Despite the new GDPR regulation entering into effect across Europe, Facebook and Google are manipulating users into sharing personal data by leveraging misleading wording and confusing interfaces, according to a report released today by the Norwegian Consumer Council (NCC).
The dark patterns described in the report include misleading privacy-intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy-friendly option requires more effort from users.
"Facebook and Google have privacy-intrusive defaults, where users who want the privacy-friendly option have to go through a significantly longer process," the NCC says.
"They even obscure some of these settings so that the user cannot know that the more privacy intrusive option was preselected.
"Choices are worded to compel users to make certain choices, while key information is omitted or downplayed," the NCC says in its report.
Furthermore, investigators discovered that both Facebook and Google threaten users with loss of functionality or deletion of the user account if they don't choose the privacy-intrusive options.
The NCC also analyzed the privacy options in Microsoft's Windows 10 operating system but gave the product a generally favorable rating after the agency discovered that Windows 10 was using "privacy by default" settings.
Here are some of the report's conclusions on various topics.
The general conclusion:
Conclusion on the privacy dashboard that Google has rolled out to EU users:
Conclusion on Facebook's GDPR popup:
Conclusion on the use of dark pattern UI elements:
Prior to today's report, an Austrian privacy advocate had filed GDPR complaints against Google and Facebook for the same reasons detailed in the NCC report. The complaint was filed hours after GDPR entered into effect across Europe.
If found guilty, the two companies face fines of up to €20 million ($24 million) or 4% of their annual global turnover.