Previously on the CogitActive Saga:
In order to fulfill the ‘explicit consent’ GDPR requirement, WordPress added a cookie consent checkbox to the comment form.
… starting from the point where the story stopped.
Should I gain consent to store commenter’s personal information? While my quest for an answer proved more difficult than anticipated, I ended up with some resolution: to use legitimate interests as legal basis for the processing of my comment form’s data. However, many questions remained…
In my effort to find a legal answer to the aforementioned question, I indeed raised another burning issue…
Any form submission must obtain the user’s explicit consent, and not only that, but an agreement to terms and privacy policy, which can’t be inserted in Jetpack Comments either. (johnstonesnow)
Again, is johnstonesnow’s claim correct? Specifically, should I obtain an agreement to my privacy policy?
Privacy Policy
As detailed in GDPR part 4 – Privacy Policy, this legal document is the keystone for ensuring that your site visitors/users are aware of your privacy practices. In particular, a Privacy Policy should inform in a concise, transparent, intelligible and easily accessible form, using clear and plain language, what data you are processing, how you do so and for what purpose, among other things (see Articles 12-14). Not only should this information be included in your Privacy Policy, but it should also, apparently, be provided to data subjects at the time you collect their data.
The Privacy Policy itself is important, but it may not be legally applicable if people claim that they never saw it. (PrivacyPolicies)
Naïvely1, I thought that having a link to my Privacy Policy in the footer of my sites was enough. Not only is the footer a conspicuous location, but it is also present on every page, thus making sure that the link is always available to visitors. However, through my readings, I have encountered a recurring claim: these agreements are essentially useless if you do not get people to legally agree to be bound by their terms.
Gone are the days when a Privacy Policy link in the footer was enough to satisfy privacy law and consumers. (PrivacyPolicies)
Now, as explained by Ben Wolford – editor in chief at GDPR EU – the GDPR emphasizes that the Privacy Policy should be easy to understand and accessible, and he adds: If you are collecting data directly from someone, you have to provide them with your privacy notice at the moment you do so. In fact, the GDPR (Article 12) specifies: The information shall be provided in writing, or by other means, including, where appropriate, by electronic means . . . without undue delay . . . free of charge. Nothing about obtaining consent! Yet, many articles (from websites offering Terms and Policies generators) make assertions like the following one:
Now that the Privacy Policy is live, you need to make sure website visitors are seeing it and consenting to it before their personal information is collected. (PrivacyPolicies)
To get consent?
For legal peace of mind, it is in your best interest to ensure that all users have the opportunity to understand and accept your privacy practices before you collect, store, or process their personal information. (PrivacyPolicies)
The Correct (and Incorrect) Way to Request Privacy Policy Consent.
Let us assume, for a second, that you really need to obtain consent to your Privacy Policy. What do the aforementioned articles (from companies offering Privacy Policy generators) have to say on that matter? According to them, there’s a favored method to ensure that your legal agreements are able to be upheld in the event of a legal dispute or if other issues arise, and that is to obtain consent from users. In keeping with this logic, the most valid and binding ways to obtain user consent of the Privacy Policy is – still according to them – a mandatory “I agree” checkbox, namely a click-wrap. Of course, given the clear affirmative action requirement of the GDPR (see GDPR part 6 – Comment form adjustment), the checkbox should be unticked by default.
Browse-wrap vs. click-wrap
According to Wikipedia, the first term is used in Internet law to refer to a contract or license agreement covering access to or use of materials on a web site. Such an agreement does not require any type of express manifestation of assent. Rather, a web-site user purportedly gives their consent simply by using the product — such as by entering the website. Indeed, browse-wrap agreements are written in a manner that gathers consent by the user’s action (e.g. by browsing a website).
As opposed to the former, click-wrap agreements require the user to click a button or check a box to indicate agreement. Usually, if they don’t do so, they are not allowed to move forward and use the site. Such an agreement generally contains, in addition to the checkbox, a notice telling you that you agree to the terms if you check the box. This is in contrast with the browse-wrap agreement, which can be just a link to the actual legal agreement page.
To make a contract enforceable, it seems that the user needs to have notice and to give consent (among other things). While you can provide a notice with a browse-wrap as well (as opposed to just having a link in the footer of your website), increased notice is inherent to click-wraps. As for the second aspect, express consent – as opposed to implied consent – is what you are getting when you use click-wraps rather than browse-wraps. As explained in the previous post, implied consent does not exist in the GDPR. Hence, it is not surprising that the aforementioned articles favored click-wraps. Besides, the latter make the method of acceptance unambiguous, another of the five elements required for consent under the GDPR.
Granted, click-wraps show clear notice and consent, but can you apply them to your Privacy Policy as a whole?
The clickwrap method can be used on websites, mobile apps, and desktop apps, regardless of the legal agreement presented to users: Privacy Policy, Terms and Conditions… (Sara P.)
A catch-22 situation?
Again, by their very nature, click-wraps gather (explicit) consent. But here is the thing: consent must be 1) freely given, 2) specific, 3) informed, 4) unambiguous, and 5) given by a statement or by a clear affirmative action; If you’re missing any one of these five elements, you don’t have consent under the GDPR.
Of course, I didn’t twig what the problem was immediately; still, there was something wrong somewhere. For instance, in my opinion, claims like If each of your users specifically agrees to the terms of your Privacy Policy, that consent will extend to include the data processing practices that are described therein are at odds with the idea that consent must be obtained in a manner that is specific. Similarly, the mandatory aspect – If the user doesn’t check the checkbox, the form will not be submitted and the user can’t continue – seems in conflict with the freely given requirement. But what do I know; I am neither a lawyer nor an attorney.
Unbelievably, I could not find anything addressing such a simple question: should I, and equally important, can I add a Privacy Policy consent checkbox to my comment form? None of my Google queries brought up anything relevant; nothing but the aforementioned articles from Terms and Policies generator websites. A desperate helplessness enveloped me. Given the circumstances, I had to look at a similar question on Quora2: Under the GDPR rules, do I need to add consent check box for the contact form on the site? Among the four answers provided, the one by Nils Höglund (Certified Information Privacy Professional/Europe) was probably the most pertinent:
No, probably not unless you are processing special categories of data . . . Most probably, with reservation for not knowing the details of your intended processing, you could rely on the lawful basis “legitimate interest” . . . Regardless of the lawful basis used you always have to provide the information listed in Article 13 . . . in a clearly linked privacy policy.
While not directly addressing my concern, this was clearly reminiscent of the strategy adopted by Christian Behrends3 to make the WordPress comment form GDPR-compliant (see GDPR part 6 – Comment form adjustment). In short, he asserts that legitimate interest is preferable to the consent of the data subject as legitimation of the processing and sufficient, and, among other measures, he adds to the comment form a mandatory checkbox with an “I read your Privacy Policy” label and a link to the policy page. While most would have found this a satisfactory answer, it was not good enough for me (i.e. not an official source of information) and I kept searching for something more convincing.
This blog post by Thomas Kahler4, a lawyer specialized in IT law and a certified Data Protection Officer (DPO), was going to put the final nail in the coffin of this Privacy Policy click-wrap:
By asking for consent to their privacy policy these companies are trying to reach a higher degree of legal certainty for their compliance with GDPR. But this approach fails since the consent to the privacy policy is invalid: Firstly, the consent is not freely given since the users have no choice. Secondly, the consent is not specific since the privacy policy contains multible[sic] purposes. (Thomas Kahler)
My unease about the supposedly most valid and binding ways to obtain user consent of the Privacy Policy was apparently not groundless. Indeed, as already emphasized, consent must be freely given and, as stressed by Thomas Kahler, a consent without choice is invalid. He also pointed out that a consent which may not be withdrawn is legally invalid. That derives from the argumentum e contrario. As if these two issues were not enough, he also reminds us that GDPR requires consent to be given seperately[sic] for each purpose in case different purposes do apply and that the Privacy Policy, which contains all aspects of data processing operations of the controller, indeed covers multiple purposes. Therefore, he concludes, Insofar the controller only asks for one consent which is covering the whole privacy policy, this single consent is invalid.
Therefore, a consent to a privacy policy is invalid. (Thomas Kahler)
To sum up
Contrary to popular belief, and as convincingly demonstrated by Thomas Kahler, using an “I agree to Privacy Policy” click-wrap is NOT the most valid and binding ways to obtain user consent of the Privacy Policy. Clearly, the assertion that this method will ensure that your legal agreements are able to be upheld in the event of a legal dispute or if other issues arise is unfounded. Such consent is actually, quoting Thomas Kahler, invalid.
Why is everybody doing this then, you may wonder. I would probably have used this method myself had I limited my reading to the first article on the matter. Fortunately, as often specified, the CogitActive modus operandi consists in studying every aspect of a problem – gathering and reading all possible information on the subject matter – before taking the most informed decision possible. While failing to convince me to use an “I agree to Privacy Policy” click-wrap, the first article I read actually prompted me to question this method; hence this post!
So, what is my decision at the end?
To answer this, let me remind you of a few specifics of the GDPR requirements. As pointed out on the GDPR EU website, the information about what data you are processing, how you do so and for what purpose, among other things (see Articles 12-14), should be described in your Privacy Policy in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Checked! Equally importantly, this information should be provided to data subjects at the time you collect their data. My understanding is that, when you collect personal data, you should provide a link to your Privacy Policy within the form where you are collecting the information, thus making sure people can easily access it.
Regardless of the lawful basis used you always have to provide the information listed in Article 13 . . . in a clearly linked privacy policy. (Nils Höglund)
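One way to put this into practice in WordPress, as an added example that is not code from this post or from any of the authors cited above: a small snippet for a theme’s functions.php or a site-specific plugin that appends a notice linking to the site’s Privacy Policy page directly under the comment form, where the personal data is actually collected. It assumes the Privacy Policy page has been selected under Settings > Privacy (WordPress 4.9.6 or later, which is where get_privacy_policy_url() appeared); the function name, the CSS class and the wording of the notice are assumptions for this example, not the post’s own.

```php
<?php
// Added example (not the CogitActive post's own code): surface the Privacy Policy link
// inside the comment form, at the point of collection, rather than only in the footer.
// Assumes the Privacy Policy page is configured under Settings > Privacy (WP 4.9.6+).

add_filter( 'comment_form_defaults', 'cogitactive_comment_form_privacy_link' );

/**
 * Append a privacy notice with a link to the Privacy Policy page below the comment field.
 *
 * @param array $defaults Default arguments passed to comment_form().
 * @return array The arguments, with the notice appended when a policy page exists.
 */
function cogitactive_comment_form_privacy_link( $defaults ) {
	// get_privacy_policy_url() returns an empty string when no policy page has been
	// chosen; in that case leave the form untouched instead of linking to nowhere.
	$policy_url = get_privacy_policy_url();
	if ( '' === $policy_url ) {
		return $defaults;
	}

	// The wording is an assumption for this example; it reflects the legitimate-interest
	// basis the post settled on and the fields WordPress stores for a comment.
	$notice = sprintf(
		'<p class="comment-form-privacy-notice">%s</p>',
		sprintf(
			/* translators: %s: URL of the Privacy Policy page. */
			__( 'Your name, email address, comment and IP address are processed to publish and moderate comments (legitimate interest). See our <a href="%s">Privacy Policy</a> for what is collected, why, and for how long.', 'cogitactive' ),
			esc_url( $policy_url )
		)
	);

	// 'comment_notes_after' is rendered just below the comment textarea; append rather
	// than overwrite so notes added by the theme or other plugins are preserved.
	$existing                        = isset( $defaults['comment_notes_after'] ) ? $defaults['comment_notes_after'] : '';
	$defaults['comment_notes_after'] = $existing . $notice;

	return $defaults;
}
```

Because the notice is plain information and not a checkbox, nothing about it asks for consent: it simply satisfies the “provide the information at the time you collect the data” requirement discussed above while the processing itself rests on legitimate interest.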
To be continued…
1 Not so naïvely, actually. On the GDPR.EU website, a resource for organizations and individuals researching the General Data Protection Regulation, it is stated: [the Privacy Policy] should be accessible via a direct link from every webpage. If a website collects any personal data online, the privacy notice or a link to it should be provided on the same page where the data collection occurs.
2 Although I would not consider Quora a reliable source of information, I had no choice but to make an exception.
3 Christian Behrends (2019) GDPR-compliant Comments with WordPress. webdevtrust.
4 Thomas Kahler (2019) Consent to privacy policy – invalid. DPOblog.
5 You might remember from the previous post that Ben Wolford, the editor in chief at GDPR EU, explains: You only need to choose one legal basis for data processing, but once you’ve chosen it you have to stick with it. You cannot change your legal basis later.