Getting consent for your legal agreements not only helps build trust with consumers, it is also an essential step in complying with applicable laws.
This article explains what consent is, why it is necessary for legal agreements, when you need to get it, and how to obtain it.
"I Agree" Checkbox by TermsFeed tool can help you enforce your legal agreements in 3 easy steps.
Step 1. Adjust the settings in order to display your legal agreements properly.
Step 2. Customize the style to match your brand design.
Step 3. You're done! Just copy the generated code and paste it on your website.
- 1. What is Consent?
- 2. What are Legal Agreements?
- 3. What Laws Require Consent for Legal Agreements?
- 4. What is the Best Way to Obtain Consent for Legal Agreements?
- 5. Where/When Should I Get Consent for Legal Agreements?
- 6. What are the Best Practices for Requesting Consent for Legal Agreements?
  - 6.1. Explicitly Ask For Consent
  - 6.2. Include Links to Relevant Legal Agreements
  - 6.3. Provide a Way For Users to Withdraw Consent
  - 6.4. Offer Different Checkboxes for Each "I Agree" Statement
  - 6.5. Re-obtain Consent as Needed
  - 6.6. Maintain Consent Records
- 7. What are Some Examples of How to Get Consent for Legal Agreements?
  - 7.1. Account Sign-Up
  - 7.2. Communications Sign-Up
  - 7.3. Ecommerce Checkout
- 8. Summary
What is Consent?
For our purposes here, consent is when an individual agrees to be bound by a legal agreement. For consent to be considered valid, it must be given freely, without coercion or force, and the individual needs to understand exactly what they are consenting to.
Consent helps make legal agreements valid and enforceable.
One of the most common and best-practice methods of obtaining consent to legal agreements is by using a checkbox next to an "I Agree" statement, and requiring users to check the box to show consent.
What are Legal Agreements?
Legal agreements are documents that communicate the terms, conditions, rights, and responsibilities of each party in a specified relationship.
Many laws require businesses that collect or handle personal data to maintain clearly written, regularly updated Privacy Policies on their websites and mobile apps.
- What kind of information you collect
- How you collect information
- What you do with the data you collect
- What third parties you share information with
- What information you share with or sell to third parties
- How consumers can exercise their privacy rights (including how to withdraw their consent)
- How you keep the data you collect secure
- How consumers can contact you
For instance, when a user clicks on Apple's Personal Data Apple Collects from You clause, they get a detailed explanation about the situations in which Apple collects personal data:
A Terms and Conditions agreement (also known as Terms of Service or Terms) describes the rules that consumers must agree to in order to use your website, app, products, or services. It explains where your responsibilities end and a consumer's begin.
While a Terms and Conditions agreement is not legally required, it's still a good idea to have one, as it serves to educate users about what they need to consent to if they wish to use your services.
Your Terms and Conditions agreement should include clauses that are relevant to your business.
Some of the clauses commonly used in Terms and Conditions agreements include:
- Payment and billing terms: Describes how consumers can pay you and the rules concerning subscriptions
- Intellectual property: Explains that you own the content on your website or mobile app
- Third-party links: Disclaims responsibility for information found via third-party links on your website or app
- Warranties and disclaimers: Explains that your services are available on an "as is" or "as available" condition
- Limitation of liability: Describes what you are legally responsible for
- Applicable/governing law: Explains which laws govern your Terms and Conditions agreement
- Termination of accounts: Informs consumers that you retain the right to terminate their accounts at your discretion
- Contact information: Informs users how they can contact you
Discord's Terms of Service agreement contains clauses detailing copyright information, paid services, account termination, and limitation of liability, among others:
Circumstances in which you likely need to obtain consent include when users sign up for an account or subscribe to a newsletter, or when they make a purchase from you.
What Laws Require Consent for Legal Agreements?
Data protection laws require applicable businesses to get consent from consumers before they collect or process personal information.
Getting consumers to consent to your legal agreements is necessary because these documents describe how you manage consumers' personal information.
The laws requiring consent depend on where you and your consumers are located and include federal, state, and international laws.
Several laws require businesses to get consent from consumers before using their personal information, including the Children's Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR) and others. Here's a brief overview of some of them.
The California Consumer Privacy Act (CCPA), together with its CPRA amendments, is California's primary consumer protection law and has consent rules for the collection and processing of California residents' personal information.
The CPRA requires businesses that meet its criteria to get consent from California consumers in certain situations, including:
- Before selling or sharing consumers' personal information
- Prior to using personal data for any purposes the consumer didn't initially consent to
- Before entering a consumer into a financial incentive program
The law requires businesses to clearly explain why they are requesting consent and to ensure that consent is unambiguous.
The CPRA defines consent and states that businesses can get consent through the use of "a statement or by clear affirmative action" that signifies the consumer's agreement to its terms:
The Virginia Consumer Data Protection Act (VCDPA) applies to certain businesses based in Virginia or businesses located outside of the state that offer goods or services to Virginia residents.
It requires applicable businesses to limit their collection of personal data to that which is necessary to fulfill their purposes and to get consent before processing:
- Personal data for additional purposes
- Sensitive personal information
- Data belonging to children
The VCDPA mandates that data controllers (those who decide how to use consumers' personal data) get consent from Virginia consumers before processing their personal data for reasons beyond those considered reasonably necessary. Controllers must also get consent before processing sensitive data, and must abide by COPPA when processing children's sensitive personal data.
Many global consumer protection laws also require businesses to get consent before processing consumers' personal data. Some laws apply to organizations outside of the governing location.
Let's take a look at the European Union's General Data Protection Regulation (GDPR) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).
The GDPR is the EU's comprehensive data protection law. It applies to EU businesses that process EU citizens' data, as well as to businesses located outside of the EU that provide goods or services to EU consumers.
Consent is one of the GDPR's lawful bases for processing. For consent to be valid under the GDPR, it must be freely given, and the individual giving consent needs to understand exactly what they are agreeing to.
The law also requires applicable businesses to provide a way for data subjects (those to whom personal data belongs) to easily withdraw their consent at any time.
Article 7 of the GDPR explains its conditions for consent, including informing data subjects that they can withdraw their consent at any time and providing an easy method for doing so.
Under the GDPR, consent cannot be implied. The individual providing consent must actively opt-in to data processing (the use of their personal information).
PIPEDA is Canada's main privacy legislation. It applies to organizations that process Canadians' personal information. It requires applicable organizations to follow its ten principles for the protection of personal information, of which consent is one.
Under PIPEDA, organizations must get Canadian consumers' consent before collecting, using, or disclosing their personal information. They must explain what information they are collecting and why and give consumers a user-friendly method for withdrawing their consent.
PIPEDA states that organizations must explain why they wish to collect, use, or share consumers' personal information. It explains that consent beyond what is necessary can't be a condition of supplying goods or services:
What is the Best Way to Obtain Consent for Legal Agreements?
The best way to obtain consent is through the use of a checkbox next to a statement that the user agrees to your terms. A checkbox next to an "I Agree" or consent statement is effective because it is unambiguous, user-friendly, and requires active participation from the consumer.
Here's an example of this, from Gaia. Users are required to tick checkboxes stating that they consent to legal agreements before creating an account. The form also gives them the option to tick a checkbox to sign up to receive news emails from the company:
Avoid using pre-ticked checkboxes or any other implied consent methods. Users should have to tick the checkbox in order to continue navigating your website or app or to complete an online activity such as subscribing to a newsletter or making a purchase.
Many companies like Hulu still rely on a statement located above a button that says that users must agree to their terms before continuing with their intended action. However, this method for obtaining consent is not ideal, as it could be argued that the user didn't actually mean to agree with the statement, and simply wanted to continue using the site or app:
Where/When Should I Get Consent for Legal Agreements?
You should put "I Agree" checkboxes to get consent to legal agreements wherever you intend to collect or process consumers' personal information.
Some common locations for placing "I Agree" checkboxes on websites and mobile apps to get consent to legal agreements include the following:
- Account sign-up page
- Newsletter subscription form
- Pop-up notifications
- Checkout page
- Contact Us form
- In-app menu
- App download page
What are the Best Practices for Requesting Consent for Legal Agreements?
There are a few steps you should take to ensure your consent request methods are compliant with applicable laws, such as linking your legal documents within your consent agreement and providing consumers with a way to withdraw their consent.
Let's take a look at best practices for requesting consumer consent.
Explicitly Ask For Consent
You should clearly state exactly what you wish the consumer to consent to.
When users go to create an Apple ID, they have the option to tick checkboxes to agree to receive marketing communications from the company. Apple explains that if users tick the checkboxes they may receive targeted advertising based on how they use its services, and provides a link where users can learn more about how Apple manages their personal information:
Include Links to Relevant Legal Agreements
You should put links to relevant legal documents within your consent request so that users can read and agree to your terms before you collect their data.
Here you can see the names of the legal agreements are hyperlinked:
Here's an even more detailed method of displaying your legal agreements at the same time you request that users consent to them:
Provide a Way For Users to Withdraw Consent
You should provide users with a way to withdraw their consent. The method for withdrawing consent should be at least as easy as the method used to obtain it.
Here's how you can include a note after the consent request checkboxes and before a user submits consent to let them know that they can update, change or withdraw consent at any time, and how:
Offer Different Checkboxes for Each "I Agree" Statement
Instead of bundling everything you want consumers to agree to in one statement, you should give them the ability to pick and choose what they consent to. This is known as granular consent.
Re-obtain Consent as Needed
You should ask consumers again for consent to use their personal information whenever you update your legal agreements or want to use their data for any purposes beyond what they initially agreed to.
Whenever you make changes to your legal agreements, you will want to reach out to consumers to let them know about the updates.
Maintain Consent Records
It's important to keep a record of the consent you acquire. Your consent records should describe how and when you obtained consent from each consumer.
What are Some Examples of How to Get Consent for Legal Agreements?
Let's take a look at some of the situations that require consumer consent and examples of consent mechanisms.
Account Sign-Up
You should get consent whenever a user needs to provide personal information to create an account.
Here's another example that has users check a box next to a statement certifying that they are of a certain age and that they agree to (or give consent to) legal agreements:
And another that has users give consent to two different sets of terms agreements by checking a box next to an "I Accept" statement:
This works in a mobile app format as well, as seen here:
Communications Sign-Up
Email addresses, phone numbers and other methods of contact count as personal information under many privacy protection laws, so it's important to get consent from consumers when they subscribe to your newsletter or offer to connect with you in other ways.
You should use the same approach here, by having users check a box next to a statement that shows they are clearly consenting to receive communications from you.
While this next example is from an account creation process, it shows how you can also get consent for communications at that stage. While signing up, users must take an extra step to check a box to show they are also consenting to receive emails and promotional content:
You should also provide an unsubscribe link as a part of each newsletter so that consumers have the option to stop receiving communications from you.
Here's another example of combining both consent requests:
And one more, just to really demonstrate the point here: the SeedInvest sign-up form, with consent checkboxes highlighted.
Ecommerce Checkout
You should get consent before collecting or using consumers' financial information to complete purchases.
Here's an example of this, still using the tried and true checkbox method:
Here's another example of requesting that a shopper give consent by clicking to accept your Terms agreement before placing an order:
Summary
Any business that maintains legal agreements such as Privacy Policies or Terms and Conditions agreements on its website or mobile app should have a system in place for obtaining consumer consent.
Consent to a legal agreement is when a user agrees to the terms within, and to be bound by them.
Getting consumer consent to your legal agreements is important because it helps build trust in your brand and helps you comply with applicable state, federal, and global laws. Your legal agreements are also not guaranteed to be legally enforceable without valid consent.
Federal, state, and international laws require certain businesses to get consent from consumers. You should get consent to your legal agreements before collecting or processing consumers' personal information.
One of the best ways to get consent to your legal documents is through the use of a tickable checkbox next to an "I Agree" statement. Getting consent this way helps ensure that it is freely given and unambiguous.
Common places to put "I Agree" checkboxes include:
- Account sign-up page
- Newsletter subscription form
- Pop-up notifications
- Checkout page
- Contact form
- In-app menu
- App download page
When getting consumer consent to your legal agreements you should take the following steps:
- Clearly explain what you are requesting consent for
- Provide links to your legal agreements
- Give consumers a way to easily withdraw their consent
- Provide individual checkboxes for each consent request
- Ask for consent again whenever you update your legal agreements or want to use consumers' personal data for purposes other than those to which they initially agreed
- Keep consent records that contain information about how and when you obtained consumer consent