Why Consent to General Terms and Conditions is Not Necessary
In my consulting practice, I frequently encounter a common question. Providers of SaaS solutions or online stores often wonder whether they should ask users to actively agree to their general terms and conditions or privacy policies. This usually stems from uncertainty or a desire for legal protection.
However, the opposite can be true. In many cases, such a request is unnecessary and may even lead to legal problems. This article explains why active consent to general terms and conditions is often superfluous. It also clarifies why requesting consent for data protection declarations can be problematic, and how you, as a provider, can proceed in a legally correct manner.
General Terms and Conditions: Why Consent is Not Required
The General Terms and Conditions (GTC) define the contractual rights and obligations between you, the provider, and your users. Under German law, specifically Section 305 (2) of the German Civil Code (BGB), GTCs only need to be "effectively included" to become part of the contract. Active user consent is not a prerequisite for this. The crucial factor is that the GTCs are reasonably perceptible to the user, meaning they are easily accessible before the contract is concluded.
What Does “Reasonable Perceptibility” Mean?
- The GTCs must be clearly visible before the contract is concluded. An example is a link within the order process or during user registration.
- Users must have the opportunity to read the GTCs thoroughly before completing the contract.
- A simple notice, such as “By using our services, you accept our GTC,” is sufficient to ensure their inclusion in the agreement.
Why a Consent Requirement for GTCs Can Be Problematic
- Legal Uncertainty: If you demand active consent and a user refuses, this could be interpreted as a rejection of the contract. Consequently, the contract might not be concluded at all.
- User-friendliness: A consent requirement creates an unnecessary hurdle for your users. This could potentially deter prospective customers from completing their purchase or registration.
- Misunderstandings: Requesting consent falsely implies that the GTCs are not binding without explicit agreement. This is not legally accurate.
Practical Tip for General Terms and Conditions:
Ensure your GTCs are clearly visible and easily accessible. Place a prominent link in your website's footer or integrate it into the ordering and registration processes. Avoid using checkboxes for consent. Instead, use clear statements like “By using our services, you accept our terms and conditions.”
Privacy Policy: Why Consent Can Be Problematic
The General Data Protection Regulation (GDPR) mandates that users be informed about the processing of their personal data. This information obligation is fulfilled through your privacy policy. Contrary to popular belief, however, active consent to the privacy policy itself is generally not required. In many scenarios, requesting it would even be legally incorrect.
Why Consent to a Privacy Policy is Not Required
- Data processing is typically based on one of the legal grounds outlined in Art. 6 GDPR, such as contract fulfillment or legitimate interest.
- Consent under Art. 6 para. 1 lit. a GDPR is only necessary in specific, exceptional cases, for instance, for certain marketing activities.
- The privacy policy's sole purpose is to inform the user about data processing; it does not constitute a form of consent itself.
Problems with Requesting Consent for Privacy Policies
- False Signal Effect: Demanding consent might misleadingly suggest that all data processing must rely on consent, which is incorrect.
- Invalid Consent: If you request consent when it's not legally required, this could be interpreted as unauthorized data processing.
- Increased Liability Risks: An unclear distinction between information obligations and actual consent can lead to your entire privacy policy being deemed invalid.
Practical Tip for Privacy Policies:
Make sure your privacy policy is easily accessible. A link in your website's footer or within the registration process is ideal. Do not require active consent to the privacy policy. Instead, inform your users clearly and transparently about data processing, in accordance with Art. 12 GDPR.
How Providers Can Proceed in a Legally Correct Manner
Rather than actively seeking user consent, you should focus on implementing the following best practices:
- Ensure Reasonable Perceptibility:
Place links to your terms and conditions and your privacy policy in clearly visible locations. This includes during the order process or when a user registers.
- Use Notices Instead of Checkboxes:
Phrases such as “By using our services, you agree to our terms and conditions” are sufficient to ensure their inclusion in the contract.
- Obtain Consent Only When Absolutely Necessary:
Only request active consent if it is genuinely required by law. Examples include specific marketing purposes or the use of non-essential cookies.
- Maintain Clear Separation of Information and Consent:
Ensure that your privacy policy is exclusively informative. It should not be combined or confused with consent mechanisms.
- Legally Compliant Design of Your Documents:
Regularly review your general terms and conditions and privacy policies. This ensures they comply with current legal requirements and remain up-to-date.
Conclusion: Fewer Hurdles Create More Trust
While asking for active consent to terms and conditions or a privacy policy might seem sensible initially, it actually introduces unnecessary risks and user hurdles. Instead, prioritize clear information, transparency, and streamlined processes. By doing so, you not only meet all legal requirements but also build greater trust with your customers. If you need support with drafting your terms and conditions or privacy policy, or have any related questions, I am happy to advise you.