Online consumers around the world are receiving more control over their information, often through legally mandated Privacy Policies. In many cases, these privacy laws require that the user agree to the policy in order for the agreement to be legally valid.
Not all privacy laws are the same, so check the privacy laws your business is subject to in order to determine whether you need them or not, and what is required to be compliant.
Keep in mind that some laws, for example the recent California Consumer Privacy Act (CCPA), require that all businesses who conduct business with California residents comply with the requirements of the CCPA - regardless of where the company itself is located.
The European Union's General Data Protection Regulation (GDPR) similarly applies to the data of EU residents, regardless of the business domicile.
The takeaway here is to be sure to examine any privacy laws that apply not only to the business's location, but which may apply to location where consumers reside.
Privacy laws typically require businesses to inform consumers about precisely how their data is being used. Often, this consumer data is used in order to provide convenient services or communications.
Offering a clear and comprehensive overview reflects a business's concern for professionalism and legal liability, so it can actually help you gain the trust of a consumer to show that you're a reputable business. It also helps consumers to feel confident sharing their information with a business when that business is transparent about how their information is used.
Prior to some of the comprehensive privacy laws we've mentioned here, Privacy Policies often utilized "implied consent," and this was considered sufficient.
Court rulings regarding the enforceability of browsewrap agreements have varied with the situation, but the bottom line is that they don't require the user's consent, so they may not be considered legally binding.
Here's an example of a browsewrap agreement, located at the very bottom of the Insomniac site's website upon first visit:
Many companies, including major social media sites, are currently using clickwrap agreements, as they offer a seamless method for the user to continue with their activity while eliciting their consent.
Some examples of wording that may be used are:
Whichever wording you select, the primary goal is to make sure the language used here is clear and accessible, and ensures that consumers understand exactly what they are agreeing to.
Note that it's not acceptable to "pre-tick" boxes and require the consumer to remove the check to indicate that they aren't giving consent - and depending on the privacy laws that apply, this could be illegal as well.
Be sure that any checkboxes are left unchecked and that any buttons you use clearly indicate agreement.
You can choose to implement the user agreement at different points of your website or app, depending on your business model and what you offer.
Many service-based companies, including Amazon Web Services, require the consumer to actually access (and presumably read) the agreement before they can proceed to create an account with Amazon. Thus, this model puts the agreement up front and gets it out of the way at sign-up.
Here's an example of Uber's driving service requiring drivers to agree to the policy at the time of registration:
Other businesses, for example e-commerce businesses, require agreement when the user is ready to check out.
Upscale retailer Nordstrom offers a great example here, when an item is placed in the shopping bag and "Checkout" is selected.
Information-driven companies must also obtain user consent. This includes businesses that send out newsletters and other information, because they're collecting (at minimum) user information in the form of an email address or phone number.
Over the past several years, the Federal Trade Commission has taken legal action against companies who don't abide by their own policies. Snapchat and Credit Karma are a few of the major companies who were charged with deceptive or unfair trade practices when their privacy policies were found to contain misleading statements.