How to use Clickwrap with a Privacy Policy

Clickwrap is a website design feature that requires site visitors to actively acknowledge their understanding and acceptance of certain policies, such as your Terms and Conditions, Cookies Policy and Privacy Policy.

Increasingly strict privacy protection laws make it important to collect informed consent rather than passive consent from your website visitors. Utilizing clickwrap in your Privacy Policy will help ensure you limit your liability and meet the most stringent rules governing privacy protection.

This article will discuss laws and standards favoring the use of clickwrap in your Privacy Policy, and how best to incorporate clickwrap to limit your liability.

Need a Privacy Policy? Our Privacy Policy Generator will help you create a custom policy that you can use on your website and mobile app. Just follow these few easy steps:

  1. Click on "Start creating your Privacy Policy" on our website.
  2. Select the platforms where your Privacy Policy will be used and go to the next step.
  3. Add information about your business: your website and/or app.
  4. Select the country.
  5. Answer the questions from our wizard relating to what type of information you collect from your users.
  6. Enter your email address where you'd like your Privacy Policy sent and click "Generate".

And you're done! Now you can copy or link to your hosted Privacy Policy.



What is Clickwrap?

The Evolution of Browsewrap

Over time, websites have standardized the way policies such as Privacy Policies and Terms and Conditions are displayed by placing links to them in the site's footer. The links allowed site visitors to click at will to read those policies. However, doing so was not required in order to use the site or its services.

Here's an example of a standard website footer from Gap. It displays links to important policies, including the company's Privacy Policy:

Gap website footer with links

Another common place to display policy links is in the sidebar. Here's an example from Facebook:

Facebook sidebar showing policy links

This passive approach of showing policies, known as browsewrap, gives site visitors the option to find and read your policies. Up until recently, this was a generally accepted approach to obtaining implied consent. In other words, if a visitor wanted to enjoy the benefits of your site, their consent to your policies was implied by simply using your site.

While you should display links to your Privacy Policy, simply doing that is not enough to meet new privacy protection laws.

Clickwrap is an active approach to obtaining consent. It helps limit your legal liability by requiring users to click or check something to confirm that they've read, acknowledged, understood and consented to your policy.

To see clickwrap in use, take a look at this example from IntelliWHiTE:

IntelliWHiTE Sign-up form with agree checkboxes for emails and Privacy Policy

People are presented with two checkboxes to confirm their consent to receive emails and offers, as well as to agree to the company's Privacy Policy.

Why Clickwrap is Needed for Your Privacy Policy

Most jurisdictions around the world require a Privacy Policy to protect their citizens' personal data and privacy. In some jurisdictions, such as California and the EU, laws are particularly strict, requiring specific disclosures and opt-in/opt-out protocols.

In 2003, the state of California enacted the California Online Privacy Protection Act (CalOPPA) to improve privacy protection for residents. The law applies to all websites that collect personally identifiable information from California residents, whether the information is collected directly, such as by entering information into a form, or indirectly, such as through the use of cookies.

CalOPPA requires that you write your policies in simple language your average visitor can understand. You'll also need to present your policy conspicuously, and provide users with the option to opt out as easily as it is to opt in.

In the EU, a particularly strong privacy protection law went into effect in May of 2018. This new set of laws, called the General Data Protection Regulation (GDPR), requires websites to collect informed consent from website visitors. The passive browsewrap method discussed earlier does not meet this new standard.

See this from Article 5(3) of the GDPR:

Article 5(3) of the GDPR

The requirement to give the site visitor the option to refuse to provide their personal information, therefore, requires websites to actively collect informed consent with clickwrap.

The GDPR applies to all companies that offer products or services to citizens of the EU, or collect personal information from citizens of the EU. It doesn't matter where your business is located. If you meet either of those requirements, the GDPR will apply to you.

What Should a Privacy Policy Include

With the increasing legal regulations protecting consumer privacy, particularly CalOPPA and the GDPR, it is critical that your Privacy Policy include certain specific information and be presented to your website visitors in a way that makes it easy for them to access and understand.

GDPR rules stipulate the privacy protection processes websites must use, as well as how to communicate those processes to website visitors.

Specifically, the GDPR requires your Privacy Policy to be:

  1. Concise, transparent, easy to understand and easily accessible.
  2. Written for your typical website visitor, in clear and plain language, particularly if written for a minor under the age of 16.

Because the GDPR requires that your Privacy Policy be conspicuously presented and easy to understand, it is increasingly popular to present your Privacy Policy in user-friendly sub-sections. This allows your visitors to access the information they need to understand in order to provide informed consent to share their data with you.

This example from Facebook represents a modern approach to presenting a Privacy Policy in user-friendly sub-sections. It also can act as a guide for what specific information you should consider including in your Privacy Policy.

Facebook Privacy Policy subsections

Another important requirement of the GDPR is that website users who provide consent must be able to revoke that consent as easily as they granted it. Another requires websites to let users who grant consent get a copy of their data in electronic format or instruct you to transfer their data to another website controller. It is your obligation to inform your website visitors of these rules, their rights, and your procedures for complying with the laws.

Here, Facebook uses a simple paragraph to meet these obligations, and give users one-click access to tools to modify previously granted consent:

Facebook Privacy Policy: How Can I manage or delete information about me clause

Most privacy laws also require you to inform your website visitors about how you collect and share information with third parties such as Google Analytics, AdSense and others. You must clearly explain the current and possible third parties collecting information from your site and give your site visitors the option to refuse their consent to this.

Facebook provides a comprehensive but easy to understand summary of its third party relationships and the options users have for opting out:

Facebook Privacy Policy: Advertising, Measurement and Analytics Services clause

Third parties such as Google Analytics, AdSense and email marketing platforms require you to follow their policies as well as the laws in the jurisdictions where you operate.

MailChimp is an example of a third party that requires you to inform your users of certain policies and obtain consent to these policies from users who opt in to your email campaigns.

The MailChimp sign-up form requires you to agree to its Terms of Use and Privacy Policy, which contains a clause for Compliance with Laws.

Mailchimp Create Account form

The Compliance with Laws clause requires you to agree to follow all applicable laws when using the MailChimp service:

Mailchimp Standard Terms of Use: Compliance with Laws clause

Always check the Terms and Conditions of any third-party services you use to see exactly what's required of you and what you're agreeing to do when you sign up.

How Clickwrap Protects You

With increasing rules designed to protect privacy and avoid incidents of data breaches, it is wise to take every precaution to protect your website from legal liability.

By incorporating clickwrap into your Privacy Policy, you are able to limit your potential liability for compliance violations. Clickwrap uses tools such as checkboxes and confirmation buttons to collect informed consent from your website visitors.

Steep fines, particularly in the EU, provide a serious incentive to comply. GDPR imposes penalties ranging from €20 million to four percent of "annual global turnover," whichever is greater. Ensuring your website collects informed consent from users about the details of your Privacy Policy is critical.

Examples of Clickwrap

Multiple methods may be used to collect informed consent from your website visitors.

This example from the global ecommerce site, Etsy, displays a link to the company's Privacy Policy and Terms of Service on the registration page. This meets the convenience standard for website visitors.

Etsy's Create an account form

You can see that Etsy also allows registration through third parties - Google and Facebook. This is an increasingly popular method to provide user-friendly sign-up and prevent lost registrations.

Autotrader lets users sign in with their Facebook accounts. When tools such as this are used for registration, purchases, ads, etc., the policies of the third-party vendor as well as the business itself will apply. Here, Autotrader clearly acknowledges the information it will receive from Facebook and stipulates that consent does not imply consent to post to Facebook.

Screenshot of Autotrader's login with Facebook and consent button

Facebook's Privacy Policy includes a provision confirming their compliance with laws regulating the user's rights to limit how their information is used by and with third parties:

Facebook Privacy Policy: Vendors, service providers and other partners clause

Many websites use an all-in-one opt-in box to give users one-click access to policies and to provide informed consent.

This example from Microsoft does just that, and uses colors to conspicuously distinguish hyperlinked policies from the opt-in consent statement.

Microsoft: Create Account button clicking means you agree to Policies

PayPal uses a stepped clickwrap protocol where the user is presented with the option to provide informed consent to finalize sign-up.

In this example, the user registered with minimal information but in order to proceed to use the PayPal service, she must complete required fields and click to provide her consent:

PayPal's create an account form with clickwrap checkbox for agreements

Many current privacy regulations also require websites to notify users of changes to a Privacy Policy. Policy changes are often needed to acknowledge changes in third-party vendors, changes to how the website operates or to comply with new regulations.

Your Privacy Policy should include a clause clearly describing any changes to your policy, as well as how you will inform registered users of changes to the policy.

Facebook's Privacy Policy outlines this in very simple terms:

Facebook Privacy Policy: Notification of changes to policy clause

How the notification will be made is not clear. Many websites are deploying a new strategy of displaying a popup to return visitors requiring the user to click to read and/or acknowledge a change to the site's policies.

This example from Twitter created some backlash because it limited registered users from continuing to use the site without accepting changes to the Privacy Policies. However, in doing so, Twitter protected itself from legal liability and properly informed its users of important information they should know.

Example from Twitter: Updated Privacy Policy notification using clickwrap

Twitter accomplished four important goals with this simple popup:

  1. Conspicuous Presentation - The popup displayed automatically the first time the registered user visited the site once the new policies were in effect. It is bright and visually appealing, ensuring users will see it.
  2. Plain and Simple Language - The language in the popup speaks plainly to Twitter's typical user in casual, clear and succinct language you can easily understand.
  3. Consent - A bold white button clearly distinguishes itself, allowing the user to provide informed consent. The user cannot proceed to the site without providing that consent, thus preventing Twitter from failing to collect informed consent. Until the user confirms consent, Twitter assumes previously provided consent no longer exists, thus automating opt-out.
  4. Easy Opt-out - The Review Settings button provides the user with one-click access to review policies and make changes to current settings. This ensures Twitter meets laws requiring that users can opt out as easily as they originally opted in.

WeTransfer, a file sharing platform, used a similar method to collect informed consent from its users after a change to the company's Cookie Policy, which also affected the company's Terms of Service and Privacy Policy:

WeTransfer: I agree button

The popup was presented to new and registered users the next time they visited the WeTransfer site, ensuring that new and former users would have easy access to all of the affected policies from one place.

It also meets other legal requirements:

  • The popup meets rules for conspicuous display.
  • The bold blue button meets rules for confirming informed consent.
  • The links to Terms of Service, Privacy Policy and Cookie Policy meet rules for providing users with one-click access to policies and procedures.

Implementing Clickwrap Functionality

Several tools exist to help you create popups to collect or update informed consent. OptinMonster offers several styles and rules for triggering popups. This one uses yes/no toggles the user must adjust to yes in order to proceed on your site:

Screenshot of OptinMonster clickwrap popup tool enabled

In addition to controlling the method for collecting informed consent, OptinMonster also allows you to control the timing of the popup. You can trigger the notice when a new or registered user lands on your site, navigates to a certain page, has viewed a page for a specified amount of time, or exits.

Controls such as these help you take extra care in ensuring you reach your site visitors in the most logical way possible when collecting informed consent to your Privacy Policy or changes.

With steep fines for failure to comply with GDPR, CalOPPA and other privacy rules, the more you do to ensure your website visitors have knowingly provided you with informed consent to collect their data, the better protected you will be from legal liability.

Remember to use a checkbox or at minimum a clearly-labeled statement and button that makes it very obvious to users that by clicking, they're giving consent/agreement to one or more things. Remember to link to your Privacy Policy at locations where you're requesting agreement to it.