Chairs in cafeteria

Terms and conditions

Published on 25 September 2017

Thousands agree to clean loos and hug stray cats for free Wi-Fi

The question

Does anyone read terms and conditions?  And what might this mean for the concept of “unambiguous consent” under the GDPR?

The background

In an “experiment”, Purple, a Wi-Fi hotspot provider, added a clause to its terms and conditions that required 1,000 hours of community service from those who wanted free Wi-Fi.  The definition for community service included the following tasks: “cleaning portable festival lavatories, hugging stray cats and dogs and painting snails' shells to brighten up their existence”.

Only one person out of 22,000 noticed the clause, despite it being there for two weeks, and was awarded a prize for their attentiveness.

Purple's experiment follows a similar stunt in 2014, when cyber security firm F-Secure included in their terms and conditions that users had to hand over their first-born child “for the duration of eternity” in exchange for free Wi-Fi. Six people signed up.

Why is this important?

Whilst Purple's intention is not to enforce the community service, the experiment highlights an important issue for both users and Wi-Fi providers alike.

For users, the statement is clear – users are still not reading terms when they sign up to access free Wi-Fi and are unaware as to what they are agreeing to, how much data they are sharing and what license they are giving to providers. As the CEO of Purple observed, “the experiment shows it's all too easy to tick a box and consent to something unfair”.

For Wi-Fi providers, the deadline to become General Data Protection Regulation (GDPR) compliant is looming large – all EU hotspot providers must meet the rules by 25 May 2018.  One of GDPR's headlines is the introduction of “unambiguous consent” which must be obtained before users' personal or behavioural data can be used for marketing purposes.

In the light of GDPR, Purple has asserted that it is the first Wi-Fi provider to be compliant by modifying its privacy policy to be clearer, simpler and shorter, thereby encouraging users to review the policy before accepting free Wi-Fi.  Further, its “access journey” has been modified so as to provide better clarity as to how user data will be used, for what purposes and by whom. Finally, it has a “Profile Portal” so that users know that they can control how their data is being used.

Any practical tips?

For users of hotspots, it is imperative to read, read and read again the terms and conditions pertaining to the provision of goods and services before clicking “accept”. In the case of F-Secure, it was against public policy to enforce a clause where users were expected to give up their first born child. Likewise, there is no suggestion that the Courts would enforce Purple's clause in the light of the fact that such an unexpected and onerous clause was not clearly highlighted in the terms and conditions.  However, every case will be judged on its facts and it cannot be assumed that the Courts will be sympathetic to users who claim terms are onerous/contrary to public policy if in fact those terms are commonly found in the industry and are contained in the provider's standard, unmodified terms and conditions in plain English.

For providers of Wi-Fi, in line with GDPR requirements, terms and conditions need to be very clear on what data is being collected, the reasons for collection, the intended use of such data and the ability for the user to opt-in for any marketing, as well as providing them clear instructions on how they can opt-out at any time. Good practice would also dictate that onerous/unusual terms are highlighted so as to encourage transparency and trust between the user and the service provider.