Enforcing Terms and Conditions with IdPs

Hi @michael.farnsworth,

Note that as per docs:

https://auth0.com/docs/libraries/lock/v11/configuration#mustacceptterms-boolean-

the flag only applies to database connection users.

Also, I don’t think relying on that mustAcceptTerms checkbox (which only shows on the signup tab but not the login tab) is reliable, because technically, for Social Connections there’s no difference between a login and a signup. A user can just as well use “Login with Google” on the login tab instead of the signup tab with no difference (even if he hasn’t logged in/signed up before).

I would use a redirect rule with a custom consent page (on your end), and store this information in the user’s metadata. Then check in a Rule at login whether he has accepted it yet or not.


Update: I actually just found that the mustAcceptTerms checkbox is a pure client-side check (obviously, as it’s just a configuration set on the client side). And you are right, it doesn’t get stored anywhere in the user profile. I will report that internally.

So, if you go into the HTML DOM and remove the ‘disabled’ attribute, a user can even sign up without checking that checkbox, which obviously isn’t intended.

So, for the moment, I’d recommend even more strongly going with the approach outlined above.
