Effectively Using an "I Agree to Privacy Policy" Checkbox

Last updated on 25 September 2019

If you've published a shiny, new GDPR-compliant Privacy Policy for your online business, you're probably feeling relieved and accomplished, and rightly so! Don't close that laptop just yet, however. Now that the Privacy Policy is live, you need to make sure website visitors are seeing it and consenting to it before their personal information is collected.

That's right. A publicly accessible Privacy Policy may not be enough to ensure that your users' privacy rights are sufficiently protected. Failing to obtain proper consent for processing consumer information could result in sticky privacy allegations, lawsuits, or hefty fines.

Keep reading to learn the best practices for obtaining valid agreement to your Privacy Policy.

By now, it's likely that your business has taken measures to satisfy the requirements of the General Data Protection Regulation (GDPR) that went into effect in 2018. One of those measures should be a thorough, easy-to-understand Privacy Policy that covers everything from EU consumer rights to third-party advertising providers.

The Privacy Policy itself is important, but it may not be enforceable if people can credibly claim that they never saw it.

For example, the GDPR requires that all European users give specific consent before a business can use their information to serve personalized advertising. If an EU user visits your online store, then your website uses their browsing data to serve them personalized ads without their prior consent, you may have a big problem with EU supervisory authorities.

This is just one of many reasons why a squeaky-clean Privacy Policy may not be enough on its own. For legal peace of mind, it is in your best interest to ensure that all users have the opportunity to understand and accept your privacy practices before you collect, store, or process their personal information.

Privacy Law and Consent

Gone are the days when a Privacy Policy link in the footer was enough to satisfy privacy law and consumers. Only a few years ago, a simple blanket statement ("By using this website you are agreeing to our Privacy Policy") could be used to assume the consent of any website visitors that submitted personal information to a business. This is no longer the case.

Throughout the world, privacy regulations are becoming more rigorous and specific about what does or does not constitute valid consent. The most notable of these is the European Union's GDPR, which states that where consent is the legal basis for collecting or processing personal data, that consent must be:

  • Freely given
  • Given by a clear, affirmative action
  • Informed
  • Specific
  • Unambiguous

While there are other allowable legal bases for processing consumer data under the GDPR (such as fulfilling a contract), specific consent will be required if you wish to use customer data for things like marketing analysis or personalized advertising. If each of your users specifically agrees to the terms of your Privacy Policy, that consent will extend to include the data processing practices that are described therein.

While the GDPR applies to processing the data of consumers that live in the EU, following its regulations can help to ensure sufficient privacy practices for customer relationships in any part of the world. Whether your organization serves European consumers or not, obtaining explicit consent for your Privacy Policy could provide the following legal benefits in any market:

  • To ensure, without a shadow of a doubt, that consumers were given every opportunity to read and understand the Privacy Policy before submitting personal information
  • To keep clear records indicating that each customer saw the Privacy Policy and agreed to it of their own free will
  • To avoid privacy disputes in which a consumer claims that they did not see or did not know about the Privacy Policy
  • To rebut claims from users that they did not understand how your company was using their personal information

No matter where your business is located or who your customers are, it is clear that there is a legal advantage to requesting explicit consent from any user that submits personal information to your company.

The Correct (and Incorrect) Way to Request Privacy Policy Consent

It is important to note that there are right and wrong ways to request consent.

First, you should include a direct link to your Privacy Policy within the form where you're collecting information and asking for consent, as shown in this example from Living Clean:

Living Clean contact form with checkbox to agree to Privacy Policy

By including the Privacy Policy link in the form, you are ensuring that the user has ample opportunity to click through and read the policy before providing personal information and agreeing to your privacy practices.

Make sure the consent checkbox is unticked when the user accesses the page, so that they must make a clear, affirmative action to agree to the policy.

Hypothesis provides us with a simple example of a consent checkbox that is unticked when the webform loads:

Hypothesis sign-up form with checkbox to agree to Privacy Policy and Terms

Note that Hypothesis goes so far as to request the user to agree that they both read and accept the Privacy Policy (and other Terms). This makes for an even more airtight agreement, since the user cannot claim they do not understand the terms of the Privacy Policy after clearly confirming that they read the policy and agreed to it.

Finally, the Article 29 Working Party advises that consent be granular, meaning that each request for consent be designated its own individual checkbox. In other words, if a webform is asking the user to agree to both the Privacy Policy and email marketing messages, each of these must be ticked off in a separate checkbox, as illustrated below by Walmart Canada:

Walmart Canada create account form with checkbox to agree to Privacy Policy and subscribe to emails

These examples illustrate the most valid and binding ways to obtain user consent of the Privacy Policy. There are some common methods that may not be as effective, however.

These are a few consent practices to avoid:

1. Do not pre-tick a consent checkbox. If the user does not actually click to accept the policy, consent will not be considered freely given or unambiguous. Apple keeps checkboxes pre-ticked for marketing communications in this form, which would not be considered valid consent under the GDPR:

Apple Create ID form with pre-ticked checkboxes

2. Whenever possible, avoid making Privacy Policy acceptance an automatic condition of new user registration (a line beside the submit button reading "By creating an account you agree to our Privacy Policy") with no additional affirmative action on the part of the user. Although this is still a common practice, it may not be considered valid consent under some privacy laws, and it leaves the business with no proof of a user's explicit, unambiguous acceptance of the policy.

Here is an example of this type of consent form from Mailchimp:

Mailchimp Create Account form

3. Don't bundle different types of consent together. For example, email marketing consent should not be rolled in with the same checkbox as Privacy Policy acceptance, as McDonald's has demonstrated in this signup form:

McDonald's Join Email List form

To recap: You should use checkboxes to get consent, and use separate boxes for each thing you wish to get consent for. Make sure the boxes are clearly labeled, with links to any agreements included, and are left unchecked so your users can check them themselves.

Where to Implement Privacy Policy Consent

For best effect, implement the use of Privacy Policy consent in any webform or interface that requires the visitor to submit personal information. Below we've provided some examples of the most common and effective placements for Privacy Policy consent requests.

Contact Forms

The contact form is usually the first point of contact between a company and a prospective customer. Just remember that if the visitor submits so much as an email address, you will need to obtain consent if you intend to store that information and use it for analysis or marketing purposes.

This is an opportune moment to obtain consent for data processing, as the European Tour Operators Association has done here:

European Tour Operators Association Contact Form

When a user checks that box, they are explicitly agreeing to let ETOA use their personal information in order to contact them. This may seem unnecessary or obvious, since someone filling out a contact form clearly wants to be contacted, but consent should never be assumed. It is better to state plainly how the personal information will be used so that everyone is on the same page.

Marketing Sign-up Forms

Much like contact forms, marketing signup forms represent a submission of personal information from a consumer to a business. Even if the form has only one field for the email address, it would still be wise to include a Privacy Policy consent request.

Here's an example from Yelp:

Yelp sign-up form

Yelp places the Privacy Policy and Terms consent at the very top of the form, giving it more importance and prominence. This placement helps to differentiate Privacy Policy acceptance from other types of consent and may help to communicate the significance of the Privacy Policy to the user before they submit personal information.

Registration Forms

Registration forms are universal. They are used across all platforms and mobile devices and remain an integral component of doing business online. This is one of the most important places to include a Privacy Policy consent request since it represents the beginning of a potentially long-term data processing arrangement.

Even mobile apps should incorporate this feature into registration forms, as shown in the PayPal application's registration interface below:

PayPal app create account screen

Even on mobile apps you can have your users tap a checkbox to provide consent. Note that PayPal goes a step further by having the user confirm that they "read, consent and agree to" the policy rather than merely agreeing to it. Using the word "consent" itself makes it even clearer that consent is being obtained here.

Checkout Pages

Here is another situation that represents a business transaction and, in the case of an e-commerce checkout page, an exchange of sensitive payment information. It is very likely that you will use customer purchase history and data to perform various kinds of internal sales and marketing analyses, making it even more important to incorporate a Privacy Policy agreement into the process.

You can see a great example of this type of form here, from Bloomer Armada. Note the use of double checkboxes directly above the "Place Order" button. This helps ensure a user cannot miss these boxes as they'd be the final step in the process before formalizing the order:

Bloomer Armada checkout form

By following the guidelines above to incorporate Privacy Policy consent into every key place where you request personal information from your customers, you may be able to head off potential privacy disputes or allegations before they ever develop. This is one of many ways you can demonstrate to both customers and privacy authorities that your business is serious about internet privacy and transparency.
