1

In most applications, when you sign up, you must agree to some terms and conditions.

Should the information that the user agreed to those terms be saved in the database?

I'm asking this because I'm thinking, if the user breaks one of those terms, I will need some proof that the user agreed to it? Like have a flag in the database which will be set when the user creates its account?

I'm also thinking about when the terms change and the user needs to re-agree with the terms. Should I also save some information that the user agreed with the new terms?

Vencovsky
  • What happens if they don't agree? – Rik D Mar 18 '21 at 17:44
  • @RikD they don't create an account. It's like those terms that you must agree to, otherwise you can't do anything – Vencovsky Mar 18 '21 at 18:06
  • If I agree to the terms, and then you change your terms, and I *don't* agree with the new terms, are you obligated to delete my account? What if I create an account on day 1 and don't ever log back in? If your application stores user data, and your changes to the terms and conditions make me decide I don't want anything to do with your application anymore, what are you legally allowed to do with that data? This seems like a legal question more than a technical one. – trent Mar 18 '21 at 18:46
  • Note that on this site, the terms and conditions affect how contributions are licensed. This post, for example, is licensed under CC-BY-SA 4.0. But older posts may be licensed under other, older licenses. Stack Exchange keeps in its database version information for the terms of each contribution -- not just each user. If you are building a system that stores user data, you may need this kind of flexibility, depending on what else the terms allow you to do. – trent Mar 18 '21 at 18:53
  • (You can see what license(s) apply to a question by looking at the activity timeline -- the clock icon underneath the voting buttons. I'm not sure whether there is similar information for comments.) – trent Mar 18 '21 at 18:54
  • So if a user created an account (and I assume the date of account creation is stored as well somewhere in the database), you already *have* stored the information that the user accepted the terms and conditions which were valid at that date? Storing that again seems redundant - please clarify if I understood that correctly, or not. (Reagreement, however, may require an extra record). – Doc Brown Mar 18 '21 at 21:57

3 Answers

5

Most services require the user to accept the terms of service in order to create an account. If you keep track of when the account was created and a revision history for the terms of service, you will be able to associate the account with the terms of service as they were when the account was created. If you also maintain a history of login times along with a revision history for the terms, you can link terms of service revisions with logins.

The need for re-accepting the terms of service is more of a question for legal or regulatory/compliance experts than software developers. If there is a need to re-accept the terms of service, take measures to track access or reading the terms, or track additional metadata about the acceptance of the terms, then that would drive the design and implementation of that functionality.

Thomas Owens
4

Regardless of any legal considerations:

  • you might need to track acceptance for new users
  • you will need to ask re-acceptance of changed terms and conditions for existing users.
  • you may have to ask for re-acceptance after a given time.

Moreover, you may need to show evidence that the user subscribed to the terms. A simple flag is not sufficient in case of litigation ("I never accepted these terms"). So you need to keep track at least of the date and if possible also other elements ("yes you did on 22/11/2019 at 23:11:07 from an android device from the IP ... geolocalized in this country"). Having the date will also allow you to determine the version of terms and conditions accepted, although it would be safer again to keep track of a version id and a language id if your app is multilingual.

Of course, all this depends on the respective responsibilities. A simple cookie can be sufficient in many cases, unless you may have to prove something (because you do not own the cookie that might be deleted by the user).

Phill W.
Christophe
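
One way to store the acceptance evidence this answer lists (date, IP, device, version id, language id), as an added example that is not part of the original answer. The table and column names are assumptions, SQLite stands in for the application database, and the append-only triggers and the SHA-256 of the terms text are additions that keep each record tied to the exact wording and protected from later edits.

```python
import hashlib
import sqlite3
from datetime import datetime, timezone
# Hypothetical schema (added example); SQLite stands in for the app database.
SCHEMA = """
CREATE TABLE terms_version (
    version_id   INTEGER NOT NULL,
    language     TEXT    NOT NULL,
    text_sha256  TEXT    NOT NULL,   -- pins the exact wording shown
    PRIMARY KEY (version_id, language)
);
CREATE TABLE terms_acceptance (
    user_id      INTEGER NOT NULL,
    version_id   INTEGER NOT NULL,
    language     TEXT    NOT NULL,
    accepted_at  TEXT    NOT NULL,   -- UTC, ISO 8601
    ip_address   TEXT,
    user_agent   TEXT,
    FOREIGN KEY (version_id, language) REFERENCES terms_version (version_id, language)
);
-- Evidence rows are append-only: reject any later change or removal.
CREATE TRIGGER acceptance_no_update BEFORE UPDATE ON terms_acceptance
BEGIN SELECT RAISE(ABORT, 'terms_acceptance is append-only'); END;
CREATE TRIGGER acceptance_no_delete BEFORE DELETE ON terms_acceptance
BEGIN SELECT RAISE(ABORT, 'terms_acceptance is append-only'); END;
"""

def open_db():
    db = sqlite3.connect(":memory:")
    db.execute("PRAGMA foreign_keys = ON")  # enforce the version reference
    db.executescript(SCHEMA)
    return db

def publish_terms(db, version_id, language, text):
    digest = hashlib.sha256(text.encode("utf-8")).hexdigest()
    db.execute("INSERT INTO terms_version VALUES (?, ?, ?)",
               (version_id, language, digest))

def record_acceptance(db, user_id, version_id, language, ip, user_agent):
    now = datetime.now(timezone.utc).isoformat(timespec="seconds")
    db.execute("INSERT INTO terms_acceptance VALUES (?, ?, ?, ?, ?, ?)",
               (user_id, version_id, language, now, ip, user_agent))

def needs_reacceptance(db, user_id):
    """True when the user has not accepted the newest published version."""
    latest = db.execute("SELECT MAX(version_id) FROM terms_version").fetchone()[0]
    accepted = db.execute("SELECT MAX(version_id) FROM terms_acceptance "
                          "WHERE user_id = ?", (user_id,)).fetchone()[0]
    return accepted is None or accepted < latest
```

In a production database the same append-only property is usually also enforced by granting the application role INSERT and SELECT only on the acceptance table.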
1

If you have multiple signup options, marketing opt-ins, data protection opt-outs, various versions of your TnCs, etc., then you will need to keep track of which user selected what.

This is fairly common. However, when it comes to terms and conditions you have to ask yourself what your risk is if the user breaks them.

Do you just cancel their account? Can you do that for any reason anyway? Is the legal onus on them to prove they have a licence? Then why do you need to prove they broke the TnCs?

If you have a more substantial agreement, where you have a risk, say you are insuring them for example, then a simple check box TnC probably isn't good enough for you. You will probably want to save the version of their policy agreement and send them a copy which they will want to keep and/or download at random times in the future.

Ewan