Previously on the CogitActive Saga:
In order to fulfill the ‘explicit consent’ GDPR requirement, WordPress added a cookie consent checkbox to the comment form.
… starting from the point where the story stopped.
Should I gain consent to store commenter’s personal information? While my quest for an answer proved more difficult than anticipated, I ended up with some resolution: to use legitimate interests as legal basis for the processing of my comment form’s data. However, many questions remained…
In my effort to find a legal answer to the aforementioned question, I indeed raised another burning issue…
provided to data subjects at the time you collect their data.
these agreements are essentially useless if you do not get people to legally agree to be bound by their terms.
If you are collecting data directly from someone, you have to provide them with your privacy notice at the moment you do so. In fact, the GDPR (article 12) specifies,
The information shall be provided in writing, or by other means, including, where appropriate, by electronic means . . . without undue delay . . . free of charge. Nothing about obtaining consent! Yet, many articles (from websites with Terms and Policies generators) have assertions like the following one:
To get consent?
For legal peace of mind, it is in your best interest to ensure that all users have the opportunity to understand and accept your privacy practices before you collect, store, or process their personal information. (PrivacyPolicies)
there’s a favored method to ensure that your legal agreements are able to be upheld in the event of a legal dispute or if other issues arise and indeed that is to obtain consent from users. In keeping with this logic,
clear affirmative action requirement of the GDPR (see GDPR part 6 – Comment form adjustment), the checkbox should be unticked by default
Browse-wrap vs. click-wrap
According to Wikipedia, the first term
is used in Internet law to refer to a contract or license agreement covering access to or use of materials on a web site. Such agreement does not require any
type of express manifestation of assent. Rather, a web-site user purportedly gives their consent simply by using the product — such as by entering the website. Indeed, browse-wrap agreements are written in a manner that gathers consent by the user’s action (e.g. by browsing a website).
As opposed to the former, click-wrap agreements require the user to click a button or check a box to indicate agreement. Usually, if they don’t do so, they are not allowed to move forward and use the site. Such an agreement generally contains, in addition to the checkbox, a notice telling you that you agree to the terms if you check the box. This is in contrast with the browse-wrap agreement, which can be just a link to the actual legal agreement page.
To make a contract enforceable, it seems that the user needs to have notice and to give consent (among other things). While you can provide a notice (as opposed to just having a link in the footer of your website) to browse-wraps as well, an increased notice is inherent to click-wraps. As for the second aspect, express consent – as opposed to implied consent – is what you are getting when you use click-wraps over browse-wraps. As explained in the previous post,
implied consent does not exist in the GDPR. Hence, it is not surprising that the aforementioned articles favored click-wrap. Besides, the latter makes the method of acceptance unambiguous, another element among the five required for consent under the GDPR.
A catch-22 situation?
Again, by their very nature, click-wraps gather (explicit) consent. But here is the thing: a consent must be 1) freely given, 2) specific, 3) informed, 4) unambiguous, and 5) (given) by a statement or by a clear affirmative action;
If you’re missing any one of these five elements, you don’t have consent under the GDPR.
Of course, I didn’t twig what the problem was immediately; still, there was something wrong somewhere. For instance, in my opinion claims like –
If the user doesn’t check the checkbox, the form will not be submitted and the user can’t continue. – seem in conflict with the freely given requirement. But what do I know; I am neither a lawyer nor an attorney.
While not directly addressing my concern, this was clearly reminiscent of the strategy adopted by Christian Behrends3 to make the WordPress comment form GDPR-compliant (see GDPR part 6 – Comment form adjustment). In short, he asserts that legitimate interest is
My unease about the supposedly
consent must be freely given and as stressed by Thomas Kahler,
a consent without choice is invalid. He also pointed out
a consent which may not be withdrawn is legally invalid. That derives from the argumentum e contrario. As if these two issues were not enough, he also reminds us that
contains all aspects of data processing operations of the controller, covers multiple purposes indeed. Therefore, he concludes,
To sum up
ensure that your legal agreements are able to be upheld in the event of a legal dispute or if other issues arise is unfounded. Such consent is actually, quoting Thomas Kahler,
So, what is my decision at the end?
in a concise, transparent, intelligible and easily accessible form, using clear and plain language. Checked! Equally importantly, this information should be
To be continued…
1 Not so naïvely, actually. In the GDPR.EU website, a resource for organizations and individuals researching the General Data Protection Regulation, it is stated:
2 Although I would not consider Quora as a reliable source of information, I had no choice but to make an exception.
3 Christian Behrends (2019) GDPR-compliant Comments with WordPress. webdevtrust.
5 You might remember from the previous post that Ben Wolford, the Editor in Chief at GDPR.EU, explains,
You only need to choose one legal basis for data processing, but once you’ve chosen it you have to stick with it. You cannot change your legal basis later.