Google, Facebook ‘Deceive’ Users On GDPR Data Choices

Matthew Broersma,

The internet giants’ new privacy controls don’t obtain the explicit, informed consent required by European law, consumer groups claim

Google and Facebook may be breaking the newly introduced General Data Protection Regulation (GDPR) with “dark patterns” that effectively trick users into choosing privacy-intrusive options, campaigners have said.

A group of eight consumer campaign groups sent an open letter to the US’ Federal Trade Commission (FTC) this week asking the regulator to open a probe into practices by the two internet giants that they say are “deceptive”.

Those tactics also go against the spirit of the GDPR, which enables European regulators to impose fines of up to 4 percent of a company’s global annual turnover for serious violations.

The groups based their charges on findings detailed in a new report by the Norwegian Consumer Council.

Facebook chief executive Mark Zuckerberg at Facebook's Parse Developer Day, 2013. Credit: FacebookExplicit consent?

The report, called “Deceived by Design”, details what it calls deceptive practices, such as the use of pop-up messages to manipulate users into accepting privacy settings that disclose far more personal information than are necessary to deliver the sites’ services.

The GDPR requires users to explicitly consent to online services’ user data settings, as opposed to implicitly consenting by, for instance, continuing to use the service.

It also requires companies to make permanently available a dashboard that allows users to control how their data is used, including requesting that it be deleted entirely.

Google and Facebook do now, in fact, make such controls available, meaning that options are now available for placing limits on how their online services acquire and process personal information.

But the Norwegian report found that those controls were often “hidden away”, and at minimum require “significantly more clicks” to access than the more intrusive default options.

Deceptive presentation

Data processing options are presented deceptively, with disclosure of personal information presented as beneficial to users, the study argues. It also states that, since users are required to disclose some personal information to use the services, the controls offered are more limited than they appear.

“Companies employ numerous tricks and tactics to nudge consumers toward giving consent to disclosing as much data as possible for as many purposes as possible,” the groups wrote in their letter.

“The practices highlighted in this report raise significant issues, including whether these companies are upholding their promises to comply with the GDPR, and whether these tactics constitute unfair and deceptive trade practices under Section 5 of the FTC Act.”

The study found that Google and Facebook threaten users with loss of functionality if certain settings are not chosen, deceptively making information disclosure appear more essential than it really is.

For instance, users who want to disable facial recognition are warned the company “won’t be able to use this technology if a stranger uses your photo to impersonate you”.

security and privacyData options ‘maze’

Users are urged with a bright blue box to accept the facial recognition feature, which scans the users’ photos and tags images in which they appear, while the option of disabling the feature is hidden away in a “manage data settings” page.

Google’s privacy dashboard, meanwhile, is “difficult to navigate,” resembling more  “a maze than a tool for user control”, the Norwegian report added.

Microsoft was less aggressive in its manipulation of users in Windows 10, giving intrusive and privacy-friendly options equal weight in the operating system’s set-up process, according to the report.

“The combination of privacy-intrusive defaults and the use of dark patterns nudge users of Facebook and Google, and to a lesser degree Windows 10, towards the least privacy-friendly options to a degree that we consider unethical,” the Norwegian Consumer Council concluded.

“We question whether this is in accordance with the principles of data protection by default and data protection by design, and if consent given under these circumstances can be said to be explicit, informed and freely given.”

Privacy improvements

Google said it provided users with “meaningful data transparency and straightforward controls” across all its services, and continues to “evolve” the controls based on user experience tests.

Facebook said that in preparation for the GDPR it has “made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information”.

Microsoft said it was committed to GDPR compliance and to providing GDPR-related assurances in its contractual commitments.

How much do you know about privacy? Try our quiz!