Westin Global Privacy Surveys
The Westin Research Center has created a network of national rapporteurs who will be available to answer common questions about complying with global privacy law. These international surveys, which are organized by the Westin Research Center, channel the experience of experts in the respective jurisdictions. They do not constitute—nor should be used as a substitute for—legal advice. They do not reflect the opinion of the Westin Research Center.
- Validity of consent to English privacy statement
- In the case of employee
- In the case of consumer
- Additional comments
SURVEY 1: IS CONSENT TO A PRIVACY STATEMENT VALID IF THE STATEMENT IS DRAFTED IN ENGLISH, OR MUST IT BE TRANSLATED TO YOUR LOCAL LANGUAGE?
The data protection law does not require consent to be written in Spanish, so a consent can be in English.
In general, consent declarations in English are not illegitimate per se. They depend on the effective foreign language skills and understanding of the data subjects involved, as data subjects have to freely give unambiguous consent based upon full information.
Yes it could be valid; there is no specific prohibition against the use of a foreign language.
Generally, any language will do. However, consent is defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data related to him being processed.” The key word being “informed.” Danish language statements will generally be expected to be understood (unless the wording is in itself incomprehensible), but depending on the audience English may be fine.
As a general rule, privacy statements should be communicated in language that can be easily understood by the target group of a service. The feasibility of the English language depends on the English knowledge of the target group of a particular service, i.e. to whom the service is directed.
Consent to a privacy statement is not valid if the statement is drafted in English. To be valid, it must be translated into the local language.
According to Section 4(a) of the German Data Protection Act, consent must be given in an informed manner, meaning the data subject must be aware of the purpose and the extent of the data processing he or she is consenting to.
It depends. The overriding principle is that data collection shall be fair. It may be regarded as unfair to provide English privacy statements to readers not proficient in English.
There are no formal language requirements. Under the Privacy Protection Act, 1981, consent may be express or implied, but must be "informed." If a privacy statement is not provided in Hebrew, the controller would face an evidentiary burden to prove consent was informed.
Consent to an English language privacy statement is invalid unless the data subject fully understands the language (which is unlikely to be valid to the general audience).
There is no provision or policy on a linguistic requirement. But it is normally understood that the statement must be translated into Japanese; otherwise the statement may be regarded as a disadvantageous contract that unilaterally impairs the interests of consumers, which is prohibited by Article 10 of the Consumer Contract Act. The general Japanese audience cannot be expected to read an English privacy statement.
Consent to an English language privacy statement would be valid, provided that the data subject indeed understands the language of the privacy statement. Note, however, that accepting a privacy statement that has some consent wording may not qualify as unambiguous consent, as it is not certain whether the data subject actually has read and understood the consent wording. Layered consent is acceptable.
In general, under Polish law a privacy statement understood as a consent for the processing of personal data does not require translation into Polish (except when the consent is given by a consumer or employee).
Consent to an English language privacy statement could be considered valid. However, the Data Privacy Commission requires a Portuguese translation of all documents provided.
The Russian law on personal data does not provide a direct requirement to obtain consents from individuals in Russian. However, since the official language of the territory of Russia is Russian, in case of audits or interaction with the state authorities, as well as in case of disputes in courts, such documents are reviewed in Russian.
There are no specific rules on the language of consent. However, as a general rule, the consent must be informed. This means that the data subject must be aware of the processing that will take place before granting the consent. Otherwise, the consent is not valid.
For such reasons, in Spain, consents tend to be in Spanish. Otherwise, there is a risk that the data subject may argue that the consent was not understandable. Yet, strictly speaking, there is no such requirement and depending on the circumstances, and English consent may be completely appropriate (e.g., the mother tongue of the data subject is English although he or she lives in Spain, or the consent is collected in a meeting of a U.S. or English association in Spain where the language used in all sessions is English, etc.)
There is no statutory obligation to translate information into Swedish. However, the controller carries the burden of proof that the data subject has understood the information provided (upon which the consent is based) and it is therefore strongly recommended that information is translated into Swedish if the controller is not certain that the data subject’s understanding of English is sufficient.
Consent to an English language privacy statement would be valid if the subject correctly understood the information provided in English.
There is no requirement for consents (or other written agreements or documents between private parties) to be in Arabic unless the statement is required by the parties to be notarized, and consent to an English privacy statement generally would be valid.
A statement in English may be valid, but it is advisable to have it in Spanish.
The statement should be in a language understood by the employee. Special language legislation requires employment documents to be drafted in the language of the region in Belgium where the employer is seated. Considering the uneven balance of powers between employers and employees, to the extent that employee consent is not easily “freely” given such consent is not taken into account, most of the time.
Yes, it could be valid.
Yes, it could be valid.
Yes, it could be valid (e.g., if the subjects are employees in a company where the day-to-day language is English).
Privacy statements should be communicated in a language that can be easily understood by the employees. Thus, the use of the employees’ mother tongue is not an absolute requirement. For example, if the company’s language is English and knowledge of English is required in the company, a privacy statement can be in English too.
Article L.1321-6 of the French Labor Code requires that “any document providing obligations to the employee or any provision the knowledge of which is necessary for the execution of his work must be written in French.” Therefore, a privacy statement would be considered as necessary for the execution of the employee’s work and must be written in French. However, please note that under French labor law it is very likely that consent to a privacy statement would not be considered as valid anyway, even in French, since consent is not considered as a legal basis for processing when it is given by an employee.
It depends on the nature of the employment. Similar considerations apply: if the employee’s working language is English and his employee contract is in English, an English privacy statement is likely sufficient. Otherwise, a translation should be made.
However, to be valid, consent must be given freely. The relationship between employee and employer is characterized by a certain hierarchy which in general prevents the employee from freely deciding about such consent. Against this background, an employee’s consent is in general no valid justification to process personal data in the course of the employment contract.
It depends on the English proficiency of the employee.
In a workplace where English is used as a work language, an English statement would typically suffice. Otherwise, if a privacy statement is not provided in Hebrew, the controller would face an evidentiary burden to prove consent was informed.
Consent to an English language privacy statement could be valid, provided that the employee speaks or understands English.
Guidelines on privacy protection in employment management say “it is necessary that the contents of [contracts or statements] shall be reasonable and appropriate enough to recognize by the data subject” (Article 18, Section 2). English statements are not likely to be “reasonable and appropriate” for the ordinary Japanese workplace.
Consent is always tricky when it comes to employees, as it is not clear whether they have the freedom to deny consent. Leaving that aside, if the employee understands the language, consent can be valid.
The Polish Language Act requires the employer to provide all communication regarding the employee’s rights and obligations, including a consent for data processing, in Polish or bilingual form. Violators are subject to up to 30 days in jail, restriction of freedoms, fines up to PLN 5000 or reprimands.
Further, the Polish Data Protection Act generally requires that consent be clear, and there is a risk that such consent to an English statement by a person who is not fluent in the language could be considered invalid.
Consent would be considered valid if the consent document includes that the employee has full knowledge of the English language and understands the contents of the consent provided.
However, collection and processing on the basis of consent is restricted, since the Data Protection Commission has generally adopted the view that employees, due to their subordinate position, have no capacity to provide truly free consent.
Statements should be translated into Russian.
The same as the general rule. The fact that the data subject is an employee may make it easier to make a risk assessment on whether he or she will understand an English consent (e.g., if the employee needs English in order to perform his or her task, etc.).
It should also be noted that employees are generally not considered to be able to provide valid consent as they are in a dependent position in relation to their employer. Valid consent from employees requires a real free choice, i.e. that there is a real option not to consent and that there is no direct or indirect pressure from the employer to consent.
Consent to an English language privacy statement would be invalid. The consent of an employee is rarely accepted, as an employee is not in a position to refuse.
Consent to an English privacy statement would be valid.
A statement in English may be valid, but it is advisable to have it in Spanish.
As long as the customer is capable of understanding the scope of the consent declaration (i.e., English is used as a general contracting language), an English language privacy statement is sufficient.
The consent is only valid if the data subject fully understands the statement before consent is given. As the burden of proof for “informed consent” lies with the data controller, it would be necessary to produce evidence that the consumer understands English and gave “informed consent,” which can be difficult. Most consumers in Belgium are not English speakers, so it is advisable to use local languages. Usually, privacy statements are in the language used for advertising the service or product.
Yes, it could be valid.
Yes, it could be valid. However, according to new Czech legislation, effective as of January 1, 2014, all announcements towards consumers need to be in the same language as a concluded consumer contract. According to Czech consumer law, consumers should generally be informed about various things in the Czech language.
Yes, it could be valid. However, generally there cannot be the same expectation in relation to language skills as for employees.
The regulation is somewhat stricter than for employees. Generally, all merchandising information provided for the purpose of making a purchase decision should be available in a clear and understandable manner for consumers.
Finland has two national languages: Finnish and Swedish. Thus, privacy statements should be in both Finnish and Swedish if a service is directed towards Finnish consumers at large, and not only towards a limited group of potential customers possessing special expertise where the use of English or the use of either Finnish or Swedish may well be grounded. In addition, if the concerned service is not merchandised in Finland or directed towards Finnish consumers, the national language requirement does not apply.
Article L.121-66 of the French Consumer Code requires that “the contract must be written in French when the consumer resides in France or the professional sells on the French territory.” Consent to a privacy statement would be considered as part of the contractual relationship with the consumer, and therefore would need to be in French.
The general rule is that it depends on the language of the corresponding service. If the controller processing the data can ensure that the data subject was capable of understanding an English consent declaration, such consent can be given in English.
It depends on the English proficiency of the consumer.
If a privacy statement is not provided in Hebrew, the controller would face an evidentiary burden to prove consent was informed.
Use of the Italian language is mandatory for all contractual information in the case of consumers.
In Italy, a consent is invalid unless the data subject fully understands the language.
It is normally understood that the statement must be translated into Japanese; otherwise the statement may be regarded as a disadvantageous contract that unilaterally impairs the interests of consumers, which is prohibited by Article 10 of the Consumer Contract Act.
If the consumer understands the language, then consent would be valid. In the Netherlands, most people have a basic understanding of English (but obviously all are not at the same level).
The standard is the same as for employees; the Polish Language Act requires the entrepreneur to provide all communication regarding consumer's rights and obligation, including a consent for data processing, in Polish or bilingual form. Privacy statements should generally be provided in Polish or bilingual form.
Consent would be considered valid if the consent document includes that the consumer has full knowledge of the English language and understands the contents of the consent provided.
However, while this could technically be admissible, there are strong reservations to the use of a foreign language for consent, since it is hard to assess at the moment of retrieval whether the consumer indeed understood the language at the time of consent.
Statements should be translated into Russian.
The same as the general rule. However, note that, generally speaking, it is not possible to assume that consumers in Spain understand English. Therefore, a consent addressed to consumers in general should be in Spanish. There are some exceptions to this rule (e.g., information provided in a hotel to English customers, etc.).
If the controller can show that the data subject understood an English statement, consent could be valid.
Consent to an English language privacy statement would be valid, if the subject correctly understood the information provided in English.
Consent to an English privacy statement would be valid.
No additional comments.
No additional comments.
The Belgian Data Protection Authority tends to refer, in relation to consent, to Article 29 Working Party opinions and applicable EU case law.
While there is no express prohibition against the use of English, translation to Chinese would be advisable to avoid the situation where the employee or consumer claims he or she did not give consent because he or she did not understand what he or she was consenting to.
Regarding the privacy statement, the Czech language is not mandatory. However, it is highly recommended as controllers need to prove that the data subjects understood the privacy statement. There are only a few exceptions when the English wording would be acceptable – e.g., if the data subject is fluent in English because it is a basic requirement for a particular job position, etc.
No additional comments.
As to the language requirement, the use of the English language is not prohibited as such. However, as described earlier, consideration of the language requirement should be case-specific, depending on the target group of a particular service.
The Toubon Act of 1994 provided for an obligation to use the French language in contracts. This legal provision cannot be overridden even by consent from the individual. Failure to use the French language is punishable by fines, but moreover documents which are not written in French are not considered as enforceable against consumers or employees.
Irrespective of the language, German law puts particularly strong requirements on privacy consents (they must be specific, transparent, opt-in, etc.).
It is required that the declaration is provided to the data subject in a way that enables the data subject to understand the purposes and the extent of the data processing intended. The burden of proof if the consent declaration was given validly lies with the controller processing the data. Thus, the controller has to ensure that the data subject understood what he/she consented to. Against this background it will be often advisable to translate a consent declaration if German customers are asked for their consent
English and Chinese are the two official languages of Hong Kong. It is common for privacy statements to be provided in both languages.
No additional comments.
Although the Italian data protection legislation does not expressly require that consent (and notice) be given in Italian, based on the general principles underlying the Italian legal system, if the data subject does not have sufficient understanding of the English language he or she may claim the unenforceability of such consent.
However, consent is not mandatory for all processing activities. For instance, processing of data to perform a contract does not require consent. Marketing activities always require prior consent.
The Japanese Privacy Act does not mention privacy statements, but the Basic Policy of the Protection of Personal Information Act says “it is desirable to develop and publicize privacy policies.” “Desirable,” of course, is not mandatory. A 2012 study by the Japanese government indicates that 61.3% of Japanese businesses publicize privacy statements, 11.3% have a nonpublic privacy statement, and 25.7% have no privacy statement at all (study in Japanese).
No additional comments.
The Polish Data Protection Act does not explicitly provide for that a privacy statement needs to be drafted in Polish; hence, it can be made in English also. However, provisions of other acts (e.g., the Polish Language Act) require the Polish language is used in dealings with employees and consumers.
No additional comments.
No additional comments.
No additional comments.
It should be noted that there are other legal bases for the processing in addition to consent that could be applicable (e.g., that the processing is necessary in order to fulfill an agreement with the data subject).
Consent is only valid if freely given and based on adequate information (this includes that the information be in an understandable language for the data subject).
There is no requirement for consents (or other written agreements or documents between private parties) to be in Arabic unless the statement is required by the parties to be notarized (in which case the document will need to be presented for notarization either in Arabic, or bilingually in Arabic and another language with the Arabic translation stamped by the Ministry of Justice).
Also, if a matter becomes the subject of a dispute before any of the onshore courts of the UAE (excluding the DIFC Courts), any documents that are being adduced in evidence will need to be translated into Arabic, and the Arabic translation stamped by the Ministry of Justice.
- Question 1
- Question 2
- Question 3
- Question 4
If the governing law of a contract is your local law, would a local court in your jurisdiction recognize a contract as having been formed if it is signed by click-to-accept?
Yes. According to Civil Code, consent can be express or implied. Express consent can be provided verbally, in writing or by unmistakable signs. Therefore, a contract could be recognized if it is signed by click-to-accept. Problems could potentially arise when a click-to-accept contract is presented as evidence; but there is no regulation that prohibits it.
Generally, yes, if it is made clear that click-to-accept will commit the clicker to an enforceable agreement. There would need to be language clarifying that clicking creates a legally binding contract.
Yes; in general there are no formal requirements for the creation of contracts.
Yes if consent is unambiguous and informed.
Yes, in general Czech courts would recognize a click-to-accept contract. However, if Czech law expressly requires the written form of an agreement, the parties will need to meet formal requirements for electronic execution (such as electronic signature or other similar means).
Generally yes, since Danish law establishes no formal requirements for entering into a contract. However, essential and burdensome terms must be clear to the party accepting a contract, otherwise those terms may be considered invalid. The higher the risk that an accepting party is unaware of what is being accepted, the higher the risk of acceptance being deemed invalid. For example, if contract terms are provided through a hyperlink that takes the consenting party to a long document written in small font and containing burdensome and possibly unexpected or unusual “hidden” terms, then there is a high risk that such terms will be considered invalid. This holds true even when the accepting party is not a consumer.
Click-to-accept (clickwrap) agreements are, in principle, accepted under Finnish contract law. Therefore a court will presumably recognize a click-to-accept contract. The court may, however, disregard or reconsider (i.e. interpret in another manner) some parts of the contract if those parts are found to be either unreasonable or surprising and severe for the contracting individual.
Yes, in case of a real click-to-accept (i.e., acceptance precedes the contract and is not a post contractual consent).
To date there have not been any Hong Kong court cases on click-to-accept contracts. Electronic contracts are governed by the Electronic Transactions Ordinance ("ETO"). However, the ETO only addresses electronic contracts signed with an electronic signature. It does not address click-to-accept.
Yes, for most types of contracts a Hungarian court would recognize a click-to-accept or click-through contracts. Such contracts are usually not viewed as contracts finalized in writing but rather as contracts finalized with implicit conduct. Where the law requires a contract to be finalized in written form, click-to-accept is usually not recognized unless it is furnished with at least an advanced electronic signature, as required by Directive 1999/93/EC (Electronic Signatures Directive).
Yes. Israeli courts recognize click-to-accept contracts. However, certain transactions cannot be entered into electronically, including sales of land, trusts, agencies, wills and testaments, bank-customer agreements and guarantees.
Yes, although there are exceptions.In principle, under Italian law either or both parties may form a contract by indicating acceptance of an offer electronically – either by clicking an 'accept' button (or similar) or consenting through another type of computer platform or portal.
According to article 1326 of the Italian civil code (applicable also to contracts completed online), a contract is formalized once the party that has made the proposal has knowledge of the other party’s acceptance. Acceptance of the proposal may occur by any means, including an accept button or a check box on a website. In addition, article 1341 of the Italian civil code provides that general terms and conditions drafted by one of the parties are binding if they were known or could have been known by the other party before executing the agreement. Consequently, the mere availability of general terms and conditions on a website through a link is enough for their validity and enforceability.
There is disagreement between commentators and inconsistent case law as to whether clauses that require written approval can be accepted with a click or a check button.
It is unlikely that a local court in Macau would recognize a click-to-accept contract. As discussed in response to question 3, electronic signatures must satisfy specific requirements.
Probably yes. There are no formal requirements for accepting an offer and subsequently entering into a contract. However, if the acceptance is not freely given, a Dutch court can, and in practice often does, protect the consumer. Further, consumer law provides a list of provisions that are considered onerous and therefore invalid (although they can be declared valid at the consumer’s request).
Yes, click-to-accept contracts are acceptable in most e-commence sales and services.
In some cases, however, Polish law prescribes a special contract format for the transaction. For example, Polish Law requires a notarial deed in the case of a transfer of ownership; a writing under penalty of nullity in the case of a copyright transfer agreement; and a writing in the case of an agency agreement or employment agreement. “In writing” means a hardcopy document with hand written signatures or a certified electronic signature equivalent to written form.
Yes, unless it is a contract with special formal requirements (e.g. recognized signatures of the parties are necessary). Because evidence of an effective signature can be an issue in click-to-accept contracts, it is always preferable to have a click-to-accept with some security backup (like a question to confirm signatory identity).
Yes, subject to compliance with the requirements of contract formation and execution under Russian law, a Russian court may recognise a click-to-accept contract. Contracts may be executed in electronic form through an exchange of, among other things, electronic documents. An exchange of electronic documents will be deemed equal in legal effect to an exchange of hard copies.
Depending on how click-to-accept is envisaged, the Federal Law No 63-FZ dated 6 April 2011 On Electronic Signature (the "Law On Electronic Signature") may apply.
A contract signed with an electronic signature is an electronic document equivalent in its legal effect to the contract executed by hand in hard copy in cases where the parties expressly agree to this effect in the contract or where the legislation provides for such effect. Except where the legislation requires a document to be in hard copy, no further formalities are required for a document signed with an enhanced certified electronic signature.
Please note that Russian law requires that certain types of contract should be entered into in hard copies. This applies to employment agreements, certain types of real estate transactions, leases, and sale of an enterprise as a going concern among others.
Yes. Section 11 of the Electronic Transactions Act provides that the requirements of offer and acceptance in contract formation can be expressed by means of electronic communications. The same principles that apply to the formation of written contracts will similarly apply to electronic contracts. A "click-to-accept" is a form of electronic communication and is likely to constitute valid acceptance for the purposes of contract formation.
Yes. Click-to-accept (or click wrap) contracts are accepted in Spain. Under the Spanish law, the general rule is that contracts are valid no matter how they are accepted. There are exceptions to this rule (e.g. contracts before a Notary Public). However, such exceptions do not affect common commercial contracts.
Swiss courts have not yet confirmed the validity of user consent provided via click-to-accept, but click-to-accept is used regularly. The user should be in a position to read and understand the terms and conditions before agreeing.
Pursuant to general rules of consumer protection, unusual clauses in the general terms are only binding if the attention of the consumer has been drawn to them. A court will not enforce a click-to-accept agreement, which is unlikely to be read by the customer.Click-to-accept contracts are not valid in limited situations where the law requires a specific form of contractual agreement (hire purchase agreements, loans and other financing transactions with consumers, contracts concerning real estate).
It is doubtful that a local court in Taiwan would recognize a click-to-accept contract, since relevant authorities appear to have interpreted this practice as invalid.
A click-to-accept contract would be recognized as valid in the UAE.
The Electronic Transactions and Commerce Law No.2/2002 ("ETCL") sets out that "it is permissible to express offer and acceptance, partly or wholly, by means of electronic communications".
The UAE Civil Code provides that "a contract is the meeting of an offer issued by one of the contracting parties with the acceptance made by the other party and their concordance in such a manner as to produce their effect on the object of the contract and results in a binding obligation on each party of the obligation of the other party". Furthermore, it provides that "a contract is formed by the meeting of an offer with an acceptance". There is no requirement for consideration under UAE law in order to form a valid contract.
Given the above, through the combination of the ETCL and the UAE Civil Code, using click-to-accept would be a valid method of indicating acceptance and forming a contract in the UAE.
In general, courts in the United States apply the same principles of contract formation to electronic contracts as they do to hard-copy contracts. Clicking to accept an electronic agreement will generally be sufficient to create a valid, enforceable contract to the extent that (1) the terms of the agreement have been reasonably communicated; (2) the consumer has actual or constructive notice of the terms; (3) there is no unfair surprise to the consumer as a result of the way in which the terms were presented; and (4) the terms are not deemed unconscionable (e.g., overly harsh, one-sided, fraudulent). Because courts may look to an affirmative act on the part of the consumer as evidence of acceptance of contract terms, having the consumer click a checkbox is useful for establishing consent. Inferring consent based on a consumer’s use of an online product or service is disfavored.
Not sure; it would probably need to be consistent with Australian law as well.
Yes except for clauses that are contrary to local mandatory laws.
Yes, in general Czech courts would recognize a click-to-accept contract governed by a foreign law.
However, some rules may apply irrespective of contractual provisions (e.g. the public order, consumer protection, data protection, mandatory provisions of Czech law), and these rules may require a written form, as per question 1 above.
Yes, with the same caveats as the answer to question 1 above. Generally, consumers would not be asked to make decisions about choice of law; but choice of a foreign law would not deprive them of consumer protection if a service is directed at the Danish market.
Yes. The court would recognize as enforceable a click-to-accept contract governed by foreign law.
Yes, it is very likely that a Hungarian court would recognize a click-to-accept contract governed by foreign law if the contract is deemed valid under that foreign law.
Yes. Israeli courts typically accept the contractual choice of law, except where such choice is considered unfair in a standard form contract, illegal, without good faith or counter to public policy. A choice of law provision may lack good faith if the chosen law has little or no territorial link to the contract. In addition, in cases where the foreign law conflicts with mandatory provisions of local law (e.g., labor law or consumer protection), Israeli courts may apply the local law’s mandatory provisions regardless of the parties’ choice of law.
In principle, yes, with some exceptions for specific types of contracts, such as real estate transactions.
In general, Art. 11 of Regulation no. 593/2008 (Rome I) applies. Therefore, if the law governing the contract is a foreign law under which click-to-accept is enforceable, Italian courts should recognize a signed click-to-accept contract as finalized.
Yes (based on the Act on General Rules for Application of Laws).
Whether a contract is enforceable is fact sensitive, and determined on a case-by-case basis. It is therefore difficult – if not impossible – to provide a single answer that will cover all cases. However, in the abstract, a court in Macau would enforce a contract that is governed by the law of another jurisdiction and is enforceable under the laws of that jurisdiction.
Probably yes. There are no formal requirements for accepting an offer and subsequently entering into a contract. However, if the acceptance is not freely given a Dutch court can, and in practice often does, protect the consumer. Further, consumer law provides a list of provisions that are considered onerous and therefore invalid (although they can be declared valid at the consumer’s request).
Yes, a Polish court would recognize a contract as having been formed if it is signed by click-to-accept and enforceable under foreign law provided that it does not infringe upon (i) Polish mandatory provisions, including data protection and consumer, and (ii) any overriding mandatory Polish rules.
Overriding mandatory rules are rules crucial for safeguarding Poland's public interests, such as its political, social or economic organization, to such an extent that they apply to any situation falling within their scope.
Yes, unless, under Portuguese law the same contract would require special signature formalities. In such case, a court would reject it under public order principles.
A Russian court would likely recognize a contract governed by a foreign law that enforces click-to-accept contracts. According to the recent amendments to the Russian Civil Code on conflict of law rules, the form of a contract, including its execution and signatures, is to be governed by the law that governs the contract itself.
Yes. The courts in Singapore will apply the governing law of the contract to determine its validity. If the governing law of the contract recognizes the contract as valid, Singapore courts will likely reach a similar conclusion.
Yes, unless the agreement includes provisions subject to imperative laws providing for requirements incompatible with click-wrap contracts (e.g. Data protection, as explained below).
Yes, except if Swiss law imposes the application of local law and a specific form of contract is required.
Yes (responding in the abstract and subject to actual factual circumstances).
Yes (assuming the contract itself is valid and enforceable in the UAE), a click-to-accept contract governed by foreign law would be recognized as valid. As mentioned previously, the ETCL makes provision for an offer to be accepted by electronic means in the UAE.
In addition, for foreign certificates and electronic signatures, the ETCL sets out that no regard shall be made to the place where the certificate of electronic signature was issued or to the jurisdiction in which the issuer had its place of business.
Yes. U.S. courts may recognize electronic agreements that were formed using a click-to-accept mechanism that is considered valid under the laws of another jurisdiction. U.S. courts will recognize and enforce electronic contracts governed by foreign law in the same way they enforce hard-copy contracts governed by foreign law, unless they find that the creation or terms of the contract violate U.S. law, are otherwise unconscionable, or that enforcing the contract would be against U.S. public policy.
An Australian court would likely examine whether there was: an intention to create a legally binding agreement, an offer, acceptance, consideration, etc. The Commonwealth Government and each State and Territory have their own Electronic Transactions Act, which outlines a number of matters surrounding signatures, electronic documents, etc.
No. However, language accepted by click-to-accept has to be made available to the contracting party before he agrees. Usually a hyperlink to the documents is used in the text after the click button. The accept button should not be pre-checked since this could lead to the agreement being deemed void.
No, there are no special requirements (apart from the written form requirements) with regard to the enforceability of click-to-accept contracts.
No. But the party claiming that an agreement has been entered into bears the burden of proof. Acceptance of the terms of an agreement requires action by an accepting party, and such action would serve as evidence of consent.
There are no specific requirements for enforceability of click-to-accept contracts. However, a click-to-accept contract runs the risk of a court finding the agreement (or parts of it) unreasonable or surprising and severe and therefore invalid. Consequently, the clearer and the more explicit the contract terms are, the better their chances of enforceability.
No. Except double opt-in is required for direct marketing online via email.
A click-to-accept contract must require an active-click. Pre-click does not constitute valid consent.
Specific requirements depend on the nature of the contract (e.g., B2B or B2C, for free or for consideration, etc.)
The ETO does not address click-to-accept contracts specifically, but rather electronic contracts signed with an electronic signature.
The ETO permits the formation of an electronic contract provided that it fulfills all legal contracting requirements, including offer and acceptance. Acceptance may be expressed by means of an electronic signature, defined as any letters, characters, numbers or other symbols in digital form attached to an electronic record for the purpose of authenticating the electronic record.
Sections 6:82-6:85 of the Hungarian Civil Code (Act 5 of 2013) set forth certain requirements for finalizing a contract via electronic means. For example, the party providing the electronic contract should, before making a legal statement pertaining to the contract, inform the other party, inter alia, of the technical steps necessary to finalize the contract, to rectify any errors or change the language, and whether the contract is also considered finalized in written form. In B2C relationships these are mandatory requirements.
No. However, it is advisable that the contracting party clarify the contracting process. Typically, the customer should be asked to check a box confirming he read and understood the terms of the agreement before clicking “I accept,” in order to prevent claims of mistaken click-through.
Pursuant to article 1341 of the Italian civil code, in case of general terms and conditions drafted by one party, "unbalanced clauses”—those provisions that create an imbalance between the non-drafting party and the drafting party—are unenforceable vis-à-vis the non-drafting party unless they are expressly and separately approved in writing by the latter.
According to Japan’s Consumer Contract Act, “business operators…shall endeavor to make the rights and duties of consumers and such other things set forth in the consumer contract clear and plain.”
In addition to satisfying the requirements of general contract law, a click-to-accept contract must also satisfy the requirements of Macau’s electronic documents and digital signatures law. Under the electronic documents and digital signatures law, a click-to-accept mechanism must be uniquely linked to the signatory, be capable of identifying him and be created using means that he can maintain under his sole control. The click-to-accept mechanism must also be linked to the related data in such a manner that any subsequent change of the data can be detected.
Electronic signatures in Macau are more prudently made if supported by a certificate, such as a qualified certificate or a normalized certificate. A qualified certificate is issued by an accredited certification service provider after a rigorous authentication process. A normalized certificate requires face-to-face identity authentication by the applicant before the certification service provider will issue it. Whether a certification service provider will issue a certificate for a signature using a click-to-accept mechanism will depend on its internal rules and assessment.
No, Polish law does not provide any special requirements for the enforceability of click-to-accept contracts. According to the general rule, click-to-accept as a declaration of will should be unambiguous. A pre-checked box would not be enforceable.
There are no specific requirements for enforceability. However, as mentioned in response to question one, evidence of an actual signature by the party can be an issue. For the sake of efficiency, it is therefore advisable to get a verifiable signature.
In accordance with the requirements of the Law On Electronic Signature, click-to-accept is likely to be valid if the following statutory requirements are met:
- a simple electronic signature is included in an electronic document,or a key of a simple electronic signature, which contains enough information to identify the sender, is used in accordance with the regulations of an operator of the information system that is used for the creation and transmission of an electronic document;
- the parties agree that the electronic document is deemed equivalent in legal effect to the agreement that is executed in hard copy by hand;
- the document provides a procedure for identifying a person who signs the document with the electronic signature (for example, by indicating that an offer or acceptance is sent from a password protected e-mail address that identifies the sender); and
- the document imposes an obligation on the person who creates and/or uses the key of a simple electronic signature to keep the key confidential.
Further requirements apply to using an enhanced electronic signature.
There are no specific requirements for the enforceability of click-to-accept contracts under Singapore law.
There are no specific requirements. General requirements for the enforceability of contracts apply (i.e. consent, object/purpose and cause).
The counterparty must have agreed to use an electronic document, and the content of the electronic record must be presented in its complete form and remain accessible for subsequent verification. It would be most prudent to adopt PKI for a digital signature.
While there is legislation regarding electronic transactions, there are no provisions specifically addressing click-to-accept contracts. As such, there are no specific requirements relating to accepting a contract in this way.
Using a single click in a click-to-accept contract would, prima facie, be sufficient to indicate an acceptance of the terms of the contract.
There are no specific requirements.
There are no statutory requirements for click-to-accept mechanisms, though courts may inquire into the way in which the terms of the agreement and the acceptance mechanism are presented to the consumer to determine the validity of the consumer’s consent. It is generally considered a best practice to list the most important contract terms at the top of the agreement, so as to help ensure a consumer sees the terms before accepting. For example, several years ago the Federal Trade Commission brought an enforcement action alleging that a company acted deceptively because, although the company provided information about how a software application would collect personal information and track online activity, it positioned those terms deep within a lengthy user license agreement such that consumers likely would not review them.
In addition, certain contractual agreements may only be entered into pursuant to the Electronic Signatures in Global and National Commerce Act (ESIGN Act), a U.S. federal law enacted to ensure the validity and legal effect of electronic contracts. To the extent the ESIGN Act applies to a contract, a one-step click-to-accept mechanism likely would not be sufficient to comply with the ESIGN Act.
No. Processing of personal data must be authorized by consent, which could be given in writing or through similar means, including click-to accept.
In practice, the DPA has accepted this method.
No. Consent in relation to the processing of personal data, must be specific and informed. In other words, the terms must be clear and the data subject must take an action to accept.
In cases of ambiguity, a court would more likely rule in favor of a data subject, as data protection regulation, more than general contract law, focuses on individual protection.
Not necessarily. Privacy policies do not require consent. If a party solicits consent for a specific instance or type of data processing, the click-to-accept contract should be drafted as an “acknowledgment of terms;” consent should not be “hidden” in a general policy. If more explicit consent is needed, it could be obtained online only for online services; for offline services or uses, consent must be in writing.
Yes, consistent with the mandatory provisions.
Click-to-accept would not be enforceable in the case of a data processing agreement, as this agreement should be in writing (within the meaning described in answer one).
No, it would not.
In accordance with Russian law, consent to the processing of personal data may be granted in any form but should be specific, informed and wilfully granted. Consent in writing is only required in a handful of cases that are prescribed by the Federal Law dated 27 July 2006 No 152-FZ On Personal Data (the "Law On Personal Data"). Where consent in writing is required, the Law On Personal Data provides that electronic consent signed with an electronic signature in accordance with the requirements of the Law On Electronic Signature is equivalent to the hard copy consent in writing that is signed by hand by the data subject.
Data protection laws provide certain requirements for the processing of sensitive data (ideology, religion and beliefs) including written consent. It is arguable whether a click-to-accept consent is "in writing". However, generally speaking, consent for the processing of sensitive information tends to be given in paper form with a handwritten signature.
The IAPP Westin Research Center extends its greatest thanks to the rapporteurs who generously shared their time and expertise to produce this survey.