- Add information about your business: your website and/or app.
- Select the country:
- Answer the questions from our wizard relating to what type of information you collect from your users.
What is Clickwrap?
The Evolution of Browsewrap
Over time, websites have standardized the way policies such as Privacy Policies and Terms and Conditions are displayed by placing links to them in the site's footer. The links allowed site visitors to click at will to read those policies. However, doing so was not required in order to use the site or its services.
Another common place to display policy links is in the sidebar. Here's an example from Facebook:
This passive approach of showing policies, known as browsewrap, gives site visitors the option to find and read your policies. Up until recently, this was a generally accepted approach to obtaining implied consent. In other words, if a visitor wanted to enjoy the benefits of your site, their consent to your policies was implied by simply using your site.
Stricter Consent Laws Require More Active Consent
Clickwrap is an active approach to obtaining consent. It helps limit your legal liability by requiring users to click or check something to confirm that they've read, acknowledged understood and consented to your policy.
To see clickwrap in use, take a look at this example from IntelliWHiTE:
CalOPPA requires that you write your policies in simple language your average visitor can understand. You'll also need to present your policy conspicuously, and provide users with the option to opt out as easily as it is to opt in.
In the EU, a particularly strong privacy protection law went into effect in May of 2018. This new set of laws, called the General Data Protection Regulation (GDPR), requires websites to collect informed consent from website visitors. The passive browsewrap method discussed earlier does not meet this new standard.
See this from Article 5(3) of the GDPR:
The requirement to give the site visitor the option to refuse to provide their personal information, therefore, requires websites to actively collect informed consent with clickwrap.
The GDPR applies to all companies that offer products or services to citizens of the EU, or collect personal information from citizens of the EU. It doesn't matter where your business is located. If you meet either of those requirements, the GDPR will apply to you.
GDPR rules stipulate the privacy protection processes websites must use, as well as how to communicate those processes to website visitors.
- Concise, transparent, easy to understand and easily accessible.
- Written for your typical website visitor, in clear and plain language, particularly if written for a minor under the age of 16.
Another important requirement of the GDPR is that website users who provide consent must be able to revoke that consent as easily as they granted it. Another requires websites to provide users who grant consent to get a copy of their data in electronic format or instruct you to transfer their data to another website controller. It is your obligation to inform your website visitors of these rules, their rights, and your procedures for complying with the laws.
Here, Facebook uses a simple paragraph to meet these obligations, and give users one-click access to tools to modify previously granted consent:
Most privacy laws also require you to inform your website visitors about how you collect and share information with third parties such as Google Analytics, AdSense and others. You must clearly explain the current and possible third parties collecting information from your site and give your site visitors the option to refuse their consent to this.
Facebook provides a comprehensive but easy to understand summary of its third party relationships and the options users have for opting out:
Third parties such as Google Analytics, AdSense and email marketing platforms require you to follow their policies as well as the laws in the jurisdictions where you operate.
MailChimp is an example of a third party that requires you to inform your users of certain policies and obtain consent to these policies from users who opt in to your email campaigns.
The Compliance with Laws clause requires you to agree to follow all applicable laws when using the MailChimp service:
Always check the Terms and Conditions of any third-party services you use to see exactly what's required of you and what you're agreeing to do when you sign up.
How Clickwrap Protects You
With increasing rules designed to protect privacy and avoid incidents of data breaches, it is wise to take every precaution to protect your website from legal liability.
Examples of Clickwrap
Multiple methods may be used to collect informed consent from your website visitors.
You can see that Etsy also allows registration through third parties - Google and Facebook. This is an increasingly popular method to provide user-friendly sign-up and prevent lost registrations.
Autotrader lets users use their Facebook accounts to sign in. When tools such as this are used for registration, purchases, ads, etc. the policies of the third party vendor as well as the business itself will apply. Here, Autotrader clearly acknowledges the information it will receive from Facebook and stipulates that consent does not imply consent to post to Facebook.
Many websites use an all-in-one opt-in box to give users one-click access to policies and to provide informed consent.
This example from Microsoft does just that, and uses colors to conspicuously distinguish hyperlinked policies from the opt-in consent statement.
PayPal uses a stepped clickwrap protocol where the user is presented with the option to provide informed consent to finalize sign-up.
In this example, the user registered with minimal information but in order to proceed to use the PayPal service, she must complete required fields and click to provide her consent:
How the notification will be made is not clear. Many websites are deploying a new strategy of displaying a popup to return visitors requiring the user to click to read and/or acknowledge a change to the site's policies.
This example from Twitter created some backlash because it limited registered users from continuing to use the site without accepting changes to the Privacy Policies. However, in doing so, Twitter protected itself from legal liability and properly informed its users of important information should should know.
Twitter accomplished four important goals with this simple popup:
- Conspicuous Presentation - The popup displayed automatically the first time the registered user visited the site once the new policies were in effect. It is bright and visually appealing, ensuring users will see it.
- Plain and Simple Language - The language in the popup speaks plainly to Twitter's typical user in casual, clear and succinct language you can easily understand.
- Consent - A bold white button clearly distinguishes itself, allowing the user to provide informed consent. The user cannot proceed to the site without providing that consent, thus preventing Twitter from failing to collect informed consent. Until the user confirms consent, Twitter assumes previously provided consent no longer exists, thus automating opt-out.
- Easy Opt-out - The Review Settings button provides the user with one-click access to review policies and make changes to current settings. This ensures Twitter meets laws requiring that users can opt out as easily as they originally opted in.
The popup was presented to new and registered users the next time they visited the WeTransfer site, ensuring that new and former users would have easy access to all of the affected policies from one place.
It also meets other legal requirements:
- The popup meets rules for conspicuous display.
- The bold blue button meets rules for confirming informed consent.
Implementing Clickwrap Functionality
Several tools exist to help you create popups to collect or update informed consent. OptinMonster offers several styles and rules for triggering popups. This one uses yes/no toggles the user must adjust to yes in order to proceed on your site:
In addition to controlling the method for collecting informed consent, OptinMonster also allows you to control the timing of the popup so you can trigger the notice when a new or registered user lands on your site, navigates to a certain page, after viewing a page for a specified amount of time or when they exit.
With steep fines for failure to comply with GDPR, CalOPPA and other privacy rules, the more you do to ensure your website visitors have knowingly provided you with informed consent to collect their data, the better protected you will be from legal liability.