Online consumers around the world are receiving more control over their information, often through legally mandated Privacy Policies. In many cases, these privacy laws require that the user agree to the policy in order for the agreement to be legally valid.
A business that is required to obtain the consumer's agreement to the Privacy Policy and fails to do so can face legal issues as a result. For example, unless the consumer's express agreement to the Privacy Policy can be shown, the consumer can state that they never agreed to release or share that information. The company can then be found liable for any "mishandled" consumer information.
Not all privacy laws are the same, so check the privacy laws your business is subject to in order to determine whether you need to obtain user agreement, and what is required to be compliant.
Keep in mind that some laws, for example the recent California Consumer Privacy Act (CCPA), require that all businesses that conduct business with California residents comply with the requirements of the CCPA, regardless of where the company itself is located.
The European Union's General Data Protection Regulation (GDPR) similarly applies to the data of EU residents, regardless of the business domicile.
The takeaway here is to be sure to examine any privacy laws that apply not only to the business's location, but also to the locations where consumers reside.
The CCPA and the GDPR are both major examples of privacy laws that require consumers to clearly and unambiguously agree to a Privacy Policy in order for the business to be legally compliant.
Privacy laws typically require businesses to inform consumers about precisely how their data is being used. Often, this consumer data is used in order to provide convenient services or communications.
You can highlight these services or any extra features that consumer data is being used for in the Privacy Policy in order to offer a complete picture of how that data is used, including for the consumer's benefit.
For example, in the below screenshot of Instagram's Privacy Policy, we can see how the company has outlined the benefits of sharing information with Instagram, including account access, personalization, and more:
Offering a clear and comprehensive overview reflects a business's concern for professionalism and legal liability, so it can actually help you gain the trust of a consumer to show that you're a reputable business. It also helps consumers to feel confident sharing their information with a business when that business is transparent about how their information is used.
Prior to some of the comprehensive privacy laws we've mentioned here, Privacy Policies often utilized "implied consent," and this was considered sufficient.
Implied consent was generally a statement on the website, for example in the footer, which explained that by continuing to use the website, the consumer is implying that they consent to the Privacy Policy.
However, implied consent is no longer acceptable under most modern privacy laws. This includes "browsewrap" agreements, which are insufficient because they do not require the user to take any action to indicate agreement to the Privacy Policy terms.
Court rulings regarding the enforceability of browsewrap agreements have varied with the situation, but the bottom line is that they don't require the user's consent, so they may not be considered legally binding.
Here's an example of a browsewrap agreement, located at the very bottom of the Insomniac website upon first visit:
"Clickwrap" agreements require the customer to click a button or box to indicate agreement. Typically the consumer is not able to move forward and use the site if they do not check or click to indicate agreement to the Privacy Policy or other agreements (such as Terms of Use in the image above).
Many companies, including major social media sites, are currently using clickwrap agreements, as they offer a seamless method for the user to continue with their activity while eliciting their consent.
Here's an example of MeetUp's Privacy Policy update notice requiring users to consent to recent policy updates in order to continue using the service:
Since a Privacy Policy, correctly executed, is a legally binding agreement between a company and its users, it's important to make sure all requirements are met. Let's cover how to implement methods to collect user agreement.
First, provide links to your Privacy Policy, Terms of Service, and any other relevant documents that consumers may wish to review before agreeing to the Privacy Policy. These links should appear on the same page or window as the user agreement so that they're available to the consumer.
Financial website Credit Karma offers links to both the Privacy Policy and the Terms of Service when requiring consumers to agree to recent policy updates, as seen in the screenshot below:
Privacy Policy laws do not dictate the exact wording businesses must use when requesting user agreement, but they should clearly indicate that the user has reviewed the terms of the policy.
Some examples of wording that may be used are:
Whichever wording you select, the primary goal is to make sure the language used here is clear and accessible, and ensures that consumers understand exactly what they are agreeing to.
Note that it's not acceptable to "pre-tick" boxes and require the consumer to remove the check to indicate that they aren't giving consent - and depending on the privacy laws that apply, this could be illegal as well.
Be sure that any checkboxes are left unchecked and that any buttons you use clearly indicate agreement.
You can choose to implement the user agreement at different points of your website or app, depending on your business model and what you offer.
Many service-based companies, including Amazon Web Services, require the consumer to actually access (and presumably read) the agreement before they can proceed to create an account with Amazon. Thus, this model puts the agreement up front and gets it out of the way at sign-up.
Here's an example of Uber's driving service requiring drivers to agree to the policy at the time of registration:
Other businesses, for example e-commerce businesses, require agreement when the user is ready to check out.
Upscale retailer Nordstrom offers a great example here, when an item is placed in the shopping bag and "Checkout" is selected.
Information-driven companies must also obtain user consent. This includes businesses that send out newsletters and other information, because they're collecting (at minimum) user information in the form of an email address or phone number.
In this type of business, user consent is often gained by offering something of value (information, e-book, coupon, etc.) for free if the user agrees to the Privacy Policy at the time the consumer requests the free resource.
This example comes from HubSpot, which offers 30 days of free Instagram templates for those who sign up and agree to the Privacy Policy, including prominent disclosure that the information is shared with third parties:
Now that you have a suitable Privacy Policy in place, complete with user agreement indicators, make sure that you follow it!
Over the past several years, the Federal Trade Commission has taken legal action against companies that don't abide by their own policies. Snapchat and Credit Karma are among the major companies that were charged with deceptive or unfair trade practices when their privacy policies were found to contain misleading statements.
Finally, stay on top of news and updates to Privacy Policy requirements and consumer data rights to be sure that you're never out of compliance.