Consent Models Explained: Opt-in, Opt-out, and Notice
Consent models explained: Opt-in, Opt-out, and Notice
If you sell internationally, your visitors live under very different privacy laws. A shopper in Berlin, a shopper in California, and a shopper in Tokyo each have different legal rights over how their data is collected — and each expects a different kind of cookie banner. To make this manageable, privacy laws around the world can be grouped into three consent models: Opt-in, Opt-out, and Notice.
This article explains what each model means, which laws use it, and how your banner behaves under each one. Consentik’s Smart Geo-targeting feature uses these three models to automatically serve every visitor the banner their local law requires.
Note: This article is for general information and is not legal advice. If you’re unsure which rules apply to your business, please consult a legal professional.
🟢 Opt-in — ask before you track
The idea: nothing is tracked until the visitor actively agrees. Consent must be a real choice, which is why the law also dictates how the banner looks and behaves.
Where it applies: the EU/EEA under GDPR, the UK, and a growing list of countries with GDPR-style laws (Brazil’s LGPD, Switzerland’s FADP, and many others). It’s also the safest default for regions with no specific law.
What the banner must do:
- Show Accept and Reject with equal prominence — declining must be as easy as accepting.
- Block all managed tracking scripts until the visitor makes a choice. Embedded elements (videos, maps, widgets) show a placeholder until consent is given.
- Stay on screen — the banner has no close icon and can’t be dismissed without a choice.
- Optionally offer a Preferences popup so visitors can grant consent per category (analytics, marketing…). Necessary cookies always stay on.
After the choice: Accept unblocks everything immediately; Decline keeps non-essential tracking off. Either way, the choice is remembered and a small re-open button lets the visitor change their mind later.
🟠 Opt-out — track, but respect the visitor’s right to say no
The idea: tracking may run by default, but visitors have the right to stop their personal data from being sold or shared — and that control must always be within reach.
Where it applies: US states with privacy laws, led by California’s CCPA/CPRA and followed by a growing list of states (Texas, Virginia, Colorado, and more). Consentik treats each US state individually.
What the banner must do:
- Show a “Do not sell/share my personal data” control — in Consentik this is a checkbox on the banner, with a label you can customize.
- Keep that control reachable at any time — after the banner is closed, the re-open button serves as the way back.
- Honor Global Privacy Control (GPC): if the visitor’s browser sends a GPC signal, Consentik registers the opt-out automatically.
After an opt-out: scripts that sell or share personal data are stopped, and ad-related consent signals (Google Consent Mode’s ad_storage, ad_user_data, ad_personalization) switch to denied. Analytics unrelated to data sales keeps running.
🔵 Notice — inform, and carry on
The idea: the law requires transparency, not permission. Visitors must be told that cookies and tracking are in use, but tracking doesn’t have to wait for their approval.
Where it applies: Japan, Australia, New Zealand, and other notice-based jurisdictions.
What the banner does:
- Shows a simple informational banner with one Accept button and a close icon.
- Tracking runs from the first page view — accepting or closing the banner doesn’t change anything; the banner is purely informational.
- Once dismissed, the banner doesn’t come back, and no re-open button is needed.
Because visitors in Notice regions don’t have to approve anything, serving them a strict Opt-in banner would only add friction (and lower your measurable traffic) without any legal benefit — which is exactly why one global banner is rarely the best setup.
Side-by-side comparison
🟢Opt-in | 🟠Opt-out | 🔵 Notice | |
|---|---|---|---|
Consent logic | "Ask first" — no tracking until the visitor agrees | "Track, but let me stop you" — tracking runs until the visitor objects | "Just tell me" — inform the visitor, no permission needed |
Example laws | GDPR (EU/EEA), UK GDPR, LGPD, and other GDPR-style laws | CCPA/CPRA (California) and other US state laws | APPI (Japan), Privacy Act (Australia), New Zealand |
Tracking before a choice | Blocked | Runs immediately | Runs immediately |
Required controls | Accept + Reject, equally prominent | Accept + an always-reachable "Do not sell/share my personal data" control | Accept |
Can the banner be dismissed? | No — a choice is required | Yes | Yes |
Banner type in Consentik | Simple Banner or Banner with Categories (your choice) | Always Simple Banner | Always Simple Banner |
Re-open button | Yes | Yes — the way back to the Do-Not-Sell control | Not needed |
GPC signal | — | Honored automatically | — |
How Consentik applies these models
With Smart Geo-targeting (Advanced plan) turned on in the Geolocation tab, Consentik detects each visitor’s location across 284 regions — countries plus individual US states — and looks up the consent model their region requires:
- 187 regions have a specific privacy law and are locked to the model that law requires — for example Germany is always Opt-in, California is always Opt-out, Japan is always Notice. This protects you from misconfiguration.
- 31 US states without their own privacy law are set to Opt-out, inferred from the GPC requirement — you can adjust these.
- 66 regions with no detected privacy law default to Opt-in as the safe choice — you can switch them to Opt-out or Notice if you prefer less friction there.
If a visitor’s location can’t be determined at all, Consentik falls back to Opt-in, the strictest model. The law mapping is maintained and versioned by Consentik and updated as new laws phase in — no app update or action needed on your side.
One thing that stays the same everywhere: your content. All three models share one set of titles, messages, and button labels — what changes between them is which buttons appear and how tracking behaves, not the wording.
Why this matters for your store
- Compliance without micromanagement — every visitor automatically gets the banner their law requires, even as new laws take effect.
- Better consent and conversion rates — a global Opt-in banner blocks tracking for visitors who never needed to be asked. Serving Opt-out and Notice banners where the law allows keeps your analytics and ads data flowing for those regions.
- Cleaner data for ads — Google Consent Mode v2 receives the right signals per region: consent updates are sent automatically on page load in Opt-out and Notice regions, while Opt-in regions wait for the visitor’s real choice.
FAQ
- Which model is “best”? None — they’re legal frameworks, not options to rank. The right model is the one the visitor’s local law requires, which is exactly what Smart Geo-targeting resolves for you.
- Can I use one model for the whole world? You can (leave Smart Geo-targeting off), but it forces a trade-off: a global Opt-in banner sacrifices consent rates in regions that don’t require it, while a lighter global banner risks non-compliance in the EU.
- Why can’t I change the model for some regions? Regions whose law mandates a model are locked on purpose — changing Germany to Notice, for instance, would put your store out of compliance. Only regions with no specific law are adjustable.
Related article: Smart Geo-targeting — show every visitor the right consent banner for their region.
Updated on: 09/07/2026
Thank you!