Goodbye Browsewrap. Hello GDPR.

Goodbye Browsewrap. Hello GDPR.

Internet privacy is changing, and soon.

Even though the EU's General Data Protection Regulation (GDPR) went into full effect back on May 25th of 2018, a great many number of online businesses are still relying on the browsewrap method as their way of obtaining consent for collecting consumer information.

The GDPR has made browsewrap basically defunct for businesses that must follow its rules, as it calls for more clear, active consent from your users. Clickwrap will fully replace browsewrap for any business that falls under the scope of the GDPR.


Browsewrap Basics

If you're not familiar with the term, browsewrap refers to the common online practice of posting visible links to the Privacy Policy throughout a website or mobile application and assuming that consumers agree with it by default, simply because it's accessible.

In many parts of the world, this type of privacy agreement has been technically legal. For example, the California Online Privacy Protection Act (CalOPPA) only requires that a conspicuous Privacy Policy be posted throughout a website in order for that website to collect information about its visitors.

What Does Browsewrap Look Like?

The browsewrap agreement is still commonplace, especially among online businesses that are located outside of the more privacy-stringent EU. Here are a few ways that companies implement the practice.

Many businesses assume that since multiple links to the Privacy Policy are posted visibly throughout their online platform, their collection of consumer personal information is legal.

Target, for example, includes a small link to its Privacy Policy within the footer navigation bar of each page on their website:

Target website footer showing links

The same is true of the mobile app as well:

Target mobile app Show Stores screen with Privacy Policy link

Many companies still assume that this accessibility to the Privacy Policy gives users ample opportunity to read it, which would imply user consent. The GDPR makes this no longer be the case.

Privacy Policy Browsewrap Statement

Another way to reinforce a browsewrap agreement is to include a paragraph within the Privacy Policy like the following from Arbys:

Arby's Privacy Policy: Intro clause using browsewrap

Notice the line that states, "By using this site, you are agreeing to this Privacy Policy." That is a perfect example of a browsewrap agreement. The same statement is repeated in the Arby's mobile Privacy Policy:

Arby's mobile app Privacy Policy: Intro clause using browsewrap

Form Submission

Although this method is less obvious, packaging user consent into a webform submission is also a type of browsewrap agreement. This is very common, as seen in the mobile registration form for Instagram:

Instagram mobile app welcome screen using browsewrap

A link to the Privacy Policy is included, but the user does not have an opportunity to actively consent to the policy or terms, such as with a consent checkbox or a button labeled something like "I Agree."

When a form bundles consent into an unrelated submission, this is still a type of browsewrap agreement because the visitor did not click or take any affirmative action as part of the agreement.

Browsewrap agreements are sometimes applied to cookies consent as well. This may be expressed by a statement within the Cookies Policy that reads like the following:

Brandwatch Cookie Policy: Important information about consent clause using browsewrap

Any time you see the terminology "By using our website you consent to..." this represents a browsewrap agreement.

Consent should not be considered as given just because someone stumbles onto your website.

Some companies even use their cookies banner as a way to reinforce the browsewrap agreement.

This cookies banner is an example of this. While it informs site visitors about the use of cookies, it doesn't allow them to click to agree or consent to this usage in any way. It is simply understood that "By using this website you consent."

AstraZeneca cookie policy notice using browsewrap

Once again, if no active consent is given, it must be considered a browsewrap agreement and thus not valid under the GDPR's increased standards for consent.

The Pre-Ticked Checkbox

It could be argued that this particular method is not a browsewrap agreement. Regardless, if a consent box is pre-ticked upon navigation to a webform, was consent ever expressly given by the user?

Consider the marketing communications checkbox.

This form pre-ticks the checkbox for marketing emails before the visitor even fills out any information:

Nordstrom create account form with pre-ticked checkbox

This is another case in which the user did not express any affirmative choice to consent, making it a form of browsewrap agreement, or as the GDPR labels it, implied consent (versus active consent).

An even better example of implied consent is the Target signup form. Here, a user must automatically sign up for email marketing when they create an account. There's not even a checkbox to untick:

Target create an account form with automatic email signup/browsewrap

Say Goodbye to Browsewrap

As of May 25th of 2018, all of the consent methods described above will be absolutely prohibited under the GDPR.

Browsewrap is not compliant with GDPR requirements to confirm the unambiguous consent of users via a clear affirmative action before collecting any personal information from them.

Since the GDPR will apply to and be enforced upon any business (anywhere) that collects data from EU residents, you will need to review your own consent methods to avoid potentially enormous fines.

As opposed to browsewrap, the GDPR-compliant way to obtain consumer consent is through a clickwrap agreement.

The clickwrap agreement asks users to click or otherwise take a decisive action in order to provide consent for the collection or processing of their personal information.

Here are a few ways to accomplish this.

1. Click to Agree to Privacy Policy

Implied consent will no longer be considered valid under the GDPR, so make sure users actively consent to your Privacy Policy and terms using a clear affirmative action.

For example, within your registration and webforms, require users to tick a checkbox to agree to the Privacy Policy and Terms before proceeding with the service.

Bamboo HR includes this very clear consent checkbox next to the submission button on its signup form:

Bamboo HR sign-up form using clickwrap checkbox to agree to Terms and Privacy Policy

Another more thorough way to do this is to ask visitors to consent to your Privacy Policy within the GDPR or cookies banner when they first navigate to your website or mobile app.

See how WeTransfer accomplishes this on its homepage:

WeTransfer: I agree button

As demonstrated above, many websites are still incorporating a browsewrap approach to their cookies consent banner, but this will not be considered compliant under the GDPR. Visitors must click to agree to all but the most basic functionality cookies before any may be placed in their browser:

This GDPR banner on the HP homepage explains clearly how the company uses cookies and gives users the opportunity to click to accept cookies or change these settings:

HP cookies notice with clickwrap for Accept Cookies

When the visitor clicks "Cookie Settings," the following interface appears:

HP Privacy Preference Centre with Personalization Cookies settings

Here, HP describes the consumer's choices regarding cookies and privacy while allowing them to toggle cookies on or off, based on each user's preferences.

3. Marketing Communications

The GDPR is very specific about marketing consent:

"Silence, pre-ticked boxes or inactivity should not therefore constitute consent."

That's very clear. There must be no pre-ticked checkboxes!

This can be demonstrated simply with a form like the one below from Walmart Canada:

Walmart Canada create account form with checkbox to agree to Privacy Policy and subscribe to emails

As you can see, the form explains clearly what the subscription checkbox is for - receiving email updates about products - but it is not pre-ticked. The user must make the clear decision to consent to marketing emails.

Many retailers worry that this will greatly reduce the number of opt-ins they receive for email marketing, which is why many prefer to give visitors several choices so users will be likely to at least choose one method of communication to opt in to.

In this form, Prada gives visitors the choice between different kinds of marketing communications and lets them choose yes or no on each topic. Some marketers say that giving users more choices will increase rates of email marketing consent.

Prada registration form with clickwrap consent checkboxes for marketing and personal data collection

These are just a few ways to make your consent methods compliant with the GDPR. Make sure that you're using clickwrap methods to get consent to collect personal data and for agreement to your Privacy Policy and Terms. Ditch the browsewrap methods or you'll be violating the GDPR.

Remember to get clear consent by adding a checkbox or some sort of clearly-labeled button. Ideally you should use both. This would make it very easy for users to be absolutely aware that by creating an account, confirming a purchase or interacting in some other way with your site they're giving consent for something.

If you fall under the scope of the rules of the GDPR and request consent either for cookies or for collecting personal information, become familiar with clickwrap techniques and make sure they're implemented in appropriate places on your website and mobile app.

Last updated on 25 September 2019
Article categories