Goodbye Browsewrap. Hello GDPR.
Internet privacy is changing, and soon.
Even though the EU's General Data Protection Regulation (GDPR) went into full effect back on May 25th of 2018, a great many number of online businesses are still relying on the browsewrap method as their way of obtaining consent for collecting consumer information.
The GDPR has made browsewrap basically defunct for businesses that must follow its rules, as it calls for more clear, active consent from your users. Clickwrap will fully replace browsewrap for any business that falls under the scope of the GDPR.
- 1. Browsewrap Basics
- 1.1. What Does Browsewrap Look Like?
- 1.1.1. Links Throughout
- 1.1.3. Form Submission
- 1.1.4. Cookies Consent
- 1.1.5. The Pre-Ticked Checkbox
- 2. Say Goodbye to Browsewrap
- 2.1. The GDPR Way to Obtain Consent
- 2.1.2. 2. Cookies Consent
- 2.1.3. 3. Marketing Communications
What Does Browsewrap Look Like?
The browsewrap agreement is still commonplace, especially among online businesses that are located outside of the more privacy-stringent EU. Here are a few ways that companies implement the practice.
The same is true of the mobile app as well:
Although this method is less obvious, packaging user consent into a webform submission is also a type of browsewrap agreement. This is very common, as seen in the mobile registration form for Instagram:
When a form bundles consent into an unrelated submission, this is still a type of browsewrap agreement because the visitor did not click or take any affirmative action as part of the agreement.
Browsewrap agreements are sometimes applied to cookies consent as well. This may be expressed by a statement within the Cookies Policy that reads like the following:
Any time you see the terminology "By using our website you consent to..." this represents a browsewrap agreement.
Consent should not be considered as given just because someone stumbles onto your website.
Some companies even use their cookies banner as a way to reinforce the browsewrap agreement.
Once again, if no active consent is given, it must be considered a browsewrap agreement and thus not valid under the GDPR's increased standards for consent.
The Pre-Ticked Checkbox
It could be argued that this particular method is not a browsewrap agreement. Regardless, if a consent box is pre-ticked upon navigation to a webform, was consent ever expressly given by the user?
Consider the marketing communications checkbox.
This form pre-ticks the checkbox for marketing emails before the visitor even fills out any information:
This is another case in which the user did not express any affirmative choice to consent, making it a form of browsewrap agreement, or as the GDPR labels it, implied consent (versus active consent).
An even better example of implied consent is the Target signup form. Here, a user must automatically sign up for email marketing when they create an account. There's not even a checkbox to untick:
Say Goodbye to Browsewrap
As of May 25th of 2018, all of the consent methods described above will be absolutely prohibited under the GDPR.
Browsewrap is not compliant with GDPR requirements to confirm the unambiguous consent of users via a clear affirmative action before collecting any personal information from them.
Since the GDPR will apply to and be enforced upon any business (anywhere) that collects data from EU residents, you will need to review your own consent methods to avoid potentially enormous fines.
The GDPR Way to Obtain Consent
As opposed to browsewrap, the GDPR-compliant way to obtain consumer consent is through a clickwrap agreement.
The clickwrap agreement asks users to click or otherwise take a decisive action in order to provide consent for the collection or processing of their personal information.
Here are a few ways to accomplish this.
Bamboo HR includes this very clear consent checkbox next to the submission button on its signup form:
See how WeTransfer accomplishes this on its homepage:
2. Cookies Consent
As demonstrated above, many websites are still incorporating a browsewrap approach to their cookies consent banner, but this will not be considered compliant under the GDPR. Visitors must click to agree to all but the most basic functionality cookies before any may be placed in their browser:
When the visitor clicks "Cookie Settings," the following interface appears:
Here, HP describes the consumer's choices regarding cookies and privacy while allowing them to toggle cookies on or off, based on each user's preferences.
3. Marketing Communications
The GDPR is very specific about marketing consent:
"Silence, pre-ticked boxes or inactivity should not therefore constitute consent."
That's very clear. There must be no pre-ticked checkboxes!
This can be demonstrated simply with a form like the one below from Walmart Canada:
As you can see, the form explains clearly what the subscription checkbox is for - receiving email updates about products - but it is not pre-ticked. The user must make the clear decision to consent to marketing emails.
Many retailers worry that this will greatly reduce the number of opt-ins they receive for email marketing, which is why many prefer to give visitors several choices so users will be likely to at least choose one method of communication to opt in to.
In this form, Prada gives visitors the choice between different kinds of marketing communications and lets them choose yes or no on each topic. Some marketers say that giving users more choices will increase rates of email marketing consent.
Remember to get clear consent by adding a checkbox or some sort of clearly-labeled button. Ideally you should use both. This would make it very easy for users to be absolutely aware that by creating an account, confirming a purchase or interacting in some other way with your site they're giving consent for something.
If you fall under the scope of the rules of the GDPR and request consent either for cookies or for collecting personal information, become familiar with clickwrap techniques and make sure they're implemented in appropriate places on your website and mobile app.