Why providers of SaaS or online stores should not ask their users to agree to terms and conditions or privacy policies

15. January 2025

in Other

Reading Time: 4 mins read

Key Facts

T&Cs only need to be "effectively included"; active user consent is not required.
GTCs should be provided in a clearly visible manner before the contract is concluded, e.g. by means of links.
A consent requirement can cause legal uncertainties and user inconvenience.
General Data Protection Regulation does *not* require active consent to the privacy policy, but only a duty to inform.
Incorrect references to consent can falsely suggest the need for consent.
The separation of information and consent is crucial to ensure that documents are legally compliant.
Fewer hurdles create more trust; focus on transparency and clear information.

In my consulting practice, I often encounter the question of whether providers of SaaS solutions or online stores should ask their users to actively agree to general terms and conditions or privacy policies. This is often done out of uncertainty or the desire to be legally protected. However, the exact opposite can be the case: in many cases, such a request is not necessary and can even cause legal problems. In this article, I explain why consent to general terms and conditions is superfluous, why requesting consent for data protection declarations can be problematic and how you as a provider can proceed in a legally correct manner.

Content Hide

1. Why consent to general terms and conditions is not necessary

1.1. What does “reasonable perceptibility” mean?

1.2. Why a consent requirement can be problematic

1.3. Practical tip:

2. Why consent to the privacy policy can be problematic

2.1. Why consent is not required

2.2. Problems with the request for consent

2.3. Practical tip:

3. How can providers proceed in a legally correct manner?

4. Conclusion: Fewer hurdles create more trust

4.1. Author: Marian Härtel

Why consent to general terms and conditions is not necessary

The General Terms and Conditions govern the contractual rights and obligations between you as the provider and your users. Under German law (Section 305 (2) of the German Civil Code (BGB)), general terms and conditions only need to be “effectively included” for them to become part of the contract. The active consent of the user is not required for this. The decisive factor is that the GTC can be reasonably perceived by the user, i.e. that they are easily accessible before the contract is concluded.

What does “reasonable perceptibility” mean?

The GTC must be made clearly visible before the contract is concluded – for example, via a link in the order process or during registration.
The user must have the opportunity to read the GTC at their leisure before concluding the contract.
A note such as “By using our services, you accept our GTC” is sufficient to ensure inclusion.

Why a consent requirement can be problematic

Legal uncertainty: If you require active consent and a user refuses, this could be interpreted as a rejection of the contract. The contract may then not be concluded.
User-friendliness: A consent requirement represents an unnecessary hurdle for your users and could deter potential customers.
Misunderstandings: The request for consent falsely suggests that there is no obligation to the GTC without it – which is not legally correct.

Practical tip:

Make sure that your T&Cs are clearly visible and easily accessible – for example, via a link in the footer of your website or during the ordering process. Avoid checkboxes for consent and instead use clear statements such as “By using our services, you accept our terms and conditions.”

Why consent to the privacy policy can be problematic

The General Data Protection Regulation (GDPR) stipulates that users must be informed about the processing of their personal data. This information obligation is fulfilled by the privacy policy. Contrary to what is often assumed, however, the user’s active consent to the privacy policy is not required – and in many cases this would even be legally incorrect.

Why consent is not required

The processing of personal data is generally based on one of the legal bases of Art. 6 GDPR (e.g. contract fulfillment or legitimate interest). Consent pursuant to Art. 6 para. 1 lit. a GDPR is only required in exceptional cases (e.g. for marketing measures).
The data protection declaration serves only to inform the user about data processing – it does not constitute consent.

Problems with the request for consent

False signal effect: The request for consent could falsely suggest that all data processing must be based on consent – which is incorrect.
Invalid consent: If you request consent when consent is not required, this could be interpreted as unauthorized processing.
Increased liability risks: An unclear distinction between information obligations and consent can lead to your entire privacy policy being deemed invalid.

Practical tip:

Ensure that your privacy policy is easily accessible – for example, via a link in the footer of your website or during the registration process. Do not require active consent to the privacy policy, but inform your users clearly and transparently about data processing in accordance with Art. 12 GDPR.

How can providers proceed in a legally correct manner?

Instead of actively asking your users for consent, you should take the following measures:

Ensure reasonable perceptibility:
Place links to your terms and conditions and your privacy policy in clearly visible places – for example in the order process or when a user registers.
Use notices instead of checkboxes:
Formulations such as “By using our services, you agree to our terms and conditions” are sufficient to ensure inclusion.
Obtain consent only when necessary:
Only request active consent if this is really necessary – for example for marketing purposes or the use of cookies (except technically necessary cookies).
Clear separation of information and consent:
Ensure that your privacy policy is exclusively informative and is not mixed with consent mechanisms.
Legally compliant design of your documents:
Have your general terms and conditions and data protection declarations checked regularly to ensure that they comply with current legal requirements.

Conclusion: Fewer hurdles create more trust

Asking for active consent to terms and conditions or a privacy policy may seem sensible at first glance – but it actually harbors unnecessary risks and hurdles for your users. Instead, you should focus on clear information, transparency and simple processes. This way, you not only meet all legal requirements, but also create trust with your customers. If you need support with the design of your terms and conditions or privacy policy or have any questions on the subject, I will be happy to advise you!

Author: Marian Härtel

Marian Härtel ist Rechtsanwalt und Fachanwalt für IT-Recht mit einer über 25-jährigen Erfahrung als Unternehmer und Berater in den Bereichen Games, E-Sport, Blockchain, SaaS und Künstliche Intelligenz. Seine Beratungsschwerpunkte umfassen neben dem IT-Recht insbesondere das Urheberrecht, Medienrecht sowie Wettbewerbsrecht. Er betreut schwerpunktmäßig Start-ups, Agenturen und Influencer, die er in strategischen Fragen, komplexen Vertragsangelegenheiten sowie bei Investitionsprojekten begleitet. Dabei zeichnet sich seine Beratung durch einen interdisziplinären Ansatz aus, der juristische Expertise und langjährige unternehmerische Erfahrung miteinander verbindet. Ziel seiner Tätigkeit ist stets, Mandanten praxisorientierte Lösungen anzubieten und rechtlich fundierte Unterstützung bei der Umsetzung innovativer Geschäftsmodelle zu gewährleisten.