper in Berlin, a shopper in California, and a shopper in Tokyo each have different legal rights over how their data is collected — and each expects a different kind of cookie banner. To make this manageable, privacy laws around the world can be grouped into three consent models: Opt-in, Opt-out, and Notice.
This article explains what each model means, which laws use it, and how your banner behaves under each one. Consentik’s Smart Geo-targeting feature uses these three models to automatically serve every visitor the banner their local law requires.
Note: This article is for general information and is not legal advice. If you’re unsure which rules apply to your business, please consult a legal professional.


🟢 Opt-in — ask before you track

The idea: nothing is tracked until the visitor actively agrees. Consent must be a real choice, which is why the law also dictates how the banner looks and behaves.
Where it applies: the EU/EEA under GDPR, the UK, and a growing list of countries with GDPR-style laws (Brazil’s LGPD, Switzerland’s FADP, and many others). It’s also the safest default for regions with no specific law.
What the banner must do:

  • Show Accept and Reject with equal prominence — declining must be as easy as accepting.
  • Block all managed tracking scripts until the visitor makes a choice. Embedded elements (videos, maps, widgets) show a placeholder until consent is given.
  • Stay on screen — the banner has no close icon and can’t be dismissed without a choice.
  • Optionally offer a Preferences popup so visitors can grant consent per category (analytics, marketing…). Necessary cookies always stay on.

After the choice: Accept unblocks everything immediately; Decline keeps non-essential tracking off. Either way, the choice is remembered and a small re-open button lets the visitor change their mind later.


🟠 Opt-out — track, but respect the visitor’s right to say no

The idea: tracking may run by default, but visitors have the right to stop their personal data from being sold or shared — and that control must always be within reach.
Where it applies: US states with privacy laws, led by California’s CCPA/CPRA and followed by a growing list of states (Texas, Virginia, Colorado, and more). Consentik treats each US state individually.
What the banner must do:

  • Show a “Do not sell/share my personal data” control — in Consentik this is a checkbox on the banner, with a label you can customize.
  • Keep that control reachable at any time — after the banner is closed, the re-open button serves as the way back.
  • Honor Global Privacy Control (GPC): if the visitor’s browser sends a GPC signal, Consentik registers the opt-out automatically.

After an opt-out: scripts that sell or share personal data are stopped, and ad-related consent signals (Google Consent Mode’s ad_storage, ad_user_data, ad_personalization) switch to denied. Analytics unrelated to data sales keeps running.


🔵 Notice — inform, and carry on

The idea: the law requires transparency, not permission. Visitors must be told that cookies and tracking are in use, but tracking doesn’t have to wait for their approval.
Where it applies: Japan, Australia, New Zealand, and other notice-based jurisdictions.
What the banner does:

  • Shows a simple informational banner with one Accept button and a close icon.
  • Tracking runs from the first page view — accepting or closing the banner doesn’t change anything; the banner is purely informational.
  • Once dismissed, the banner doesn’t come back, and no re-open button is needed.

Because visitors in Notice regions don’t have to approve anything, serving them a strict Opt-in banner would only add friction (and lower your measurable traffic) without any legal benefit — which is exactly why one global banner is rarely the best setup.


Side-by-side comparison


🟢Opt-in

🟠Opt-out

🔵 Notice

Consent logic

"Ask first" — no tracking until the visitor agrees

"Track, but let me stop you" — tracking runs until the visitor objects

"Just tell me" — inform the visitor, no permission needed

Example laws

GDPR (EU/EEA), UK GDPR, LGPD, and other GDPR-style laws

CCPA/CPRA (California) and other US state laws

APPI (Japan), Privacy Act (Australia), New Zealand

Tracking before a choice

Blocked

Runs immediately

Runs immediately

Required controls

Accept + Reject, equally prominent

Accept + an always-reachable "Do not sell/share my personal data" control

Accept

Can the banner be dismissed?

No — a choice is required

Yes

Yes

Banner type in Consentik

Simple Banner or Banner with Categories (your choice)

Always Simple Banner

Always Simple Banner

Re-open button

Yes

Yes — the way back to the Do-Not-Sell control

Not needed

GPC signal

Honored automatically


How Consentik applies these models

With Smart Geo-targeting (Advanced plan) turned on in the Geolocation tab, Consentik detects each visitor’s location across 284 regions — countries plus individual US states — and looks up the consent model their region requires:

  • 187 regions have a specific privacy law and are locked to the model that law requires — for example Germany is always Opt-in, California is always Opt-out, Japan is always Notice. This protects you from misconfiguration.
  • 31 US states without their own privacy law are set to Opt-out, inferred from the GPC requirement — you can adjust these.
  • 66 regions with no detected privacy law default to Opt-in as the safe choice — you can switch them to Opt-out or Notice if you prefer less friction there.

If a visitor’s location can’t be determined at all, Consentik falls back to Opt-in, the strictest model. The law mapping is maintained and versioned by Consentik and updated as new laws phase in — no app update or action needed on your side.
One thing that stays the same everywhere: your content. All three models share one set of titles, messages, and button labels — what changes between them is which buttons appear and how tracking behaves, not the wording.


Why this matters for your store

  • Compliance without micromanagement — every visitor automatically gets the banner their law requires, even as new laws take effect.
  • Better consent and conversion rates — a global Opt-in banner blocks tracking for visitors who never needed to be asked. Serving Opt-out and Notice banners where the law allows keeps your analytics and ads data flowing for those regions.
  • Cleaner data for ads — Google Consent Mode v2 receives the right signals per region: consent updates are sent automatically on page load in Opt-out and Notice regions, while Opt-in regions wait for the visitor’s real choice.


FAQ

  1. Which model is “best”? None — they’re legal frameworks, not options to rank. The right model is the one the visitor’s local law requires, which is exactly what Smart Geo-targeting resolves for you.
  2. Can I use one model for the whole world? You can (leave Smart Geo-targeting off), but it forces a trade-off: a global Opt-in banner sacrifices consent rates in regions that don’t require it, while a lighter global banner risks non-compliance in the EU.
  3. Why can’t I change the model for some regions? Regions whose law mandates a model are locked on purpose — changing Germany to Notice, for instance, would put your store out of compliance. Only regions with no specific law are adjustable.

Related article: Smart Geo-targeting — show every visitor the right consent banner for their region.

Updated on: 09/07/2026

Was this article helpful?

Share your feedback

Cancel

Thank you!