You MUST get explicit agreement to your Terms and Conditions and Privacy Policy from your visitors and customers whenever they interact with your online presence (website, emails, social media, etc.), whatever that interaction is. Examples include (but are not limited to): creating an account; signing up; requesting information from you; commenting on your website; sharing something with their friends using your tools; etc.
GDPR Art. 7: Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to the processing of his or her personal data.
If the data subject’s consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding.
Ideas implemented from constrained points of view (biased developers, designers, sysadmins) will NOT BENEFIT YOUR online strategies and will harm your long-term competitiveness.
This means that trickery can no longer be used (you agree to something that can change over time and still binds you), and neither can auto-implied consent (you agree to something specific, and they use that consent for anything else). Let's see a few of these bad examples, which are NOT GDPR compliant and which you should NEVER use again!
A real-life scenario for this would be:
An apple stand visitor walks up to the shop and sees, above the basket of apples, a wall filled with signs. Some of those signs contain information necessary for her purchase, such as price, the method of payment, and delivery details, and are displayed prominently in the centre of the wall. Others she may quickly disregard, including advertisements for other fruit stands. Among them is a sign binding her to additional terms as a condition of her purchase. Has the apple stand owner provided reasonably conspicuous notice?
Let's see the previous bad examples, after they are GDPR compliant:
ASK US ANYTHING WORDPRESS RELATED: We can confidently offer you SEVERAL OPTIONS, so you can choose the one that suits your needs best.
So, in short, you will have to get explicit agreement to your Terms and Conditions and Privacy Policy from customers. Specifically, to be GDPR compliant, you need to at least:
- Place an unchecked checkbox next to the call-out line regarding the Terms of Use and Privacy Policy. Customers will need to check this box before they sign up for an account.
- Have each of "Terms and Conditions" and "Privacy Policy" be a hyperlink to the relevant page. Make sure the relevant page opens up in a readable format and can be saved/downloaded if the customer wants.
- Put the "Register" button right underneath the call-out line so that it cannot be missed (for example, pushed below the fold where the customer has to scroll to see it).
- Retain the following information in connection with each clickthrough so you can prove you acquired consent properly: who consented, when they consented, what they were told at the time (terms and policies they agreed to), how they consented, and whether they have withdrawn consent (and if so, when).
It’s time to see THE BIG PICTURE!