Getting consent for your legal agreements not only helps build trust with consumers, it is also an essential step in complying with applicable laws.

This article explains what consent is, why it is necessary for legal agreements, when you need to get it, and how to obtain it.

The "I Agree" Checkbox tool by TermsFeed can help you enforce your legal agreements in 3 easy steps.

  1. Step 1. Adjust the settings in order to display your legal agreements properly.

    TermsFeed Free Tools: I Agree Checkbox - Settings - Step 1

  2. Step 2. Customize the style to match your brand design.

    TermsFeed Free Tools: I Agree Checkbox - Customize - Step 2

  3. You're done! Just copy the generated code from Step 3 and paste it on your website.

    TermsFeed Free Tools: I Agree Checkbox - Copy your Code - Step 3



For our purposes here, consent is when an individual agrees to be bound by a legal agreement. For consent to be considered valid, it must be given freely, without coercion or force, and the individual needs to understand exactly what they are consenting to.

Consent helps make legal agreements valid and enforceable.

One of the most common and best-practice methods of obtaining consent to legal agreements is by using a checkbox next to an "I Agree" statement, and requiring users to check the box to show consent.

Here's an example of this:

Autodesk Create Account form with Agree checkbox highlighted

Legal agreements are documents that communicate the terms, conditions, rights, and responsibilities of each party in a specified relationship.

Common legal agreements include Privacy Policies and Terms and Conditions agreements.

A Privacy Policy describes how you collect and process consumers' personal data.

Many laws require businesses that collect or handle personal data to maintain clearly written, regularly updated Privacy Policies on their websites and mobile apps.

A Privacy Policy typically contains the following clauses:

  • What kind of information you collect
  • How you collect information
  • What you do with the data you collect
  • What third parties you share information with
  • What information you share with or sell to third parties
  • How consumers can exercise their privacy rights (including how to withdraw their consent)
  • How you keep the data you collect secure
  • How consumers can contact you

The clauses in Apple's Privacy Policy are in a drop-down menu format, which is an effective method of organizing large amounts of information so that users can easily find what they're looking for:

Apple Privacy Policy Table of Contents menu

For instance, when a user clicks on Apple's Personal Data Apple Collects from You clause, they get a detailed explanation about the situations in which Apple collects personal data:

Apple Privacy Policy: Personal data Apple collects from you clause

A Terms and Conditions agreement (also known as Terms of Service or Terms) describes the rules that consumers must agree to in order to use your website, app, products, or services. It explains where your responsibilities end and a consumer's begin.

While a Terms and Conditions agreement is not legally required, it's still a good idea to have one, as it serves to educate users about what they need to consent to if they wish to use your services.

Your Terms and Conditions agreement should include clauses that are relevant to your business.

Some of the clauses commonly used in Terms and Conditions agreements include:

  • Payment and billing terms: Describes how consumers can pay you and the rules concerning subscriptions
  • Intellectual property: Explains that you own the content on your website or mobile app
  • Third-party links: Disclaims responsibility for information found via third-party links on your website or app
  • Warranties and disclaimers: Explains that your services are available on an "as is" or "as available" condition
  • Limitation of liability: Describes what you are legally responsible for
  • Applicable/governing law: Explains which laws govern your Terms and Conditions agreement
  • Termination of accounts: Informs consumers that you retain the right to terminate their accounts at your discretion
  • Privacy Policy: Lets consumers know where they can find your Privacy Policy
  • Contact information: Informs users how they can contact you

Discord's Terms of Service agreement contains clauses detailing copyright information, paid services, account termination, and limitation of liability, among others:

Discord Terms of Service: Table of contents

Circumstances in which you likely need to obtain consent include when users sign up for an account or subscribe to a newsletter, or when they make a purchase from you.

Data protection laws require applicable businesses to get consent from consumers before they collect or process personal information.

Getting consumers to consent to your legal agreements is necessary because these documents describe how you manage consumers' personal information.

The laws requiring consent depend on where you and your consumers are located and include federal, state, and international laws.

Several laws require businesses to get consent from consumers before using their personal information, including the Children's Online Privacy Protection Act (COPPA), the General Data Protection Regulation (GDPR), and others. Here's a brief overview of some of them.

Under COPPA, U.S. businesses must get parental consent before collecting or processing personal data (information that can be used to identify an individual) belonging to children. Businesses should also maintain a Privacy Policy on their websites or apps that explains what information they collect from children and why, and who they share that data with.

The California Consumer Privacy Act (CCPA), together with its CPRA amendments, is California's primary consumer protection law and has consent rules for the collection and processing of California residents' personal information.

The CPRA requires businesses that meet its criteria to get consent from California consumers in certain situations, including:

  • Before selling or sharing consumers' personal information
  • Prior to using personal data for any purposes the consumer didn't initially consent to
  • Before entering a consumer into a financial incentive program

The law requires businesses to clearly explain why they are requesting consent and to ensure that consent is unambiguous.

The CPRA defines consent and states that businesses can get consent through the use of "a statement or by clear affirmative action" that signifies the consumer's agreement to its terms:

CPRA Section 1798 40 Definition of consent

The Virginia Consumer Data Protection Act (VCDPA) applies to certain businesses based in Virginia or businesses located outside of the state that offer goods or services to Virginia residents.

It requires applicable businesses to limit their collection of personal data to that which is necessary to fulfill their purposes and to get consent before processing:

  • Personal data for additional purposes
  • Sensitive personal information
  • Data belonging to children

The VCDPA mandates that data controllers (those who decide how to use consumers' personal data) must get consent from Virginia consumers before processing their personal data for reasons beyond those considered reasonably necessary, and must get consent before processing sensitive data and abide by COPPA when processing children's sensitive personal data:

VCDPA Data Controller Responsibilities section excerpt

And here is the other relevant section:

VCDPA Data Controller Responsibilities section - Sensitive data excerpt

Many global consumer protection laws also require businesses to get consent before processing consumers' personal data. Some laws apply to organizations outside of the governing location.

Let's take a look at the European Union's General Data Protection Regulation (GDPR) and Canada's Personal Information Protection and Electronic Documents Act (PIPEDA).

The GDPR is the EU's comprehensive data protection law. It applies to EU businesses that process EU citizens' data, as well as to businesses located outside of the EU that provide goods or services to EU consumers.

Consent is one of the GDPR's lawful bases for processing. For consent to be valid under the GDPR, it must be freely given, and the individual giving consent needs to understand exactly what they are agreeing to.

The law also requires applicable businesses to provide a way for data subjects (those to whom personal data belongs) to easily withdraw their consent at any time.

Article 7 of the GDPR explains its conditions for consent, including informing data subjects that they can withdraw their consent at any time and providing an easy method for doing so.

GDPR Article 7: Conditions for Consent

Under the GDPR, consent cannot be implied. The individual providing consent must actively opt-in to data processing (the use of their personal information).

PIPEDA is Canada's main privacy legislation. It applies to organizations that process Canadians' personal information. It requires applicable organizations to follow its ten principles for the protection of personal information, of which consent is one.

Under PIPEDA, organizations must get Canadian consumers' consent before collecting, using, or disclosing their personal information. They must explain what information they are collecting and why and give consumers a user-friendly method for withdrawing their consent.

PIPEDA states that organizations must explain why they wish to collect, use, or share consumers' personal information. It explains that consent beyond what is necessary can't be a condition of supplying goods or services:

PIPEDA Principle 3: Consent - Excerpt

The best way to obtain consent is through the use of a checkbox next to a statement that the user agrees to your terms. A checkbox next to an "I Agree" or consent statement is effective because it is unambiguous, user-friendly, and requires active participation from the consumer.

Here's an example of this, from Gaia. Users are required to tick checkboxes stating that they consent to legal agreements before creating an account. The form also gives them the option to tick a checkbox to sign up to receive news emails from the company:

Gaia create account form with consent checkboxes highlighted

Avoid using pre-ticked checkboxes or any other implied consent methods. Users should have to tick the checkbox in order to continue navigating your website or app or to complete an online activity such as subscribing to a newsletter or making a purchase.

Many companies like Hulu still rely on a statement located above a button that says that users must agree to their terms before continuing with their intended action. However, this method for obtaining consent is not ideal, as it could be argued that the user didn't actually mean to agree with the statement, and simply wanted to continue using the site or app:

Hulu example of implied consent

You should put "I Agree" checkboxes to get consent to legal agreements wherever you intend to collect or process consumers' personal information.

Some common locations for placing "I Agree" checkboxes on websites and mobile apps to get consent to legal agreements include the following:

  • Account sign-up page
  • Newsletter subscription form
  • Pop-up notifications
  • Checkout page
  • Contact Us form
  • In-app menu
  • App download page

There are a few steps you should take to ensure your consent request methods are compliant with applicable laws, such as linking your legal documents within your consent agreement and providing consumers with a way to withdraw their consent.

Let's take a look at best practices for requesting consumer consent.

You should clearly state exactly what you wish the consumer to consent to.

When users go to create an Apple ID, they have the option to tick checkboxes to agree to receive marketing communications from the company. Apple explains that if users tick the checkboxes they may receive targeted advertising based on how they use its services, and provides a link where users can learn more about how Apple manages their personal information:

Apple ID Create form excerpt

You should put links to relevant legal documents within your consent request so that users can read and agree to your terms before you collect their data.

Here you can see the names of the legal agreements are hyperlinked:

Generic Create Account form with I Agree checkbox highlighted - example

Here's an even more detailed method of displaying your legal agreements at the same time you request that users consent to them:

Generic submit payment with Agree to Terms checkbox highlighted

You should provide users with a way to withdraw their consent. The method for withdrawing consent should be at least as easy as the method used to obtain it.

Here's how you can include a note after the consent request checkboxes and before a user submits consent to let them know that they can update, change or withdraw consent at any time, and how:

Adoption UK newsletter sign up form checkboxes

Offer Different Checkboxes for Each "I Agree" Statement

Instead of bundling everything you want consumers to agree to in one statement, you should give them the ability to pick and choose what they consent to. This is known as granular consent.

Dior's account creation page includes individual checkboxes next to statements consenting to receive customized news and/or text messages and a statement that consumers have read and agree to its Privacy Policy:

Dior create account form with consent checkboxes highlighted

You should ask consumers again for consent to use their personal information whenever you update your legal agreements or want to use their data for any purposes beyond what they initially agreed to.

Whenever you make changes to your legal agreements, you will want to reach out to consumers to let them know about the updates.

It's important to keep a record of the consent you acquire. Your consent records should describe how and when you obtained consent from each consumer.

Let's take a look at some of the situations that require consumer consent and examples of consent mechanisms.

Account Sign-Up

You should get consent whenever a user needs to provide personal information to create an account.

When users go to create an account with Nintendo, they must first tick a checkbox agreeing to the terms in its User Agreement and Privacy Policy. They also have the option to tick a checkbox consenting to receive emails from Nintendo:

Nintendo Create Account form with Agree checkboxes highlighted

Here's another example that has users check a box next to a statement certifying that they are of a certain age and that they agree to (or give consent to) legal agreements:

Vudu Create Account form with Agree to Terms and Privacy checkbox highlighted

And another that has users give consent to two different sets of terms agreements by checking a box next to an "I Accept" statement:

Pizza Hut Create Account form with Accept Terms checkbox highlighted - Updated version

This works in a mobile app format as well, as seen here:

Shpock app sign-up and accept Terms of Service and Privacy Policy screen

Communications Sign-Up

Email addresses, phone numbers and other methods of contact count as personal information under many privacy protection laws, so it's important to get consent from consumers when they subscribe to your newsletter or offer to connect with you in other ways.

You should use the same approach here, having users check a box next to a statement that shows they are clearly consenting to receive communications from you.

Here's an example of this:

Havaianas email newsletter sign-up form with Privacy Policy link highlighted

While this next example is from an account creation process, it shows how you can also get consent for communications at that stage. While signing up, users must take an extra step to check a box to show they are also consenting to receive emails and promotional content:

Costco sign-up form with checkbox to receive marketing emails highlighted

You should also provide an unsubscribe link as a part of each newsletter so that consumers have the option to stop receiving communications from you.

Here's another example of combining both consent requests:

Coca-Cola sign-up form with Agree checkboxes highlighted

And one more, just to really demonstrate the point here:

SeedInvest sign-up form with consent checkboxes highlighted

Ecommerce Checkout

You should get consent before collecting or using consumers' financial information to complete purchases.

Here's an example of this, still using the tried and true checkbox method:

Practical Defense Systems Terms and Conditions agreement and checkbox highlighted

Here's another example of requesting that a shopper give consent by clicking to accept your Terms agreement before placing an order:

TermsFeed BigCommerce: Checkout - Payment step - The I agree checkbox for Terms and Conditions displayed highlighted

Summary

Any business that maintains legal agreements such as Privacy Policies or Terms and Conditions agreements on its website or mobile app should have a system in place for obtaining consumer consent.

Consent to a legal agreement is when a user agrees to the terms within, and to be bound by them.

Getting consumer consent to your legal agreements is important because it helps build trust in your brand and helps you comply with applicable state, federal, and global laws. Your legal agreements are also not guaranteed to be legally enforceable without valid consent.

Federal, state, and international laws require certain businesses to get consent from consumers. You should get consent to your legal agreements before collecting or processing consumers' personal information.

One of the best ways to get consent to your legal documents is through the use of a tickable checkbox next to an "I Agree" statement. Getting consent this way helps ensure that it is freely given and unambiguous.

Common places to put "I Agree" checkboxes include:

  • Account sign-up page
  • Newsletter subscription form
  • Pop-up notifications
  • Checkout page
  • Contact form
  • In-app menu
  • App download page

When getting consumer consent to your legal agreements you should take the following steps:

  1. Clearly explain what you are requesting consent for
  2. Provide links to your legal agreements
  3. Give consumers a way to easily withdraw their consent
  4. Provide individual checkboxes for each consent request
  5. Ask for consent again whenever you update your legal agreements or want to use consumers' personal data for purposes other than those to which they initially agreed
  6. Keep consent records that contain information about how and when you obtained consumer consent
