
100 points to know about...
Inclusive project management


Notion 21

Consent is the magic word

Target skills

Hear about the necessity of procuring user consent for the realisation of a project

In the previous notion, we saw that GDPR compliance demands ‘prior consent’. What does that mean in concrete terms? And how do you obtain it in the right way?

GDPR revolution in user consent

One of the biggest changes that the GDPR brought about is how businesses obtain valid consent to collect and use personal information from EU citizens. Before the GDPR, there were a variety of ways that consent could be obtained. The GDPR changed that and made consent requirements far more specific and strict.

How to get user consent under GDPR?

According to the European Union, a request for consent is valid if it respects the following conditions:

  • it must be freely given (the individual must have a free choice and must be able to refuse or withdraw consent without being at a disadvantage);
  • it must be informed;
  • it must be given for a specific purpose;
  • all the reasons for the processing must be clearly stated;
  • it must be explicit and given via a positive act (for example an electronic tick-box that the individual has to explicitly check online or a signature on a form);
  • it must use clear and plain language and be clearly visible;
  • it must be possible to withdraw consent, and that fact must be explained (for example an unsubscribe link at the end of an electronic newsletter email).

It is important to differentiate between the new methods of obtaining consent under the GDPR, versus the common "implied consent", which is still widely used today.

What is the difference between browsewrap and clickwrap agreement?

A browsewrap agreement takes place when a website or mobile app posts links to their Privacy Policy throughout the platform. Here, it is assumed that since users have ample opportunity to read the Privacy Policy, they must consent to everything it contains by default.
By contrast, a clickwrap agreement takes place when a user is provided with a link to the Privacy Policy or other terms and must manually click to accept those terms before using the online service.

These two methods of creating a user agreement demonstrate the difference between the GDPR definition of valid consent and the old ways of automatically implying consent.

In other words, a clickwrap agreement is compliant with the GDPR, while a browsewrap agreement is not.

Some examples of NOT obtaining users’ consent

  • If you include a paragraph in your Privacy Policy or Terms that says using your site or app means users consent… you don't get a valid user consent. The user's consent is not given simply because they are browsing or using an online service.
  • It is the same thing for getting consent to a cookies policy through the browsewrap statement "By using this site you agree to the placement of cookies on your computer in accordance with the terms of this policy." This is not compliant with GDPR policy.
  • It doesn’t work either if you post this kind of sentence: "By continuing to browse the site you are agreeing to accept the terms."
  • Do not use pre-ticked checkboxes either when a user registers for your service.

Keep in mind that the user must be informed about the site's use of cookies, etc., AND take a clear, affirmative action to consent to that usage of their personal data.

To go further: