Legal terms compliance
I added a terms of service and privacy policy acceptance checkbox to my sign up form. User accounts cannot be created without checking this box, however the acceptance is not stored in the database at all (e.g. no timestamp, hash/version of the accepted terms documents, etc.). Does anyone know if this is sufficient, legally compliant with e.g. GDPR or do I need to store acceptance information in the database?
I did see some discussion about this in this discord server, but not much about legal compliance in the first place. If it's sufficient to not have to worry about storing this info I'd rather take the simpler path!
Relevant GDPR section: https://gdpr-info.eu/art-7-gdpr/
I know this is outside the scope of better auth, but figured this is a great community to ask this question and potentially save on attorney fees 😉 Good shared public knowledge with this question!
Link preview, Art. 7 GDPR – Conditions for consent (gdpr-info.eu):
Where processing is based on consent, the controller shall be able to demonstrate that the data subject has consented to processing of his or her personal data. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a …
4 Replies
Most cases it's probably "sufficient" as you can always associate a user signing up as them agreeing to your terms and use this as evidence of agreement.
But I think regarding storing data in DB it all depends. In the end, it's all about how you can prove they agreed to your terms.
A simple flag which says "this user agreed" is probably not enough, but can be sufficient if you think your agreement isn't too substantial. The safer path is to have an entire table specifically for keeping record of user agreement. This table can store user IP, device information, which document they agreed to, what version of the document, when they agreed, etc etc.
And all of this would be much better evidence to prove they agreed.
But again, it may not be necessarily needed when signups require agreement before creation of account.
--
On a separate note:
I have a legal compliance plugin for Better Auth in my https://www.better-auth-kit.com/docs/plugins/legal-consent, but I still need to improve it and make it support storing data in a separate table for what I described just before about the safer path for evidence. But for now, that data is stored in the user table.
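To make the "safer path" from the reply concrete, here is an added example of a separate consent-record store, written for this thread and not taken from Better Auth or better-auth-kit. It records which document and version was accepted, a SHA-256 hash of the exact text shown, the timestamp, IP and user agent, refuses to create an account when the box was not checked, and can tell whether a user's stored consent still matches the current text (so a changed document can trigger re-consent). The `LegalDocument`, `ConsentLedger` and `createAccountWithConsent` names, the in-memory array standing in for a database table, and the sample values are all assumptions made for the example.

```typescript
// Added example (not Better Auth / better-auth-kit code): an append-only
// consent ledger. The in-memory array stands in for a dedicated DB table;
// every name below is hypothetical.
import { createHash } from "crypto";

export interface LegalDocument {
  id: string;      // e.g. "terms" or "privacy"
  version: string; // human-readable version label
  text: string;    // the exact text the user was shown when accepting
}

export interface ConsentRecord {
  userId: string;
  documentId: string;
  documentVersion: string;
  documentHash: string; // SHA-256 of the text shown, so the wording can be proven later
  acceptedAt: string;   // ISO-8601 UTC timestamp
  ip: string | null;
  userAgent: string | null;
}

export interface RequestMeta {
  ip?: string;
  userAgent?: string;
}

// Hash the document text so a record is tied to the exact wording, not just a label.
export function hashDocument(text: string): string {
  return createHash("sha256").update(text, "utf8").digest("hex");
}

export class ConsentLedger {
  private records: ConsentRecord[] = []; // append-only; never update or delete rows

  // Store one acceptance event. `now` is injectable for deterministic tests.
  record(userId: string, doc: LegalDocument, meta: RequestMeta = {}, now: Date = new Date()): ConsentRecord {
    const rec: ConsentRecord = {
      userId,
      documentId: doc.id,
      documentVersion: doc.version,
      documentHash: hashDocument(doc.text),
      acceptedAt: now.toISOString(),
      ip: meta.ip ?? null,
      userAgent: meta.userAgent ?? null,
    };
    this.records.push(rec);
    return rec;
  }

  // True only if the user accepted this document with exactly the current text.
  // A changed document yields false, which is the signal to ask for re-consent.
  hasCurrentConsent(userId: string, doc: LegalDocument): boolean {
    const current = hashDocument(doc.text);
    return this.records.some(
      (r) => r.userId === userId && r.documentId === doc.id && r.documentHash === current,
    );
  }

  // All acceptance events for a user: the evidence trail to hand over if challenged.
  recordsFor(userId: string): ConsentRecord[] {
    return this.records.filter((r) => r.userId === userId);
  }
}

// Signup gate: the checkbox must be checked, and each accepted document is
// recorded before the account is considered created.
export function createAccountWithConsent(
  ledger: ConsentLedger,
  userId: string,
  docs: LegalDocument[],
  accepted: boolean,
  meta: RequestMeta = {},
  now: Date = new Date(),
): ConsentRecord[] {
  if (!accepted) {
    throw new Error("terms and privacy policy must be accepted before creating an account");
  }
  return docs.map((d) => ledger.record(userId, d, meta, now));
}
```

In a real deployment the ledger would be a table with a foreign key to the user, an index on `(userId, documentId)`, and no update or delete path, so that the record proves what was shown and when; the application simply queries `hasCurrentConsent` on login to decide whether to show the acceptance form again.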
Man, thank you so much for the thorough response and free ("non-")legal advice hahaha. Means a lot. Thanks for sharing your plugin, which btw I'd be happy to collaborate on and have further convos about this if helpful -- definitely something I want to square up patterns on for my company. Super pumped you have this plugin rolling!!!
TIL about better auth kit in the first place as well, amazing package you have there
Yeah for sure