New analysis shows how Facebook and Google push users into sharing personal data

Publisert 27. juni, 2018
Facebook and Google steer us into sharing vast amounts of information about ourselves, through cunning design, privacy invasive defaults, and “take it or leave it”-choices, according to an analysis of the companies’ privacy updates.

As the new General Data Protection Regulation (GDPR) is implemented across Europe, users of digital services have been confronted with new privacy settings through numerous pop-up messages. Unfortunately, The Norwegian Consumer Councils just published analysis demonstrates that companies appear to have little intention of giving users actual choices.

– These companies manipulate us into sharing information about ourselves. This shows a lack of respect for their users, and are circumventing the notion of giving consumers control of their personal data, says Finn Myrstad, director of digital services in the Norwegian Consumer Council.

The Norwegian Consumer Council and several other consumer and privacy groups in Europe and the US are now asking European data protection authorities to investigate whether the companies are acting in accordance with the GDPR and US rules.

Sharing by default

Through the Consumer Council’s analysis of the companies’ privacy pop-ups, it is made evident that consumers are pushed into sharing through;

Standard Settings
Research has shown that users rarely change pre-selected settings. In many cases, both Facebook and Google have set the least privacy friendly choice as the default.

Cunning design choices

Sharing of personal data and the use of targeted advertising are presented as exclusively beneficial through wording and design, often in combination with threats of lost functionality if users decline.

Confusing layout

The privacy friendly choices require significantly more clicks to reach and are often hidden away.
Illusion of choice
In many cases, the services obscure the fact that users have very few actual choices, and that comprehensive data sharing is accepted just by using the service. The feeling of control may also convince users to share more information.

 

– Data protection law requires that companies make it easier for users to make clear and informed choices, and that they let users take control of their own personal data. Unfortunately, this is not the case, which is at odds with the expectations of consumers and the intention of the new Regulation, says Finn Myrstad.

Fem mobiltelefoner med GDPR-varsler.foto

Foto: Forbrukerrådet

Comments from BEUC and Privacy International

Monique Goyens, Director General of The European Consumer Organisation (BEUC):

– Companies have to respect the letter and the spirit of the GDPR. This report demonstrates that many global digital household names still have a long way to go to do just that. European consumer organisations will continue to be vigilant, expose misconduct and work together with regulator to improve the system.

Ailidh Callander, Legal Officer at Privacy International:

– We welcome this analysis by the Norwegian Consumer Council. As GDPR is implemented by companies, it is important to test how companies are making changes to their products and services to ensure that users’ privacy is protected. We call on regulators to investigate further the dark patterns in which NCC’ analysis suggest companies are deploying and engaging.

Report: Deceived by design Letter to the The Norwegian DPA and Consumer Agency