Examples of "I Agree to Privacy Policy" Checkboxes

by Nicole O. Legal writer.
Examples of "I Agree to Privacy Policy" Checkboxes

You recently updated your Privacy Policy to meet the concerns of the GDPR and CalOPPA, but there's still one step left.

Now, your customers, visitors, and account holders need to consent to your Privacy Policy.

Publishing a compliant Privacy Policy isn't enough anymore. You need consent whether they are a loyal customer who accepted your old policy or if they're visiting your site for the first time.

Why? Because according to today's laws, you can't consent to an agreement you don't see. And it's up to businesses to put their Privacy Policies in front of customers and ask for consent.

Checkboxes are a valid way of obtaining and storing consent. Why do you need them and what do they look like? Keep reading for some excellent examples of "I Agree to Privacy Policy" checkboxes.


Why Use an "I Agree to Privacy Policy" Checkbox?

As regulators and consumers raise their expectations for privacy, they now ask for clearly defined consent.

Gone are the days when simply using a website or app is tantamount to consenting to a Privacy Policy. Today, your visitors need to know:

  • What they agree to (in plain terms)
  • How to provide active consent
  • How to withdraw their consent

Consent is key in today's privacy-conscious world, and if you want to process any user's data, they need to be in agreement. The agreement can't be general. It needs to be with the specific terms of your data processing practices.

Checkboxes are a helpful way to share your Privacy Policy and give users a way to actively consent to your data practices.

Using a checkbox means a user must take an action and click to show that they agree to your Privacy Policy. It also provides you a way to capture and record their consent in case your users or regulators ever ask questions about your data practices.

If you fall under the jurisdiction of the General Data Protection Regulation (GDPR from the EU) or the California Consumer Privacy Act of 2018 (CCPA), then you are required by law to prove consent. These laws are only the beginning. Bills across the United States and the world are increasingly requiring sophisticated affirmative consent from all data processors.

More importantly, checkboxes make your current Privacy Policy enforceable. Beyond the issue of users being unable to agree to a document they've never seen, it targets the issue of changes and updates.

Legislation dictates that no Privacy Policy should resemble a field of moving goalposts that changes at will and without the knowledge of approval of your users. You need to use a consent checkbox not only when you welcome a new user but also whenever you make substantial updates or changes to your Privacy Policy.

Where to Put "I Agree to Privacy Policy" Checkboxes

Where to Put

The key to using the checkbox consent mechanism is to place it in spots where your site visitors will encounter it before you process their data. Remember that if you must comply with the GDPR or the CCPA, then you cannot process any data prior to obtaining consent from your users.

As a result, you want to collect consent in places where you might collect data. Some of these common locations include:

  • Account registration forms
  • Checkout pages
  • Email/newsletter sign-ups
  • Contact forms
  • Spaces for posting user-generated content

All these places require the user to provide data for processing and thus fall under the jurisdiction of your Privacy Policy.

Why provide a checkbox at all these places? It covers all your bases and allows you multiple opportunities to obtain consent.

For example, if you allow a guest checkout option and do not require users to create an account, then placing an "I Agree to Privacy Policy" checkbox at the checkout or basket page allows you to process their data to complete the transaction.

By requiring consent in multiple places, you are less likely to process data without the user's consent. It's important because if that user is European, then processing that data is a violation of the GDPR.

It's also a good idea to add a checkbox to your page to greet first-time visitors. This is technically a Cookies Notice, but because the GDPR considers cookies to be data (in some cases), it is helpful to get consent and link to your Privacy Policy early.

Examples of "I Agree to Privacy Policy" Checkboxes

An "I Agree to Privacy Policy" checkbox gives you permission to process user data. Adding them to data collection points across your site protects you - and your visitors - and keeps you compliant with international privacy laws.

Not all checkboxes look the same and many businesses choose to alter them to reflect their data practices as well as the text of their legal documents (including Privacy Policies, Terms and Conditions, and Terms of Sale).

Here's how some prominent international businesses use checkboxes across their websites.

IHG Hotels

IHG Hotels has an "I Agree to Privacy Policy" checkbox on its rewards club sign-up page.

When you sign up for the rewards club, you provide personal data like your name, country, email address, and street address, which IHG then uses for processing:

IHG Rewards Club Join form with Agree checkboxes

IHG uses the checkbox as an opportunity to gain consent for its Privacy Policy, Terms and Conditions, and to confirm that the account holder is at least 18 years old.

However, you don't need to be a member of the site to book a hotel room. So, IHG also adds a second checkbox at checkout that the user must check before they can book a reservation (and provide data for processing).

IHG Book Reservation form with Agree checkbox

European Tour Operators Association

The European Tour Operators Association is based in London and targets European data subjects specifically, which means it needs to be particularly careful when collecting consent and processing data.

The ETOA added its checkbox to its contact form because it collects names, email addresses, and phone numbers:

ETOA contact form with Agree checkbox

It both links to its Privacy Policy and explicitly says that ticking the box means the user consents to the Privacy Policy.

This is particularly important because the ETOA uses the form to collect leads and contact them.

However, if a visitor by-passes the contact form and goes straight to sign-up for the ETOA tour guide card or service, they are covered there, too. There is another checkbox on that sign-up form before the ETOA processes a membership application:

ETOA checkout screen with Agree checkbox

Yelp

Yelp provides one of the best examples of the "I Agree to Privacy Policy" checkbox currently available. Not only does Yelp use the checkbox and link to its Privacy Policy, but it also does so at the very top of its forms rather than hiding it away at the bottom:

Yelp sign-up form

Lululemon

Lululemon uses two forms of consent for its Privacy Policy.

At its user registration page, it includes two checkboxes and a click mechanism. One checkbox is for its Terms of Use. A second allows the company to contact you using the email address provided and has a link to the Privacy Policy:

Lululemon create account form checkboxes

Checking the second box is tantamount to an "I Agree to Privacy Policy" checkbox, but it is different in that at this stage, there's only an email address to collect.

When a user signs up simply to receive emails without creating an account, the company acknowledges that it will use other details provided (and order history, if applicable) to provide better service on the site and reacknowledges its Privacy Policy:

Lululemon email signup form with checkbox and Privacy Policy disclosure

Why does this work? At this point, you have provided only an email address to Lululemon. It doesn't include your name, contact details, or any other personal information. The company must still provide a link to its Privacy Policy because email addresses fall under the category of protected personal data.

Because the site also allows guest checkout, it must also re-affirm consent before allowing a sale. Processing a sale requires Lululemon to process significantly more personal data than the account sign up.

Although it should link to its Privacy Policy, it instead provides a checkbox for its Terms of Sale:

Lululemon checkout screen with checkbox

Adding a link to its Privacy Policy to the signup and checkout checkbox areas would be in the company's interests.

Lufthansa

Lufthansa provides an interesting example of a Privacy Policy checkbox on its account registration page.

It is clear that Lufthansa uses email collection to contact customers or account holders. The box requires consent to both contact and the use of personal data. It details what data it collects and the purpose of the collection before linking to the Privacy Policy:

Lufthansa create account form with checkbox

The text on the checkbox is strategic and adheres to the GDPR principles of transparency and upholding data subject rights. You don't need all of this on a checkbox mechanism to comply with the GDPR or CalOPPA, but it also doesn't hurt because it lets customers know exactly what you intend to do with their data before they share even their email address.

Checkboxes are the Way Forward

Even the most robust Privacy Policy is meaningless if you can't prove data subjects provided consent to it.

By placing "I Agree to Privacy Policy" checkboxes at each point of data collection, you give your users an opportunity to consent to your data practices. You also protect yourself from violations of the GDPR or CalOPPA by avoiding the potential of processing data without consent.

Each checkbox should reflect the way your site works and the text of your legal documents and they can be as detailed or minimal as you wish as long as they are transparent.

With privacy laws evolving all the time, you should always be prepared to prove that you have consent. Checkboxes are a simple, user-friendly way to get it done.

Last updated on 08 May 2020
Article categories
Nicole O.

Legal writer.