Google, Microsoft, and Facebook's GDPR settings 'dupe' users into sharing data

Consumer group brands the firms "unethical" in how they present privacy-centric options

Microsoft, Google and Facebook have been accused of deliberately pushing their users away from selecting privacy-centric options in their services in a fashion deemed "unethical" by the Norwegian Consumer Council.

Studying the tech giants' GDPR privacy settings in its Deceived by Design report, the council came to the conclusion that "dark patterns" were being used to supposedly lead users into selecting settings that do not benefit their privacy.

The report noted that such patterns included the use of misleading wording and default settings that were intrusive to privacy, as well as settings that end up "giving users an illusion of control" and hide away privacy-friendly options, as well as present "take-it-or-leave-it choices".

"Facebook and Google have privacy intrusive defaults, where users who want the privacy friendly option have to go through a significantly longer process," the report noted.

"They even obscure some of these settings so that the user cannot know that the more privacy intrusive option was preselected.

"The pop-ups from Facebook, Google and Windows 10 have design, symbols and wording that nudge users away from the privacy-friendly choices. Choices are worded to compel users to make certain choices, while key information is omitted or downplayed."

Facebook, according to the report, gives the impression that its users have more control over their data than they actually do, while Google's privacy and security dashboard was found to be difficult to navigate, with a maze of options presented to users.

The council did acknowledge that the trio's privacy settings do drill down into the granular details associated with GDPR data collection permissions, but said that at the same time they try to nudge or push consumers towards sharing as much data as possible.

"The combination of privacy-intrusive defaults and the use of dark patterns nudge users of Facebook and Google, and to a lesser degree Windows 10, towards the least privacy-friendly options to a degree that we consider unethical," the report added.

"We question whether this is in accordance with the principles of data protection by default and data protection by design, and if consent given under these circumstances can be said to be explicit, informed and freely given."

Google responded with a widely reported statement, noting it builds privacy and security into its products from the get-go.

"Over the last 18 months, in preparation for the implementation of the EU's new data protection regulation, we have taken steps to update our products, policies and processes to provide all our users with meaningful data transparency and straightforward controls across all our services," a spokesperson for the search giant said.

"We're constantly evolving these controls based on user experience tests - in the last month alone, we've made further improvements to our Ad Settings and Google Account information and controls."

Facebook's response was on the same lines, a spokesperson saying: "We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information."

A Microsoft spokesperson told the BBC: "We have seen the report from Norway and would like to reinforce that we are committed to GDPR compliance across our cloud services, and provide GDPR-related assurances in our contractual commitments."

Featured Resources

BIOS security: The next frontier for endpoint protection

Today’s threats upend traditional security measures

Download now

The role of modern storage in a multi-cloud future

Research exploring the impact of modern storage in defining cloud success

Download now

Enterprise data protection: A four-step plan

An interactive buyers’ guide and checklist

Download now

The total economic impact of Adobe Sign

Cost savings and business benefits enabled by Adobe Sign

Download now

Recommended

ICO to relax GDPR enforcement during coronavirus economic downturn
General Data Protection Regulation (GDPR)

ICO to relax GDPR enforcement during coronavirus economic downturn

16 Apr 2020
The NHS teams up with Apple and Google on coronavirus tracking app
privacy

The NHS teams up with Apple and Google on coronavirus tracking app

14 Apr 2020
Health sites are 'unlawfully' sharing medical data with Facebook and Google
data protection

Health sites are 'unlawfully' sharing medical data with Facebook and Google

7 Apr 2020
Supreme Court rules Morrisons was not liable for 2014 data breach
data protection

Supreme Court rules Morrisons was not liable for 2014 data breach

1 Apr 2020

Most Popular

16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
16 ways to speed up your laptop
Laptops

16 ways to speed up your laptop

16 Sep 2020
Google removes 17 apps infected with evasive ‘Joker’ malware
malware

Google removes 17 apps infected with evasive ‘Joker’ malware

28 Sep 2020