Westin Global Privacy Surveys

The Westin Research Center has created a network of national rapporteurs who will be available to answer common questions about complying with global privacy law. These international surveys, which are organized by the Westin Research Center, channel the experience of experts in the respective jurisdictions. They do not constitute—nor should be used as a substitute for—legal advice. They do not reflect the opinion of the Westin Research Center.

Argentina

Rapporteur:
Pablo A. Palazzi

The data protection law does not require consent to be written in Spanish, so a consent can be in English.

Austria

Rapporteur:
Axel Anderl

In general, consent declarations in English are not illegitimate per se. They depend on the effective foreign language skills and understanding of the data subjects involved, as data subjects have to freely give unambiguous consent based upon full information.

Belgium

Rapporteur:
Catherine Erkelens

Consent to data processing on the basis of an English privacy policy is valid if the data subject fully understands it before their consent is given (i.e. it is “informed consent”). Consent must also be unambiguous and freely given.

China

Rapporteur:
Grace Chen

Yes it could be valid; there is no specific prohibition against the use of a foreign language.

Czech Republic

Rapporteur:
Vojtech Chloupek

Consent to an English language privacy policy would be valid. However, even if using English for the privacy statement does not necessarily mean the statement is invalid, translation to Czech is generally highly recommended.

Denmark

Rapporteur:
Nis Peter Dall

Generally, any language will do. However, consent is defined as “any freely given specific and informed indication of his wishes by which the data subject signifies his agreement to personal data related to him being processed.” The key word being “informed.” Danish language statements will generally be expected to be understood (unless the wording is in itself incomprehensible), but depending on the audience English may be fine.

Finland

Rapporteur:
Eija Warma

As a general rule, privacy statements should be communicated in language that can be easily understood by the target group of a service. The feasibility of the English language depends on the English knowledge of the target group of a particular service, i.e. to whom the service is directed.

France

Rapporteur:
Ariane Mole

Consent to a privacy statement is not valid if the statement is drafted in English. To be valid, it must be translated into the local language.

Germany

Rapporteur:
Fabien Niemann
Stefan Schuppert

According to Section 4(a) of the German Data Protection Act, consent must be given in an informed manner, meaning the data subject must be aware of the purpose and the extent of the data processing he or she is consenting to.

With regard to this requirement, a consent can be given in English (or any other language) if the data subject is capable of understanding this language. If the corresponding service offering is (in total or in material parts) available (also or only) in German, then an English privacy statement will likely not be seen as sufficient by German courts and, hence, the respective consent will not be effective. In these cases, a translation of the privacy policy should be made.

Hong Kong

Rapporteur:
Marcus Vass

It depends. The overriding principle is that data collection shall be fair. It may be regarded as unfair to provide English privacy statements to readers not proficient in English.

Israel

Rapporteur:
Pini Azaria

There are no formal language requirements. Under the Privacy Protection Act, 1981, consent may be express or implied, but must be "informed." If a privacy statement is not provided in Hebrew, the controller would face an evidentiary burden to prove consent was informed.

Italy

Rapporteur:
Marco Berliri
Debora Stella

Consent to an English language privacy statement is invalid unless the data subject fully understands the language (which is unlikely to be valid to the general audience).

Japan

Rapporteur:
Hiroshi Miyashita

There is no provision or policy on a linguistic requirement. But it is normally understood that the statement must be translated into Japanese; otherwise the statement may be regarded as a disadvantageous contract that unilaterally impairs the interests of consumers, which is prohibited by Article 10 of the Consumer Contract Act. The general Japanese audience cannot be expected to read an English privacy statement.

Netherlands

Rapporteur:
Gerrit-Jan Zwenne

Consent to an English language privacy statement would be valid, provided that the data subject indeed understands the language of the privacy statement. Note, however, that accepting a privacy statement that has some consent wording may not qualify as unambiguous consent, as it is not certain whether the data subject actually has read and understood the consent wording. Layered consent is acceptable.

In general, under Polish law a privacy statement understood as a consent for the processing of personal data does not require translation into Polish (except when the consent is given by a consumer or employee).

Portugal

Rapporteur:
Ana Rita Painho

Consent to an English language privacy statement could be considered valid. However, the Data Privacy Commission requires a Portuguese translation of all documents provided.

Russia

Rapporteur:
Natalia Gulyaeva

The Russian law on personal data does not provide a direct requirement to obtain consents from individuals in Russian. However, since the official language of the territory of Russia is Russian, in case of audits or interaction with the state authorities, as well as in case of disputes in courts, such documents are reviewed in Russian.

Spain

Rapporteur:
Gonzalo Gállego

There are no specific rules on the language of consent. However, as a general rule, the consent must be informed. This means that the data subject must be aware of the processing that will take place before granting the consent. Otherwise, the consent is not valid.

For such reasons, in Spain, consents tend to be in Spanish. Otherwise, there is a risk that the data subject may argue that the consent was not understandable. Yet, strictly speaking, there is no such requirement and depending on the circumstances, and English consent may be completely appropriate (e.g., the mother tongue of the data subject is English although he or she lives in Spain, or the consent is collected in a meeting of a U.S. or English association in Spain where the language used in all sessions is English, etc.)

Sweden

Rapporteur:
Ida Smed Sörensen

There is no statutory obligation to translate information into Swedish. However, the controller carries the burden of proof that the data subject has understood the information provided (upon which the consent is based) and it is therefore strongly recommended that information is translated into Swedish if the controller is not certain that the data subject’s understanding of English is sufficient.

Switzerland

Rapporteur:
Sylvain Métille

Consent to an English language privacy statement would be valid if the subject correctly understood the information provided in English.

United Arab Emirates

Rapporteur:
Warren Thomson

There is no requirement for consents (or other written agreements or documents between private parties) to be in Arabic unless the statement is required by the parties to be notarized, and consent to an English privacy statement generally would be valid.

Argentina

Rapporteur:
Pablo A. Palazzi

A statement in English may be valid, but it is advisable to have it in Spanish.

Austria

Rapporteur:
Axel Anderl

As long as the employee is capable of understanding the scope of the consent declaration (i.e., English is used as a daily business language), an English language privacy policy is sufficient.

Belgium

Rapporteur:
Catherine Erkelens

The statement should be in a language understood by the employee. Special language legislation requires employment documents to be drafted in the language of the region in Belgium where the employer is seated. Considering the uneven balance of powers between employers and employees, to the extent that employee consent is not easily “freely” given such consent is not taken into account, most of the time.

China

Rapporteur:
Grace Chen

Yes, it could be valid.

Czech Republic

Rapporteur:
Vojtech Chloupek

Yes, it could be valid.

Denmark

Rapporteur:
Nis Peter Dall

Yes, it could be valid (e.g., if the subjects are employees in a company where the day-to-day language is English).

Finland

Rapporteur:
Eija Warma

Privacy statements should be communicated in a language that can be easily understood by the employees. Thus, the use of the employees’ mother tongue is not an absolute requirement. For example, if the company’s language is English and knowledge of English is required in the company, a privacy statement can be in English too.

France

Rapporteur:
Ariane Mole

Article L.1321-6 of the French Labor Code requires that “any document providing obligations to the employee or any provision the knowledge of which is necessary for the execution of his work must be written in French.” Therefore, a privacy statement would be considered as necessary for the execution of the employee’s work and must be written in French. However, please note that under French labor law it is very likely that consent to a privacy statement would not be considered as valid anyway, even in French, since consent is not considered as a legal basis for processing when it is given by an employee.

Germany

Rapporteur:
Fabien Niemann
Stefan Schuppert

It depends on the nature of the employment. Similar considerations apply: if the employee’s working language is English and his employee contract is in English, an English privacy statement is likely sufficient. Otherwise, a translation should be made.

However, to be valid, consent must be given freely. The relationship between employee and employer is characterized by a certain hierarchy which in general prevents the employee from freely deciding about such consent. Against this background, an employee’s consent is in general no valid justification to process personal data in the course of the employment contract.

Hong Kong

Rapporteur:
Marcus Vass

It depends on the English proficiency of the employee.

Israel

Rapporteur:
Pini Azaria

In a workplace where English is used as a work language, an English statement would typically suffice. Otherwise, if a privacy statement is not provided in Hebrew, the controller would face an evidentiary burden to prove consent was informed.

Italy

Rapporteur:
Marco Berliri
Debora Stella

Consent to an English language privacy statement could be valid, provided that the employee speaks or understands English.

Japan

Rapporteur:
Hiroshi Miyashita

Guidelines on privacy protection in employment management say “it is necessary that the contents of [contracts or statements] shall be reasonable and appropriate enough to recognize by the data subject” (Article 18, Section 2). English statements are not likely to be “reasonable and appropriate” for the ordinary Japanese workplace.

Netherlands

Rapporteur:
Gerrit-Jan Zwenne

Consent is always tricky when it comes to employees, as it is not clear whether they have the freedom to deny consent. Leaving that aside, if the employee understands the language, consent can be valid.

The Polish Language Act requires the employer to provide all communication regarding the employee’s rights and obligations, including a consent for data processing, in Polish or bilingual form. Violators are subject to up to 30 days in jail, restriction of freedoms, fines up to PLN 5000 or reprimands.

Further, the Polish Data Protection Act generally requires that consent be clear, and there is a risk that such consent to an English statement by a person who is not fluent in the language could be considered invalid.

Portugal

Rapporteur:
Ana Rita Painho

Consent would be considered valid if the consent document includes that the employee has full knowledge of the English language and understands the contents of the consent provided.

However, collection and processing on the basis of consent is restricted, since the Data Protection Commission has generally adopted the view that employees, due to their subordinate position, have no capacity to provide truly free consent.

Russia

Rapporteur:
Natalia Gulyaeva

Statements should be translated into Russian.

Spain

Rapporteur:
Gonzalo Gállego

The same as the general rule. The fact that the data subject is an employee may make it easier to make a risk assessment on whether he or she will understand an English consent (e.g., if the employee needs English in order to perform his or her task, etc.).

Sweden

Rapporteur:
Ida Smed Sörensen

It should also be noted that employees are generally not considered to be able to provide valid consent as they are in a dependent position in relation to their employer. Valid consent from employees requires a real free choice, i.e. that there is a real option not to consent and that there is no direct or indirect pressure from the employer to consent.

Switzerland

Rapporteur:
Sylvain Métille

Consent to an English language privacy statement would be invalid. The consent of an employee is rarely accepted, as an employee is not in a position to refuse.

United Arab Emirates

Rapporteur:
Warren Thomson

Consent to an English privacy statement would be valid.

Argentina

Rapporteur:
Pablo A. Palazzi

A statement in English may be valid, but it is advisable to have it in Spanish.

Austria

Rapporteur:
Axel Anderl

As long as the customer is capable of understanding the scope of the consent declaration (i.e., English is used as a general contracting language), an English language privacy statement is sufficient.

Belgium

Rapporteur:
Catherine Erkelens

The consent is only valid if the data subject fully understands the statement before consent is given. As the burden of proof for “informed consent” lies with the data controller, it would be necessary to produce evidence that the consumer understands English and gave “informed consent,” which can be difficult. Most consumers in Belgium are not English speakers, so it is advisable to use local languages. Usually, privacy statements are in the language used for advertising the service or product.

China

Rapporteur:
Grace Chen

Yes, it could be valid.

Czech Republic

Rapporteur:
Vojtech Chloupek

Yes, it could be valid. However, according to new Czech legislation, effective as of January 1, 2014, all announcements towards consumers need to be in the same language as a concluded consumer contract. According to Czech consumer law, consumers should generally be informed about various things in the Czech language.

Denmark

Rapporteur:
Nis Peter Dall

Yes, it could be valid. However, generally there cannot be the same expectation in relation to language skills as for employees.

Finland

Rapporteur:
Eija Warma

The regulation is somewhat stricter than for employees. Generally, all merchandising information provided for the purpose of making a purchase decision should be available in a clear and understandable manner for consumers.

Finland has two national languages: Finnish and Swedish. Thus, privacy statements should be in both Finnish and Swedish if a service is directed towards Finnish consumers at large, and not only towards a limited group of potential customers possessing special expertise where the use of English or the use of either Finnish or Swedish may well be grounded. In addition, if the concerned service is not merchandised in Finland or directed towards Finnish consumers, the national language requirement does not apply.

France

Rapporteur:
Ariane Mole

Article L.121-66 of the French Consumer Code requires that “the contract must be written in French when the consumer resides in France or the professional sells on the French territory.” Consent to a privacy statement would be considered as part of the contractual relationship with the consumer, and therefore would need to be in French.

Germany

Rapporteur:
Fabien Niemann
Stefan Schuppert

The general rule is that it depends on the language of the corresponding service. If the controller processing the data can ensure that the data subject was capable of understanding an English consent declaration, such consent can be given in English.

However, it is unlikely that all relevant offerings, marketing materials, etc., will be in English in a business-to-consumer service which targets the German market. Therefore, usually, a translation of the privacy policy is required in business-to-consumer transactions.

Hong Kong

Rapporteur:
Marcus Vass

It depends on the English proficiency of the consumer.

Israel

Rapporteur:
Pini Azaria

If a privacy statement is not provided in Hebrew, the controller would face an evidentiary burden to prove consent was informed.

Italy

Rapporteur:
Marco Berliri
Debora Stella

Use of the Italian language is mandatory for all contractual information in the case of consumers.

In Italy, a consent is invalid unless the data subject fully understands the language.

Japan

Rapporteur:
Hiroshi Miyashita

It is normally understood that the statement must be translated into Japanese; otherwise the statement may be regarded as a disadvantageous contract that unilaterally impairs the interests of consumers, which is prohibited by Article 10 of the Consumer Contract Act.

Netherlands

Rapporteur:
Gerrit-Jan Zwenne

If the consumer understands the language, then consent would be valid. In the Netherlands, most people have a basic understanding of English (but obviously all are not at the same level).

The standard is the same as for employees; the Polish Language Act requires the entrepreneur to provide all communication regarding consumer's rights and obligation, including a consent for data processing, in Polish or bilingual form. Privacy statements should generally be provided in Polish or bilingual form.

Portugal

Rapporteur:
Ana Rita Painho

Consent would be considered valid if the consent document includes that the consumer has full knowledge of the English language and understands the contents of the consent provided.

However, while this could technically be admissible, there are strong reservations to the use of a foreign language for consent, since it is hard to assess at the moment of retrieval whether the consumer indeed understood the language at the time of consent.

Russia

Rapporteur:
Natalia Gulyaeva

Statements should be translated into Russian.

Spain

Rapporteur:
Gonzalo Gállego

The same as the general rule. However, note that, generally speaking, it is not possible to assume that consumers in Spain understand English. Therefore, a consent addressed to consumers in general should be in Spanish. There are some exceptions to this rule (e.g., information provided in a hotel to English customers, etc.).

Sweden

Rapporteur:
Ida Smed Sörensen

If the controller can show that the data subject understood an English statement, consent could be valid.

Switzerland

Rapporteur:
Sylvain Métille

Consent to an English language privacy statement would be valid, if the subject correctly understood the information provided in English.

United Arab Emirates

Rapporteur:
Warren Thomson

Consent to an English privacy statement would be valid.

Argentina

Rapporteur:
Pablo A. Palazzi

No additional comments.

Austria

Rapporteur:
Axel Anderl

No additional comments.

Belgium

Rapporteur:
Catherine Erkelens

The Belgian Data Protection Authority tends to refer, in relation to consent, to Article 29 Working Party opinions and applicable EU case law.

China

Rapporteur:
Grace Chen

While there is no express prohibition against the use of English, translation to Chinese would be advisable to avoid the situation where the employee or consumer claims he or she did not give consent because he or she did not understand what he or she was consenting to.

Czech Republic

Rapporteur:
Vojtech Chloupek

Regarding the privacy statement, the Czech language is not mandatory. However, it is highly recommended as controllers need to prove that the data subjects understood the privacy statement. There are only a few exceptions when the English wording would be acceptable – e.g., if the data subject is fluent in English because it is a basic requirement for a particular job position, etc.

Denmark

Rapporteur:
Nis Peter Dall

No additional comments.

Finland

Rapporteur:
Eija Warma

In addition to the language requirements, it is recommended consents to a privacy policy be obtained in a written form, as the data controller has the burden of proof of the existence of a valid contract.

As to the language requirement, the use of the English language is not prohibited as such. However, as described earlier, consideration of the language requirement should be case-specific, depending on the target group of a particular service.

France

Rapporteur:
Ariane Mole

The Toubon Act of 1994 provided for an obligation to use the French language in contracts. This legal provision cannot be overridden even by consent from the individual. Failure to use the French language is punishable by fines, but moreover documents which are not written in French are not considered as enforceable against consumers or employees.

Germany

Rapporteur:
Fabien Niemann
Stefan Schuppert

Irrespective of the language, German law puts particularly strong requirements on privacy consents (they must be specific, transparent, opt-in, etc.).

It is required that the declaration is provided to the data subject in a way that enables the data subject to understand the purposes and the extent of the data processing intended. The burden of proof if the consent declaration was given validly lies with the controller processing the data. Thus, the controller has to ensure that the data subject understood what he/she consented to. Against this background it will be often advisable to translate a consent declaration if German customers are asked for their consent

Hong Kong

Rapporteur:
Marcus Vass

English and Chinese are the two official languages of Hong Kong. It is common for privacy statements to be provided in both languages.

Israel

Rapporteur:
Pini Azaria

No additional comments.

Italy

Rapporteur:
Marco Berliri
Debora Stella

Although the Italian data protection legislation does not expressly require that consent (and notice) be given in Italian, based on the general principles underlying the Italian legal system, if the data subject does not have sufficient understanding of the English language he or she may claim the unenforceability of such consent.

However, consent is not mandatory for all processing activities. For instance, processing of data to perform a contract does not require consent. Marketing activities always require prior consent.

Japan

Rapporteur:
Hiroshi Miyashita

The Japanese Privacy Act does not mention privacy statements, but the Basic Policy of the Protection of Personal Information Act says “it is desirable to develop and publicize privacy policies.” “Desirable,” of course, is not mandatory. A 2012 study by the Japanese government indicates that 61.3% of Japanese businesses publicize privacy statements, 11.3% have a nonpublic privacy statement, and 25.7% have no privacy statement at all (study in Japanese).

Netherlands

Rapporteur:
Gerrit-Jan Zwenne

No additional comments.

The Polish Data Protection Act does not explicitly provide for that a privacy statement needs to be drafted in Polish; hence, it can be made in English also. However, provisions of other acts (e.g., the Polish Language Act) require the Polish language is used in dealings with employees and consumers.

Portugal

Rapporteur:
Ana Rita Painho

No additional comments.

Russia

Rapporteur:
Natalia Gulyaeva

No additional comments.

Spain

Rapporteur:
Gonzalo Gállego

No additional comments.

Sweden

Rapporteur:
Ida Smed Sörensen

It should be noted that there are other legal bases for the processing in addition to consent that could be applicable (e.g., that the processing is necessary in order to fulfill an agreement with the data subject).

Switzerland

Rapporteur:
Sylvain Métille

Consent is only valid if freely given and based on adequate information (this includes that the information be in an understandable language for the data subject).

United Arab Emirates

Rapporteur:
Warren Thomson

There is no requirement for consents (or other written agreements or documents between private parties) to be in Arabic unless the statement is required by the parties to be notarized (in which case the document will need to be presented for notarization either in Arabic, or bilingually in Arabic and another language with the Arabic translation stamped by the Ministry of Justice).

Also, if a matter becomes the subject of a dispute before any of the onshore courts of the UAE (excluding the DIFC Courts), any documents that are being adduced in evidence will need to be translated into Arabic, and the Arabic translation stamped by the Ministry of Justice.

  • Question 1
  • Question 2
  • Question 3
  • Question 4
  • If the governing law of a contract is your local law, would a local court in your jurisdiction recognize a contract as having been formed if it is signed by click-to-accept?

Argentina

Rapporteur:
Pablo A. Palazzi

Yes. According to Civil Code, consent can be express or implied. Express consent can be provided verbally, in writing or by unmistakable signs. Therefore, a contract could be recognized if it is signed by click-to-accept. Problems could potentially arise when a click-to-accept contract is presented as evidence; but there is no regulation that prohibits it.

Australia

Rapporteur:
Anna Johnston

Generally, yes, if it is made clear that click-to-accept will commit the clicker to an enforceable agreement. There would need to be language clarifying that clicking creates a legally binding contract.

Austria

Rapporteur:
Axel Anderl

Yes; in general there are no formal requirements for the creation of contracts.

Belgium

Rapporteur:
Catherine Erkelens

Yes if consent is unambiguous and informed.

Czech Republic

Rapporteur:
Vojtech Chloupek

Yes, in general Czech courts would recognize a click-to-accept contract. However, if Czech law expressly requires the written form of an agreement, the parties will need to meet formal requirements for electronic execution (such as electronic signature or other similar means).

Denmark

Rapporteur:
Nis Dall

Generally yes, since Danish law establishes no formal requirements for entering into a contract. However, essential and burdensome terms must be clear to the party accepting a contract, otherwise those terms may be considered invalid. The higher the risk that an accepting party is unaware of what is being accepted, the higher the risk of acceptance being deemed invalid. For example, if contract terms are provided through a hyperlink that takes the consenting party to a long document written in small font and containing burdensome and possibly unexpected or unusual “hidden” terms, then there is a high risk that such terms will be considered invalid. This holds true even when the accepting party is not a consumer.

Finland

Rapporteur:
Eija Warma

Click-to-accept (clickwrap) agreements are, in principle, accepted under Finnish contract law. Therefore a court will presumably recognize a click-to-accept contract. The court may, however, disregard or reconsider (i.e. interpret in another manner) some parts of the contract if those parts are found to be either unreasonable or surprising and severe for the contracting individual.

Germany

Rapporteur:
Fabien Niemann

Yes, in case of a real click-to-accept (i.e., acceptance precedes the contract and is not a post contractual consent).

Hong Kong

Rapporteur:
Marcus Vass

To date there have not been any Hong Kong court cases on click-to-accept contracts. Electronic contracts are governed by the Electronic Transactions Ordinance ("ETO"). However, the ETO only addresses electronic contracts signed with an electronic signature. It does not address click-to-accept.

Hungary

Rapporteur:
Bálint Halász

Yes, for most types of contracts a Hungarian court would recognize a click-to-accept or click-through contracts. Such contracts are usually not viewed as contracts finalized in writing but rather as contracts finalized with implicit conduct. Where the law requires a contract to be finalized in written form, click-to-accept is usually not recognized unless it is furnished with at least an advanced electronic signature, as required by Directive 1999/93/EC (Electronic Signatures Directive).

Israel

Rapporteur:
Pini Azaria

Yes. Israeli courts recognize click-to-accept contracts. However, certain transactions cannot be entered into electronically, including sales of land, trusts, agencies, wills and testaments, bank-customer agreements and guarantees.

Italy

Rapporteur:
Marco Berliri

Yes, although there are exceptions.In principle, under Italian law either or both parties may form a contract by indicating acceptance of an offer electronically – either by clicking an 'accept' button (or similar) or consenting through another type of computer platform or portal.

According to article 1326 of the Italian civil code (applicable also to contracts completed online), a contract is formalized once the party that has made the proposal has knowledge of the other party’s acceptance. Acceptance of the proposal may occur by any means, including an accept button or a check box on a website. In addition, article 1341 of the Italian civil code provides that general terms and conditions drafted by one of the parties are binding if they were known or could have been known by the other party before executing the agreement. Consequently, the mere availability of general terms and conditions on a website through a link is enough for their validity and enforceability.

There is disagreement between commentators and inconsistent case law as to whether clauses that require written approval can be accepted with a click or a check button.

Japan

Rapporteur:
Hiroshi Miyashita

Yes.

Macau

Rapporteur:
Manuel Maisog

It is unlikely that a local court in Macau would recognize a click-to-accept contract. As discussed in response to question 3, electronic signatures must satisfy specific requirements.

Netherlands

Rapporteur:
Gerrit-Jan Zwenne

Probably yes. There are no formal requirements for accepting an offer and subsequently entering into a contract. However, if the acceptance is not freely given, a Dutch court can, and in practice often does, protect the consumer. Further, consumer law provides a list of provisions that are considered onerous and therefore invalid (although they can be declared valid at the consumer’s request).

Poland

Rapporteur:
Izabela Kowalczuk-Pakula

Yes, click-to-accept contracts are acceptable in most e-commence sales and services.

In some cases, however, Polish law prescribes a special contract format for the transaction. For example, Polish Law requires a notarial deed in the case of a transfer of ownership; a writing under penalty of nullity in the case of a copyright transfer agreement; and a writing in the case of an agency agreement or employment agreement. “In writing” means a hardcopy document with hand written signatures or a certified electronic signature equivalent to written form.

Portugal

Rapporteur:
Ana Rita Painho

Yes, unless it is a contract with special formal requirements (e.g. recognized signatures of the parties are necessary). Because evidence of an effective signature can be an issue in click-to-accept contracts, it is always preferable to have a click-to-accept with some security backup (like a question to confirm signatory identity).

Russia

Rapporteur:
Natalia Gulyaeva

Yes, subject to compliance with the requirements of contract formation and execution under Russian law, a Russian court may recognise a click-to-accept contract. Contracts may be executed in electronic form through an exchange of, among other things, electronic documents. An exchange of electronic documents will be deemed equal in legal effect to an exchange of hard copies.

Depending on how click-to-accept is envisaged, the Federal Law No 63-FZ dated 6 April 2011 On Electronic Signature (the "Law On Electronic Signature") may apply.

A contract signed with an electronic signature is an electronic document equivalent in its legal effect to the contract executed by hand in hard copy in cases where the parties expressly agree to this effect in the contract or where the legislation provides for such effect. Except where the legislation requires a document to be in hard copy, no further formalities are required for a document signed with an enhanced certified electronic signature.

Please note that Russian law requires that certain types of contract should be entered into in hard copies. This applies to employment agreements, certain types of real estate transactions, leases, and sale of an enterprise as a going concern among others.

Singapore

Rapporteur:
Sheena Jacob

Yes. Section 11 of the Electronic Transactions Act provides that the requirements of offer and acceptance in contract formation can be expressed by means of electronic communications. The same principles that apply to the formation of written contracts will similarly apply to electronic contracts. A "click-to-accept" is a form of electronic communication and is likely to constitute valid acceptance for the purposes of contract formation.

Spain

Rapporteur:
Gonzalo Gállego

Yes. Click-to-accept (or click wrap) contracts are accepted in Spain. Under the Spanish law, the general rule is that contracts are valid no matter how they are accepted. There are exceptions to this rule (e.g. contracts before a Notary Public). However, such exceptions do not affect common commercial contracts.

Switzerland

Rapporteur:
Sylvain Métille

Swiss courts have not yet confirmed the validity of user consent provided via click-to-accept, but click-to-accept is used regularly. The user should be in a position to read and understand the terms and conditions before agreeing.

Pursuant to general rules of consumer protection, unusual clauses in the general terms are only binding if the attention of the consumer has been drawn to them. A court will not enforce a click-to-accept agreement, which is unlikely to be read by the customer.Click-to-accept contracts are not valid in limited situations where the law requires a specific form of contractual agreement (hire purchase agreements, loans and other financing transactions with consumers, contracts concerning real estate).

Taiwan

Rapporteur:
Manuel Maisog

It is doubtful that a local court in Taiwan would recognize a click-to-accept contract, since relevant authorities appear to have interpreted this practice as invalid.

United Arab Emirates

Rapporteur:
Warren Thomson

A click-to-accept contract would be recognized as valid in the UAE.

The Electronic Transactions and Commerce Law No.2/2002 ("ETCL") sets out that "it is permissible to express offer and acceptance, partly or wholly, by means of electronic communications".

The UAE Civil Code provides that "a contract is the meeting of an offer issued by one of the contracting parties with the acceptance made by the other party and their concordance in such a manner as to produce their effect on the object of the contract and results in a binding obligation on each party of the obligation of the other party". Furthermore, it provides that "a contract is formed by the meeting of an offer with an acceptance". There is no requirement for consideration under UAE law in order to form a valid contract.

Given the above, through the combination of the ETCL and the UAE Civil Code, using click-to-accept would be a valid method of indicating acceptance and forming a contract in the UAE.

UK

Rapporteur:
Ruth Boardman

Yes

USA

Rapporteur:
Aaron Simpson

In general, courts in the United States apply the same principles of contract formation to electronic contracts as they do to hard-copy contracts. Clicking to accept an electronic agreement will generally be sufficient to create a valid, enforceable contract to the extent that (1) the terms of the agreement have been reasonably communicated; (2) the consumer has actual or constructive notice of the terms; (3) there is no unfair surprise to the consumer as a result of the way in which the terms were presented; and (4) the terms are not deemed unconscionable (e.g., overly harsh, one-sided, fraudulent). Because courts may look to an affirmative act on the part of the consumer as evidence of acceptance of contract terms, having the consumer click a checkbox is useful for establishing consent. Inferring consent based on a consumer’s use of an online product or service is disfavored.

Argentina

Rapporteur:
Pablo A. Palazzi

Yes.

Australia

Rapporteur:
Anna Johnston

Not sure; it would probably need to be consistent with Australian law as well.

Austria

Rapporteur:
Axel Anderl

Yes.

Belgium

Rapporteur:
Catherine Erkelens

Yes except for clauses that are contrary to local mandatory laws.

Czech Republic

Rapporteur:
Vojtech Chloupek

Yes, in general Czech courts would recognize a click-to-accept contract governed by a foreign law.

However, some rules may apply irrespective of contractual provisions (e.g. the public order, consumer protection, data protection, mandatory provisions of Czech law), and these rules may require a written form, as per question 1 above.

Denmark

Rapporteur:
Nis Dall

Yes, with the same caveats as the answer to question 1 above. Generally, consumers would not be asked to make decisions about choice of law; but choice of a foreign law would not deprive them of consumer protection if a service is directed at the Danish market.

Finland

Rapporteur:
Eija Warma

Yes. The court would recognize as enforceable a click-to-accept contract governed by foreign law.

Germany

Rapporteur:
Fabien Niemann

Yes

Hong Kong

Rapporteur:
Marcus Vass

Yes

Hungary

Rapporteur:
Bálint Halász

Yes, it is very likely that a Hungarian court would recognize a click-to-accept contract governed by foreign law if the contract is deemed valid under that foreign law.

Israel

Rapporteur:
Pini Azaria

Yes. Israeli courts typically accept the contractual choice of law, except where such choice is considered unfair in a standard form contract, illegal, without good faith or counter to public policy. A choice of law provision may lack good faith if the chosen law has little or no territorial link to the contract. In addition, in cases where the foreign law conflicts with mandatory provisions of local law (e.g., labor law or consumer protection), Israeli courts may apply the local law’s mandatory provisions regardless of the parties’ choice of law.

Italy

Rapporteur:
Marco Berliri

In principle, yes, with some exceptions for specific types of contracts, such as real estate transactions.

In general, Art. 11 of Regulation no. 593/2008 (Rome I) applies. Therefore, if the law governing the contract is a foreign law under which click-to-accept is enforceable, Italian courts should recognize a signed click-to-accept contract as finalized.

Japan

Rapporteur:
Hiroshi Miyashita

Yes (based on the Act on General Rules for Application of Laws).

Macau

Rapporteur:
Manuel Maisog

Whether a contract is enforceable is fact sensitive, and determined on a case-by-case basis. It is therefore difficult – if not impossible – to provide a single answer that will cover all cases. However, in the abstract, a court in Macau would enforce a contract that is governed by the law of another jurisdiction and is enforceable under the laws of that jurisdiction.

Netherlands

Rapporteur:
Gerrit-Jan Zwenne

Probably yes. There are no formal requirements for accepting an offer and subsequently entering into a contract. However, if the acceptance is not freely given a Dutch court can, and in practice often does, protect the consumer. Further, consumer law provides a list of provisions that are considered onerous and therefore invalid (although they can be declared valid at the consumer’s request).

Poland

Rapporteur:
Izabela Kowalczuk-Pakula

Yes, a Polish court would recognize a contract as having been formed if it is signed by click-to-accept and enforceable under foreign law provided that it does not infringe upon (i) Polish mandatory provisions, including data protection and consumer, and (ii) any overriding mandatory Polish rules.

Overriding mandatory rules are rules crucial for safeguarding Poland's public interests, such as its political, social or economic organization, to such an extent that they apply to any situation falling within their scope.

Portugal

Rapporteur:
Ana Rita Painho

Yes, unless, under Portuguese law the same contract would require special signature formalities. In such case, a court would reject it under public order principles.

Russia

Rapporteur:
Natalia Gulyaeva

A Russian court would likely recognize a contract governed by a foreign law that enforces click-to-accept contracts. According to the recent amendments to the Russian Civil Code on conflict of law rules, the form of a contract, including its execution and signatures, is to be governed by the law that governs the contract itself.

Singapore

Rapporteur:
Sheena Jacob

Yes. The courts in Singapore will apply the governing law of the contract to determine its validity. If the governing law of the contract recognizes the contract as valid, Singapore courts will likely reach a similar conclusion.

Spain

Rapporteur:
Gonzalo Gállego

Yes, unless the agreement includes provisions subject to imperative laws providing for requirements incompatible with click-wrap contracts (e.g. Data protection, as explained below).

Switzerland

Rapporteur:
Sylvain Métille

Yes, except if Swiss law imposes the application of local law and a specific form of contract is required.

Taiwan

Rapporteur:
Manuel Maisog

Yes (responding in the abstract and subject to actual factual circumstances).

United Arab Emirates

Rapporteur:
Warren Thomson

Yes (assuming the contract itself is valid and enforceable in the UAE), a click-to-accept contract governed by foreign law would be recognized as valid. As mentioned previously, the ETCL makes provision for an offer to be accepted by electronic means in the UAE.

In addition, for foreign certificates and electronic signatures, the ETCL sets out that no regard shall be made to the place where the certificate of electronic signature was issued or to the jurisdiction in which the issuer had its place of business.

UK

Rapporteur:
Ruth Boardman

Yes

USA

Rapporteur:
Aaron Simpson

Yes. U.S. courts may recognize electronic agreements that were formed using a click-to-accept mechanism that is considered valid under the laws of another jurisdiction. U.S. courts will recognize and enforce electronic contracts governed by foreign law in the same way they enforce hard-copy contracts governed by foreign law, unless they find that the creation or terms of the contract violate U.S. law, are otherwise unconscionable, or that enforcing the contract would be against U.S. public policy.

Argentina

Rapporteur:
Pablo A. Palazzi

No.

Australia

Rapporteur:
Anna Johnston

An Australian court would likely examine whether there was: an intention to create a legally binding agreement, an offer, acceptance, consideration, etc. The Commonwealth Government and each State and Territory have their own Electronic Transactions Act, which outlines a number of matters surrounding signatures, electronic documents, etc.

Austria

Rapporteur:
Axel Anderl

No. However, language accepted by click-to-accept has to be made available to the contracting party before he agrees. Usually a hyperlink to the documents is used in the text after the click button. The accept button should not be pre-checked since this could lead to the agreement being deemed void.

Belgium

Rapporteur:
Catherine Erkelens

No.

Czech Republic

Rapporteur:
Vojtech Chloupek

No, there are no special requirements (apart from the written form requirements) with regard to the enforceability of click-to-accept contracts.

Denmark

Rapporteur:
Nis Dall

No. But the party claiming that an agreement has been entered into bears the burden of proof. Acceptance of the terms of an agreement requires action by an accepting party, and such action would serve as evidence of consent.

Finland

Rapporteur:
Eija Warma

There are no specific requirements for enforceability of click-to-accept contracts. However, a click-to-accept contract runs the risk of a court finding the agreement (or parts of it) unreasonable or surprising and severe and therefore invalid. Consequently, the clearer and the more explicit the contract terms are, the better their chances of enforceability.

Germany

Rapporteur:
Fabien Niemann

No. Except double opt-in is required for direct marketing online via email.

A click-to-accept contract must require an active-click. Pre-click does not constitute valid consent.

Specific requirements depend on the nature of the contract (e.g., B2B or B2C, for free or for consideration, etc.)

Hong Kong

Rapporteur:
Marcus Vass

The ETO does not address click-to-accept contracts specifically, but rather electronic contracts signed with an electronic signature.

The ETO permits the formation of an electronic contract provided that it fulfills all legal contracting requirements, including offer and acceptance. Acceptance may be expressed by means of an electronic signature, defined as any letters, characters, numbers or other symbols in digital form attached to an electronic record for the purpose of authenticating the electronic record.

Hungary

Rapporteur:
Bálint Halász

Sections 6:82-6:85 of the Hungarian Civil Code (Act 5 of 2013) set forth certain requirements for finalizing a contract via electronic means. For example, the party providing the electronic contract should, before making a legal statement pertaining to the contract, inform the other party, inter alia, of the technical steps necessary to finalize the contract, to rectify any errors or change the language, and whether the contract is also considered finalized in written form. In B2C relationships these are mandatory requirements.

Israel

Rapporteur:
Pini Azaria

No. However, it is advisable that the contracting party clarify the contracting process. Typically, the customer should be asked to check a box confirming he read and understood the terms of the agreement before clicking “I accept,” in order to prevent claims of mistaken click-through.

Italy

Rapporteur:
Marco Berliri

Pursuant to article 1341 of the Italian civil code, in case of general terms and conditions drafted by one party, "unbalanced clauses”—those provisions that create an imbalance between the non-drafting party and the drafting party—are unenforceable vis-à-vis the non-drafting party unless they are expressly and separately approved in writing by the latter.

Japan

Rapporteur:
Hiroshi Miyashita

According to Japan’s Consumer Contract Act, “business operators…shall endeavor to make the rights and duties of consumers and such other things set forth in the consumer contract clear and plain.”

Macau

Rapporteur:
Manuel Maisog

In addition to satisfying the requirements of general contract law, a click-to-accept contract must also satisfy the requirements of Macau’s electronic documents and digital signatures law. Under the electronic documents and digital signatures law, a click-to-accept mechanism must be uniquely linked to the signatory, be capable of identifying him and be created using means that he can maintain under his sole control. The click-to-accept mechanism must also be linked to the related data in such a manner that any subsequent change of the data can be detected.

Electronic signatures in Macau are more prudently made if supported by a certificate, such as a qualified certificate or a normalized certificate. A qualified certificate is issued by an accredited certification service provider after a rigorous authentication process. A normalized certificate requires face-to-face identity authentication by the applicant before the certification service provider will issue it. Whether a certification service provider will issue a certificate for a signature using a click-to-accept mechanism will depend on its internal rules and assessment.

Netherlands

Rapporteur:
Gerrit-Jan Zwenne

No

Poland

Rapporteur:
Izabela Kowalczuk-Pakula

No, Polish law does not provide any special requirements for the enforceability of click-to-accept contracts. According to the general rule, click-to-accept as a declaration of will should be unambiguous. A pre-checked box would not be enforceable.

Portugal

Rapporteur:
Ana Rita Painho

There are no specific requirements for enforceability. However, as mentioned in response to question one, evidence of an actual signature by the party can be an issue. For the sake of efficiency, it is therefore advisable to get a verifiable signature.

Russia

Rapporteur:
Natalia Gulyaeva

In accordance with the requirements of the Law On Electronic Signature, click-to-accept is likely to be valid if the following statutory requirements are met:

  • a simple electronic signature is included in an electronic document,or a key of a simple electronic signature, which contains enough information to identify the sender, is used in accordance with the regulations of an operator of the information system that is used for the creation and transmission of an electronic document;
  • the parties agree that the electronic document is deemed equivalent in legal effect to the agreement that is executed in hard copy by hand;
  • the document provides a procedure for identifying a person who signs the document with the electronic signature (for example, by indicating that an offer or acceptance is sent from a password protected e-mail address that identifies the sender); and
  • the document imposes an obligation on the person who creates and/or uses the key of a simple electronic signature to keep the key confidential.

Further requirements apply to using an enhanced electronic signature.

Singapore

Rapporteur:
Sheena Jacob

There are no specific requirements for the enforceability of click-to-accept contracts under Singapore law.

Spain

Rapporteur:
Gonzalo Gállego

There are no specific requirements. General requirements for the enforceability of contracts apply (i.e. consent, object/purpose and cause).

Switzerland

Rapporteur:
Sylvain Métille

No

Taiwan

Rapporteur:
Manuel Maisog

The counterparty must have agreed to use an electronic document, and the content of the electronic record must be presented in its complete form and remain accessible for subsequent verification. It would be most prudent to adopt PKI for a digital signature.

United Arab Emirates

Rapporteur:
Warren Thomson

While there is legislation regarding electronic transactions, there are no provisions specifically addressing click-to-accept contracts. As such, there are no specific requirements relating to accepting a contract in this way.

Using a single click in a click-to-accept contract would, prima facie, be sufficient to indicate an acceptance of the terms of the contract.

UK

Rapporteur:
Ruth Boardman

There are no specific requirements.

USA

Rapporteur:
Aaron Simpson

There are no statutory requirements for click-to-accept mechanisms, though courts may inquire into the way in which the terms of the agreement and the acceptance mechanism are presented to the consumer to determine the validity of the consumer’s consent. It is generally considered a best practice to list the most important contract terms at the top of the agreement, so as to help ensure a consumer sees the terms before accepting. For example, several years ago the Federal Trade Commission brought an enforcement action alleging that a company acted deceptively because, although the company provided information about how a software application would collect personal information and track online activity, it positioned those terms deep within a lengthy user license agreement such that consumers likely would not review them.

In addition, certain contractual agreements may only be entered into pursuant to the Electronic Signatures in Global and National Commerce Act (ESIGN Act), a U.S. federal law enacted to ensure the validity and legal effect of electronic contracts. To the extent the ESIGN Act applies to a contract, a one-step click-to-accept mechanism likely would not be sufficient to comply with the ESIGN Act.

Argentina

Rapporteur:
Pablo A. Palazzi

No. Processing of personal data must be authorized by consent, which could be given in writing or through similar means, including click-to accept.

In practice, the DPA has accepted this method.

Australia

Rapporteur:
Anna Johnston

Yes. Privacy policies are not generally treated as contracts. Privacy policies are legal documents, which must be published as a matter of transparency (see Australian Privacy Principle 1.3). There is no requirement that individuals ‘accept’ a privacy policy. By contrast, more specific privacy ‘notices’ are required when personal information is being collected. The requirement is typically described as to ‘notify’, ‘inform’ or ‘make the subject aware’ of certain matters (see APP 5.1). When individual ‘consent’ is required as a way of authorizing particular conduct, such as a secondary use or disclosure that would not otherwise be authorized under a privacy principle (see APP 6.1(a)), then a “click to accept” arrangement might be appropriate, so long as the other requirements for consent are complied with. Privacy Commissioners, courts and tribunals which hear privacy cases will typically only accept ‘consent’ as valid if it is voluntary (i.e. not bundled with other standard terms and conditions), informed, specific, current, and given by a person with legal capacity to agree.

Austria

Rapporteur:
Axel Anderl

No.

Belgium

Rapporteur:
Catherine Erkelens

Czech Republic

Rapporteur:
Vojtech Chloupek

A double-click requirement may apply in cases where, for example, it is necessary to receive both the party’s consent for data processing and the party’s consent to Terms of Use. In such cases, some sort of two-stage mechanism would be required.

Denmark

Rapporteur:
Nis Dall

No. Consent in relation to the processing of personal data, must be specific and informed. In other words, the terms must be clear and the data subject must take an action to accept.

Finland

Rapporteur:
Eija Warma

In cases of ambiguity, a court would more likely rule in favor of a data subject, as data protection regulation, more than general contract law, focuses on individual protection.

Germany

Rapporteur:
Fabien Niemann

Not necessarily. Privacy policies do not require consent. If a party solicits consent for a specific instance or type of data processing, the click-to-accept contract should be drafted as an “acknowledgment of terms;” consent should not be “hidden” in a general policy. If more explicit consent is needed, it could be obtained online only for online services; for offline services or uses, consent must be in writing.

Hong Kong

Rapporteur:
Marcus Vass

The Personal Data (Privacy) Ordinance ("PDPO") governs the collection and use of personal data in Hong Kong. The privacy policy must comply with the six data protection principles set out in the PDPO.

Hungary

Rapporteur:
Bálint Halász

Accepting a privacy policy by click-through is usually recognized as valid, since Hungarian law does not require written contractual consent to collect or process personal data. Please note that this does not apply to sensitive data (e.g. health data or data on ethnic origin), for which Hungarian law requires consent to be provided in written form before collection or processing.

Israel

Rapporteur:
Pini Azaria

No

Italy

Rapporteur:
Marco Berliri

Yes.

Under Italian law, privacy policies/notices are not "contracts" and, thus, do not need to be accepted. In most cases, it is sufficient simply to make the privacy policy available to the data subject. However, in some cases (e.g. processing of personal data for profiling purposes and/or for marketing purposes, transfer of personal data outside EEA, etc.) the data subject's consent is necessary. In such cases, a click-to-accept is generally sufficient to obtain the data subject’s consent, because consent may be given by any means.

Japan

Rapporteur:
Hiroshi Miyashita

Yes, consistent with the mandatory provisions.

Macau

Rapporteur:
Manuel Maisog

The Macau Personal Data Protection Act establishes rules for consenting to a privacy policy. Under the Act, data subjects must consent to the processing of personal data. The Macau data privacy law does not specifically require the electronic or written signature of the data subject; any action that indicates consent, such as selecting a check box, would be enough. “Consent” is defined as “any freely given specific and informed indication of [the data subject’s] wishes.” Under the Act, consent must also be “unambiguous” (sometimes translated as clear cut, explicit, or unequivocal).

Whether the answers to questions 1-3 would be different if the contract was a privacy policy remains open to further clarification by relevant legal authorities in Macau. A check box could be acceptable in Macau for a privacy policy if it is sufficient under the circumstances to indicate unambiguously, clearly, explicitly and unequivocally the data subject’s freely given and informed consent. However, the check box should not be pre-selected.

Netherlands

Rapporteur:
Gerrit-Jan Zwenne

No

Poland

Rapporteur:
Izabela Kowalczuk-Pakula

No, Polish law does not recognize a privacy policy as a document under Polish law. Having a privacy policy is more of an e-commence standard and most Polish e-commerce follows this practice.

Click-to-accept would not be enforceable in the case of a data processing agreement, as this agreement should be in writing (within the meaning described in answer one).

Portugal

Rapporteur:
Ana Rita Painho

No, it would not.

Russia

Rapporteur:
Natalia Gulyaeva

In accordance with Russian law, consent to the processing of personal data may be granted in any form but should be specific, informed and wilfully granted. Consent in writing is only required in a handful of cases that are prescribed by the Federal Law dated 27 July 2006 No 152-FZ On Personal Data (the "Law On Personal Data"). Where consent in writing is required, the Law On Personal Data provides that electronic consent signed with an electronic signature in accordance with the requirements of the Law On Electronic Signature is equivalent to the hard copy consent in writing that is signed by hand by the data subject.

Singapore

Rapporteur:
Sheena Jacob

No. A privacy policy can also be considered a valid contract if the requirements of contract formation as stated in the first answer are met.

Spain

Rapporteur:
Gonzalo Gállego

Yes, depending on the types of data and processing covered by the Privacy Policy.

Data protection laws provide certain requirements for the processing of sensitive data (ideology, religion and beliefs) including written consent. It is arguable whether a click-to-accept consent is "in writing". However, generally speaking, consent for the processing of sensitive information tends to be given in paper form with a handwritten signature.

Moreover, if the Privacy Policy regulates e-mail marketing communications or processing not necessary for the performance of a contract, a specific click (or another procedure, such as tick-box) may be necessary in order for the data subject to validly consent.

Switzerland

Rapporteur:
Sylvain Métille

No, as long as the privacy policy respects local law.

Taiwan

Rapporteur:
Manuel Maisog

These responses would not change if the contract were a privacy policy, because the Taiwan Personal Data Protection Law requires the data subject’s "written consent."

United Arab Emirates

Rapporteur:
Warren Thomson

No – the answers would remain the same because it is possible to accept a privacy policy by using click-to-accept.

If the acceptance of a privacy policy involves providing consent to the monitoring and processing of personal data, a positive explicit action is required to obtain the consent of the individual. Clicking to accept is, in our view, a positive action on the part of the individual and, as such, even a privacy policy that includes such terms should not require any additional action from the individual.

UK

Rapporteur:
Ruth Boardman

As a related point, from a UK perspective, when a user accepts a privacy policy, he or she is demonstrating consent to processing, or acknowledging that she or he has read the policy, rather than entering into a contract

USA

Rapporteur:
Aaron Simpson

Yes. In the U.S., a company’s privacy policy is not generally considered sufficient to create a binding contractual relationship between consumers and the company promulgating the policy. Privacy policies typically do not contain the elements of a contract under U.S. law, namely offer and acceptance, consideration and intention to enter into a binding legal agreement. Accordingly, U.S. courts are rarely called upon to determine whether a contract has been formed with respect to the terms of a privacy policy. The terms of a privacy policy may, however, be enforced through means other than pursuant to a contract law analysis. For example, the Federal Trade Commission regularly brings enforcement actions under its authority to regulate unfair or deceptive trade practices when a company fails to honor the terms of its online privacy policy. This authority is not dependent on whether the privacy policy has created contractual obligations.

The IAPP Westin Research Center extends its greatest thanks to the rapporteurs who generously shared their time and expertise to produce this survey.