Browsewrap Versus Clickwrap

by Nicole O. Legal writer.
Browsewrap Versus Clickwrap

Do you include legal documents like a Privacy Policy or Terms of Service on your website?

If so, you probably also use a form of consent to make your terms enforceable.

The two most common types of digital consent for websites are browsewrap and clickwrap. But only one of these is likely to make your contracts enforceable and keep you compliant with privacy laws like the GDPR.

Clickwrap is quickly becoming the new standard in contract agreements. If you're not yet using it, then you should be. Keep reading to learn about the differences between browsewrap and clickwrap and see examples of how real companies use each format on their sites.


Browsewrap vs. Clickwrap: The Differences and Why They're Changing

Browsewrap and clickwrap are two ways of agreeing to a contract hosted online.

Browsewrap was the previous standard for agreement to legal contracts because it was simple and designed to cover everyone all the time. It best embodied the shrink wrap agreement often found elsewhere in the software industry.

With a shrink wrap agreement, the legal agreement is inside a package. Opening the package (removing the shrink wrap) binds the customer to the agreement. On the internet, browsewrap agreements effectively state that by using a site or app, you agree to its Terms & Conditions and Privacy Policy by default.

It usually says something like "your Use of our Site constitutes your acceptance of these Terms of Use and your agreement to be bound by them."

In other words, you are already on the site, so you agree. If you don't like it, don't use the site.

By putting a link to your legal documents on the site, you gather consent or agreement to those documents from everyone who uses the site - even if they never click on the link to your document.

What does browsewrap look like?

If you sign-up for the viral morning newsletter from TheSkimm, you encounter browsewrap. When you enter your email (and allow The Skimm to contact you), you do so without clicking a consent form:

TheSkimm email sign-up form

If you visit The Skimm's Privacy Policy page, you see that it uses the browsewrap format:

TheSkimm Privacy Policy: Browsewrap clause

Another example of browsewrap still exists on Expedia's Terms of Use page. It argues that if you use the service to book a reservation or contact the call center, then the Terms of Use apply. If you don't agree, then don't use the site.

Expedia Terms of Use: Browsewrap clause

Cash App also uses browsewrap for both its Privacy Policy and Terms of Service:

Cash App Privacy Notice: Browsewrap clause

Although the cookie notice links to the Privacy Policy, it doesn't provide a consent mechanism for you to agree to the cookies or control your cookie options. You can either provide the cookies or not use the site. Those are your two options:

Cash App cookie notice: Browsewrap section

Finally, Airbnb's U.S. site uses browsewrap.

Its Terms of Service says that "By accessing or using the Airbnb Platform, you agree to comply with and be bound by these terms."

Airbnb Terms of Service: Browsewrap clause

Clickwrap agreements require more from both you (the website owner) and your customers. They have two components that make a real difference in consent:

First, they provide notice by providing a link or even a short summary of the legal contract.

Second, they offer a chance for informed and actionable consent (usually with an "I agree" checkbox or a button).

When a site uses clickwrap, it requires the user to provide expressed consent to the entire agreement before proceeding by forcing them to click "Ok," "I agree" or "I accept," or check a box either on a dialog box or within a pop-up window.

It also gives the customer the chance to decline or not give consent. The user can close the window or click a "Cancel" button. Alternatively, they can choose not to sign-up at all.

You can also make the agreements more granular. For example, you can use different mechanisms for marketing emails, agreeing to a Privacy Policy, and cookie options.

Trello uses a form of clickwrap on its account creation page. It doesn't use a checkbox or dedicated button, but instead links to its Terms of Service and Privacy Policy and clearly states that it uses the "Create New Account" button as a replacement for "Ok" or "I agree."

Trello account sign-up form

Like Trello, Etsy also uses clickwrap at account creation. Instead of using a dedicated button or checkbox, Etsy considers clicking "Register" or logging in with Google, Facebook or Apple to be an acknowledgment of your consent to both its Terms of Service and Privacy Policy:

Etsy create account form - Updated

WeTransfer is the first example that uses clickwrap with an "I agree to" checkbox. Its checkbox is found on its account upgrade page, which requires you to enter billing details:

WeTransfer checkout form with Agree checkbox

These checkboxes are better suited to GDPR compliance because they require new users to complete two actions: first you agree to Terms of Service then you complete your order.

The Washington Post takes a different method largely targeted towards EU IP addresses. It addresses the site's cookie use, and you need to click the "I agree" checkbox to even reach the site much less manually provide any personal information. Although the page links to the site's Privacy Policy and Terms of Service, this page isn't asking for consent to these yet. It only deals with cookies:

Washington Post cookie notice

The best approach really is to use a checkbox, even if you aren't specifically required to comply with the GDPR. As more privacy laws arise and get stricter, this is surely the way of the future of consent.

Why Browsewrap No Longer Suffices and What's Next

Why Browsewrap No Longer Suffices and What's Next

For a long time, browsewrap was the default mode of consent. And many sites still rely on it - sometimes erroneously and always at their own risk. At present, there are no lawful requirements that require you to make your Terms and Conditions or Terms of Service more visible or use an "I agree" checkbox to gather consent.

Your Privacy Policy is another matter entirely.

Two different laws require (in not so many words) you to seek a high level of consent for your Privacy Policy.

Let's start with the law with the widest scope and the largest fines: the GDPR. Then, we'll talk about an emerging need with CalOPPA.

Why You Need Clickwrap to Comply with the GDPR

If you fall under the jurisdiction of the GDPR (and most businesses do unless you block your site in the EU), then you need to use clickwrap with your Privacy Policy at a minimum.

The GDPR requires you to seek consent from all data subjects before you process certain types of personal data.

Although some say the browsewrap model still applies, it flies in the face of the GDPR in two ways (though, the GDPR doesn't expressly name either format of consent). First, the GDPR sets new standards for consent.

The conditions for consent are explicitly laid out in Article 7.

To show you have obtained freely-given consent, you must:

  • Have proof of consent from every data subject
  • Have proof of granular consent for the Privacy Policy (they must agree explicitly to your Privacy Policy)
  • Offer a consent mechanism written "in an intelligible and easily accessible form, using clear and plain language"

Article 7 also states that you need to provide a way for data subjects to withdraw their consent and the withdrawal should be as easy as it was to provide consent.

Finally, because consent must be freely given, you can't punish someone who doesn't give consent or withdraws their consent for processing that doesn't have anything to do with the service you provide.

All of these are difficult when you use browsewrap because you don't have proof that a data subject consented to your Privacy Policy. You just know they used your site. And the GDPR demands explicit agreement.

The last issue - allowing someone to withdraw consent without limiting your service - is also one of the data subject rights under the GDPR.

Because browsewrap doesn't allow for granular consent or proof of consent and instead relies on wholesale implied consent, it's difficult for individual data subjects to maintain their rights under the option.

Why You Should Use Clickwrap to Comply with CalOPPA

CalOPPA is the new California-based privacy law. And although it largely targets residents of California, your business falls under its purview if you have site visitors or app users from the state.

CalOPPA is less clear on its consent policies compared to the GDPR, but generally speaking, clickwrap is still a safer bet when creating a CalOPPA Privacy Policy.

The law requires you to have a Privacy Policy. But for your policy to meet legal expectations, it needs to declare itself as a Privacy Policy with the word Privacy in the name and be both visible and accessible for visitors.

You can get away with a link to your Privacy Policy in your footer, but it does mean you take a risk due to the visibility of the link.

Clickwrap is a good idea because it puts your Privacy Policy directly in front of the user rather than forcing them to hunt it down by themselves. It also prepares your site for changes to the law, which are inevitable.

It's Not Just Privacy Laws - Case Law Loves Clickwrap, Too

Although the GDPR and CalOPPA made the biggest assaults on browsewrap, it's worth understanding that the courts are leaving browsewrap behind as well.

For example, in a case settled in Florida's Ninth Circuit in 2017, the court argued that the browsewrap agreement used by the defendant for its Terms and Conditions had two problems. The first was that the hyperlink, while available, appeared only at the bottom of the page and required effort on behalf of the plaintiff to find it.

The court also argued that the defendant's link was obvious enough because it said "Terms and Conditions" - not "Terms and Conditions of Sale."

Florida's Ninth Circuit also referred back to a previous case (Nguyen v. Barnes & Noble Inc. 2014) and noted that there was a precedent for declining the applicability of browsewrap:

"[u]niformly, courts have declined to enforce browsewrap agreements when the hyperlink to the terms and condition is buried at the bottom of the page, and the website never directs the user to review them."

However, in Hubbert v. Dell Corp. (2005), the court did allow browsewrap to stand.

But these are different times, and much more now hinges on our use of the internet than it did previously. And when you combine the trajectory of U.S. case law with the fines that accompany CalOPPA and the GDPR, it becomes clear that it's safer and easier to go with clickwrap the first time around.

Summary

In the past, you could choose between browsewrap and clickwrap at will. Both counted as legal ways of collecting consent to your legal documents, like your Privacy Policy and Terms of Service. Times have changed.

As both customers and regulators begin to grapple with the power of personal data, the need for clear, unambiguous consent to data processing is now much stronger. The GDPR all but demands clickwrap from those under its jurisdiction and CalOPPA's Privacy Policy demands make it a good idea, too.

The bottom line: You can still use browsewrap for things like your Terms and Conditions agreement. However, regulated documents like your Privacy Policy need to come with a clickwrap agreement if you want to avoid fines and earn customer and regulator trust.

Last updated on 04 May 2020

Article categories

Nicole O.

Legal writer.