What Is the GDPR?
The European Union's data protection legislation, known as the General Data Protection Regulation (GDPR), went into force on May 25, 2018. As a comprehensive framework for how companies gather, handle, keep, and share people's personal data inside the EU and European Economic Area (EEA), it superseded the 1995 Data Protection Directive.
The GDPR altered the rules for organisations that use clickwrap agreements. Under the GDPR, pre-ticked boxes and implied agreements are not legally valid, because the legislation demands that consent be freely given, informed, and unambiguous.
Who Does GDPR Apply To?
GDPR applies to every entity, regardless of its location, that handles personal data of EU residents. This means that a non-EU business with clients in Europe must abide by the GDPR in the same way as a business headquartered in Europe. Although the US has its own privacy regulations, such as California's CCPA, GDPR's geographical reach means that compliance is necessary regardless of where the business is located.
The GDPR is applicable when you:
- Provide products or services to EU citizens, even if they are free.
- Monitor how people behave within the EU (e.g., by tracking website visitors).
- Process personal information as part of an organisation's operations in the EU.
If your clickwrap agreement is presented to EU users, it must comply with GDPR consent requirements.
GDPR and Clickwrap Agreements
GDPR imposes specific requirements on how consent is collected through clickwrap agreements. Specifically, Articles 4(11), 6, and 7 establish that consent must be freely given, specific, informed, and unambiguous, with each condition carrying direct implications for clickwrap design, disclosure, and recordkeeping.
How GDPR Affects Clickwrap Design
Under Article 7(2), consent requests must be clearly distinguishable from other matters and presented in an intelligible and easily accessible form. In practice, this means a clickwrap agreement must not be buried within an unrelated workflow or bundled into a general acceptance of terms.
Recital 32 and Article 6(1)(a) demand distinct consent for each purpose when processing serves more than one. A single "I agree" checkbox that covers several purposes at once, such as terms of service, marketing, analytics, and third-party sharing, does not satisfy the GDPR. Each purpose needs its own consent mechanism, whether that is a separate checkbox or a step in a multi-step sequence.
Pre-ticked checkboxes are invalid. The CJEU confirmed this in Planet49 (Case C-673/17, 2019), ruling that a pre-checked box does not constitute valid consent, even where the user could uncheck it. Every checkbox must begin in an unchecked state, requiring a deliberate affirmative action.
Under Article 7(4), consent is not considered free if the performance of a contract is conditional on consent to processing that is not necessary for that contract. Requiring marketing consent as a precondition for account creation is a common example of non-compliance. The user must be able to decline non-essential processing without losing access to the core service.
Withdrawal must be as simple as giving consent: Article 7(3) requires that withdrawing consent be as easy as giving it. If consent is captured through a single click, withdrawal cannot require navigating multiple settings pages or submitting a manual request.
What Must Be Shown Under GDPR
Articles 13 and 14 define the information that must be provided at the point of data collection. For clickwrap agreements, the following must be disclosed before the user agrees to your terms:
- Identity and contact details of the data controller.
- Each specific processing purpose the user is consenting to.
- Categories of personal data being collected.
- Recipients or categories of recipients, including third parties.
- Cross-border transfers, including the destination country and applicable safeguards (Arts. 46-49).
- The right to withdraw consent at any time, without affecting the lawfulness of prior processing.
- Retention periods or the criteria used to determine them.
- The right to lodge a complaint with a supervisory authority.
The ICO's consent guidance provides practical examples of compliant disclosure.
What Records You Must Keep Under GDPR
Article 7(1) states: "Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented." The European Data Protection Board (EDPB) has published further guidance on demonstrating valid consent.
A compliant clickwrap agreement must capture:
- The subject's identity - Name, email, account ID, or other unique identifier.
- Action timestamp - Exact date and time of the consent action.
- The agreement version - Specific version of the terms presented at the moment of acceptance.
- The consent mechanism - Which checkbox was ticked, which button was clicked, and the exact UI presented to the user.
- The purposes consented to - Each individual processing purpose the user accepted.
A database field recording "consent: true" is insufficient. The record must allow the full context of the consent event to be reconstructed: what was presented, when, to whom, and through what mechanism.
When terms are updated, consent given under a previous version does not extend to the new version. The clickwrap system must detect version changes, re-present the updated terms, and capture fresh consent, and every historical version must be archived and linked to the consent records that reference it.
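To make the recordkeeping and versioning requirements above concrete, here is an added Python example (not from the original article) of a minimal append-only consent ledger. `ConsentLedger`, `ConsentEvent`, the mechanism labels and the sample terms text are hypothetical names and constructed values chosen for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
import hashlib

@dataclass(frozen=True)
class ConsentEvent:
    # One consent action, capturing the context Article 7(1) asks the controller to demonstrate
    subject_id: str        # who consented (account ID, email, ...)
    timestamp: datetime    # exact time of the action (UTC)
    terms_version: str     # which version of the terms was on screen
    terms_hash: str        # SHA-256 of the exact text shown, so it can be reproduced later
    mechanism: str         # which control was used, e.g. "checkbox:analytics" (hypothetical label)
    purpose: str           # one processing purpose per event, since each purpose needs its own consent
    granted: bool          # True for consent given, False for a withdrawal

class ConsentLedger:
    def __init__(self):
        self.events = []          # append-only log of ConsentEvent
        self.terms_archive = {}   # version -> exact text presented, kept for every historical version

    def publish_terms(self, version, text):
        self.terms_archive[version] = text

    def record(self, subject_id, version, mechanism, purpose, granted=True):
        if version not in self.terms_archive:
            raise ValueError("cannot record consent to a terms version that was never archived")
        digest = hashlib.sha256(self.terms_archive[version].encode("utf-8")).hexdigest()
        self.events.append(ConsentEvent(subject_id, datetime.now(timezone.utc), version,
                                        digest, mechanism, purpose, granted))

    def has_consent(self, subject_id, purpose, current_version):
        # Valid only if the latest action for this purpose was a grant under the *current* terms;
        # a grant under an older version does not carry over after the terms change.
        matches = [e for e in self.events if e.subject_id == subject_id and e.purpose == purpose]
        if not matches or not matches[-1].granted:
            return False
        return matches[-1].terms_version == current_version

def demo():
    ledger = ConsentLedger()
    ledger.publish_terms("v1", "Terms v1 (constructed sample text)")
    ledger.record("user-42", "v1", "checkbox:analytics", "analytics")
    before = ledger.has_consent("user-42", "analytics", "v1")      # True: fresh consent to v1
    ledger.publish_terms("v2", "Terms v2 (constructed sample text)")
    stale = ledger.has_consent("user-42", "analytics", "v2")       # False: must re-consent to v2
    ledger.record("user-42", "v2", "checkbox:analytics", "analytics")
    ledger.record("user-42", "v2", "link:withdraw-analytics", "analytics", granted=False)
    withdrawn = ledger.has_consent("user-42", "analytics", "v2")   # False: withdrawal is the latest action
    return before, stale, withdrawn
```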
