Use clickwrap on registration forms

Use clickwrap on registration forms

Registration forms are used in a number of places, such as lead generation landing pages, as well as sign-up pages, getting quotes for services, event sign-ups, membership forms, competition entries, and even patient information online for medical clinics.

As these forms have so many uses, they are very ubiquitous.

But many of these registration forms are missing one key thing: the legal agreements that users need to agree to are not linked through what is called the clickwrap method.

First, let's take a look at what clickwrap is, and why you might want to use it on your registration form.

First, what is clickwrap?

Clickwrap is a method of getting agreement to your legal agreement, where the user actually clicks a "I agree" or "I accept" check box in some way.

Some websites use a button, or a statement above a button that says something to the effect of "By clicking the button below you agree to the Terms of Use". Others simply place this kind of checkbox at the end of a web form.

This is an example of clickwrap, as mentioned by FormAssembly:

FormAssembly: Example of checkbox on registration form

Most websites don't use clickwrap. What most websites actually use is something else, called browsewrap.

As an end-user, you'll often see various links to a website's Terms of Use and Privacy Policy agreements down the bottom of a web page in small writing. This is browsewrap.

Here's an example of what browsewrap looks like from BusinessWire:

Footer from BusinessWire Website

A recent case looking at the browsewrap method in the US was the 2012 Zappos case.

Zappos.com had experienced a data leak, and Zappos' customers sued Zappos for that breach. Zappos argued that their customers were bound by the Terms of Use displayed on zappos.com, which didn't allow the customers to sue. Instead the customers would have to go to arbitration because of an arbitration clause in the Terms of Use.

The Court was not convinced and said that the customers did not have "actual or constructive knowledge" of the terms. The Court said:

Here, the Terms of Use hyperlink ... is the same size, font, and color as most other non-significant links... Without direct evidence that [users] click on the Terms of Use, we cannot conclude that [they] ever viewed, let alone manifested assent to, the Terms of Use.

What Zappos used was as a browsewrap agreement: customers had to browse zappos.com to find the link to its Terms of Use agreement and its arbitration clause in it.

Browsewrap is a method where the user is assumed to have agreed to a legal agreement by virtue of their browsing the website and clicking on the small links at the bottom of the web page. Many users don't even see these links, let alone click on them and read them. This is partly why browsewrap is not legally enforceable.

This means that clickwrap is the better choice in terms of making sure that you're covered legally.

Now that you know what clickwrap is, let's take a look at why you'd want to set up the clickwrap method for a legal agreement on your registration forms.

Why registration forms need clickwrap

When creating registration forms - sign-up for an account forms, get a quote forms, and so on - it's particularly important to make sure users have agreed to your legal agreements, especially your Privacy Policy because when users fill out that web form, users will most likely be entering in some personal data that you'll then store and use later.

It's crucial to make sure that your users agree to your Privacy Policy agreement.

In many jurisdictions, if you collect personal data, you must also notify your users that you are doing so, and let them know what purpose you are collecting their data for. This is why Privacy Policies are required by law.

Let's take a look at some of the different privacy laws in a couple of jurisdictions - the UK and EU, and the US - and why it's important to get consent from your users when they register on your website/mobile app.

Flag of EU

In the UK and Europe, the Data Protection Directive and the Data Protection Act 1998 requires that several data collection principles must be followed when companies collect personal information of users in the EU.

These data collection principles are:

  • Users must be notified when or before you collect their personal data. This can be done by setting up legal statements.
  • Users' personal data should only be collected for the stated specific purposes
  • Users' personal data collected should be relevant for the stated purpose
  • Users' personal data should be accurate
  • Users' personal data should not be kept longer than necessary or longer than stated in your agreement
  • Security measures should be put in place to keep users' personal data secure
  • Users' personal data must not be transferred to a country or territory outside the European Economic Area unless that country or territory also ensures an adequate level of protection for users' personal data

In a few months, the Data Protection Directive will be replaced by the General Data Protection Regulation (also known as GDPR), which will make some of these principles even more strict. The GDPR regulation will also apply to anyone collecting the data of EU citizens, not just businesses based in the EU.

US Flag

In the US, there's no federal privacy law that applies generally to online data collection. There is, however, a Californian state law (the California Online Privacy Protection Act 2003) which applies to the data of California residents.

The California Online Privacy Protection Act (or CalOPPA) requires that an operator of an online service (that's a website or a mobile app) that deals with personal data of California residents must have an easily-found and distinctive link to their Privacy Policy agreement.

According to CalOPPA, their Privacy Policy must outline:

  • What type of personal data/information is being collected from users
  • How this collected personal data/information is (or may be) shared with other third parties
  • The effective date of the agreement
  • How the website/mobile app responds to "Do Not Track" requests through a Do Not Track clause in the Privacy Policy.
  • How can users review and update their collected personal data you have on them

If you're running a business that has international or users from the US, it's likely that some of your users will be from California, so it's important to consider whether or not you need to comply with CalOPPA.

Now that we've looked at what clickwrap is, and why you need it, let's briefly cover some of the key things you need to include when you set up this on your web forms, regardless if these web forms are used for registering users, logging users, and so on.

Tips to follow

First, when it's time to set up your web forms, make sure that to clearly hyperlink to your legal agreements that you want users to agree to.

These legal agreements can be a Privacy Policy, a Terms of Use or even an EULA agreement.

A clear and visible link to these legal agreements is a requirement of the CalOPPA law and also has been noted by several courts to be an important factor in whether or not the clickwrap has been effective.

Next, ensure that your clickwrap checkbox is in close proximity to both the web form and the link to the legal agreements.

Here's an example of a checkbox that's in a great position on the Salesforce's free trial registration form:

Registration form from SalesForce

You can see from Salesforce's example that the checkbox is right near the "Start free trial" button. Their checkbox also clearly states "I agree to the Master Subscription Agreement", and the "Master Subscription Agreement" words are hyperlinked in that text.

This is a clear example of a clickwrap that could be legally enforceable.

Registration forms are a common way of collecting user data, but they need to be more closely examined to ensure that they use clickwrap methods when linking legal agreements.

Without a clickwrap method, your legal agreements may not be legally binding on your users, and you may not be appropriately notifying them of the data collection that you are undertaking (in cases of Privacy Policy agreements) or what rules they need to agree to (in cases of Terms of Service agreements).

Other Categories:

Leah Hamilton

Qualified Solicitor. Writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.