Will the GDPR Affect Your Terms and Conditions Agreement?

The GDPR is quite possibly the most important update to internet privacy laws in the 21st century. Companies around the world have had to bolster their Privacy Policies, change the way that they handle personal data and institute new methods for notifying their users. These updates are intended to strengthen the rights of internet users and improve security of their personal information.

Privacy Policies are a core aspect of the GDPR. These documents are the keystone for ensuring that both websites and their users are aware of privacy rights and acting to protect them.

With the GDPR making changes to the requirements for your Privacy Policy, will it also change the requirements for your Terms and Conditions? There seems to be some confusion about this, but the short answer is that the GDPR does not govern Terms and Conditions and will not directly affect yours.

The GDPR is concerned with privacy law. Privacy Policies fall into that category, but Terms and Conditions agreements do not.

So what exactly is the GDPR?

The General Data Protection Regulation (or GDPR) is a new set of privacy laws for the European Union. It affects any entity that collects or processes the personal data of residents of the EU, whether or not that entity is itself located within the EU. This is to protect the privacy, security, and personal rights of EU citizens from unfair or unsafe data collection and processing.

The GDPR covers lawful means of collecting and processing the personal data of internet users in the EU. It sets forth rules that companies must follow for when and how personal information can be collected. For example, it limits the information that can be collected to only what is necessary to complete the agreed upon function (such as collecting an email address to send newsletters), in order to reduce the risk to users.

The GDPR also sets guidelines for things like cookie usage, obtaining consent for data processing, and how user information must be secured.

GDPR compliance will likely involve things like updating your Privacy Policy and obtaining consent before collecting personal data or using cookies. It will not require any changes to your Terms and Conditions.

What is a Terms and Conditions agreement?

Terms and Conditions agreements are sets of rules and disclaimers that users must abide by when using an app or website. The purpose of these agreements is more about protecting the company or people behind the app or website by requiring users to follow certain rules if they wish to utilize the services provided.

A Terms and Conditions agreement can also be referred to as a Terms of Use, Conditions of Use, Terms of Service or other similar agreement name. These are all interchangeable and based on the preference of the business.

For example, Amazon calls its Terms agreement its Conditions of Use:

Terms and Conditions agreements will include disclaimers about payments and subscriptions, limitation of liability statements, and rules of conduct to ensure proper usage of the service provided. These rules are in place in order to give website owners and app developers the right to remove users who use the service improperly, to protect themselves from frivolous lawsuits, and to have proof of payment procedures in the event of a dispute, among other things.

A good example of a common clause found in Terms and Conditions agreements is social media sites and forums banning offensive, hateful, or trolling posts. This is a classic example of a rule/disclaimer that would allow the website owner, app developer, or social media moderator to remove individuals who post content that negatively impacts the experience for other users.

It also protects them from frivolous claims of abuse, requiring that users understand that the website has no control over what other users might post. While rules such as these are common and a good idea, they do not fall under the umbrella of privacy as covered by the GDPR.

Here's how Amazon does it:

The difference between Terms and Conditions and Privacy Policies

A Privacy Policy is required by the GDPR and other privacy laws in order to protect users and ensure proper business practices by website owners and app developers.

A Terms and Conditions is an optional legal agreement created by the website owner or app developer laying down rules for proper usage of their services and any disclaimers to indemnify themselves against any potential legal disputes.

While the rules included in Terms and Conditions are important, you can see the difference in purpose between this type of document and a Privacy Policy.

A Terms and Conditions is the responsibility of the website owner or app developer for their own sake, but a Privacy Policy is required by law to protect the rights, privacy, and security of internet users from unsafe and unfair data collection and processing.

Will the GDPR have any impact on Terms and Conditions?

As mentioned above, the GDPR does not directly regulate Terms and Conditions agreements.

There are some ways, however, that it may indirectly affect these documents.

For starters, while the GDPR requires Privacy Policies to be separate and distinct from Terms and Conditions, these two documents often refer to one another and may link each other. So, if you are updating your Privacy Policy for GDPR compliance, make sure that you update any links if a new document is created for your new Privacy Policy. You wouldn't want your Terms and Conditions linking to your old (and non-compliant) Privacy Policy!

Also be sure that any references to your Privacy Policy in your Terms and Conditions are updated and consistent across both documents.

Let's discuss a few other topics about how the GDPR relates to Terms and Conditions:

Does the GDPR make Terms and Conditions mandatory?

Nope.

As mentioned previously, a Terms and Conditions agreement is optional. It works to the benefit of the website or app by laying down some legally binding terms about how to use (and not use) the service provided.

These documents are meant to protect the website owner or app developer from legal disputes and set guidelines for how the services must be used or the penalties for misuse. The GDPR does not change that at all.

Since Terms and Conditions generally do not offer any sort of protection to the users, they are not regulated by the GDPR. It is up to the website owner or app developer to create a Terms and Conditions for their own sake.

Does the GDPR require a Terms and Conditions to have any specific clauses?

Directly, no.

The GDPR does not make any mention of Terms and Conditions agreements or what they must include. Whether you have a Terms and Conditions, a Terms of Service or a Terms of Use document is entirely up to you (though you really, really should have one).

However, there may be certain situations where changes to your Privacy Policy or other aspects of your business procedures as a result of the GDPR could affect aspects of your Terms and Conditions.

For example, Terms and Conditions often have declarations about the use of their app or website by minors, such as stating that minors are required to have the consent of a parent or guardian before using the site or creating an account. The GDPR has its own set of rules for the data collection and processing of minors, which could lead to a change in your policies. This change may require you to alter the related sections of your Terms and Conditions to reflect any policy changes for accuracy and consistency.

While this change is not a direct effect of the GDPR, there may be instances such as this where new GDPR rules or Privacy Policy changes may create inconsistencies in your Terms and Conditions if there is overlap between these documents or changes to company procedures.

Reviewing your Terms and Conditions after updating your Privacy Policy and becoming compliant with the GDPR is highly recommended.

Will obtaining consent for Terms and Conditions change under the GDPR?

Nope.

While the GDPR does not require consent to be obtained for Terms and Conditions as it does for Privacy Policies, it is generally a good idea to follow suit when obtaining consent anyway.

For example, if you use a pop-up to obtain consent for data collection and acceptance of your Privacy Policy as required by the GDPR, it is not a bad idea to include your Terms and Conditions.

While this is not legally required, if you want your users to read and give consent for your Terms and Conditions, this may be a good time as they are already doing the same thing for your Privacy Policy as required by the GDPR.

You'll be better able to enforce your Terms in court if ever required if you have clear proof that the user definitely did consent to be bound by your Terms by agreeing to them.

Conclusion

The GDPR makes no mention of Terms and Conditions agreements and therefore has no direct impact on these documents.

However, it is possible that other changes to your website, app, or company policies brought about by the GDPR could create inconsistencies between your Terms and Conditions and other aspects of your website. For example, your Terms and Conditions may include information about your Privacy Policy that could change because of the GDPR.

After becoming fully compliant with the GDPR, reread your Terms and Conditions to see if any inconsistencies have been created.

Aside from that, the GDPR is a set of laws protecting the rights and privacy of internet users. It is designed to protect the individual from unfair and unsafe information handling by apps and websites. Since Terms and Conditions are created by app developers and website owners to protect their own interests, the GDPR does not regulate these documents.