TECH GIANTS Facebook, Google and Microsoft have been accused of falling foul of GDPR by using so-called 'dark patterns' to manipulate users into accepting privacy options they don't necessarily want to agree to.
That's according to the Norwegian Consumer Council (NCC) - which recently accused Nintendo of illegally denying EU customers refunds - which claims that Facebook, Google and to a lesser extent Microsoft are pushing users away from privacy-friendly options on their services in an "unethical" way.
In a 44-page report titled Designed by Design, the NCC explains that these so-called dark patterns include "privacy intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy-friendly option requires more effort for the users".
It also claims that, in some cases, if users choose not to accept some privacy policies, they are threatened "with loss of functionality or deletion of the user account".
It called out Facebook and its controversial facial recognition functionality as an example, noting that if a user opts to disable the tech, Facebook warns them that they "won't be able to use this technology if a stranger uses your photo to impersonate you".
The NCC also uses Google's convoluted privacy dashboard, which it claims "discourages users from changing or taking control of the settings or delete bulks of data."
And although Microsoft was named and shamed as using these "deceitful" tactics, it received a rare bit of praise for Windows 10, with the Norweigan gov agency applauding the firm's requirement for users to actively opt into data collection.
"The combination of privacy-intrusive defaults and the use of dark patterns nudge users of Facebook and Google, and to a lesser degree Windows 10, towards the least privacy-friendly options to a degree that we consider unethical.
"We question whether this is in accordance with the principles of data protection by default and data protection by design, and if consent given under these circumstances can be said to be explicit, informed and freely given."
In a statement given to the BBC, Google distanced itself from the report, and said it's taken all of the necessary steps to comply with the EU's GDPR laws.
"Over the last 18 months, in preparation for the implementation of the EU's new data protection regulation, we have taken steps to update our products, policies and processes to provide all our users with meaningful data transparency and straightforward controls across all our services," a spokesperson said.
"We're constantly evolving these controls based on user experience tests - in the last month alone, we've made further improvements to our Ad Settings and Google Account information and controls."
Facebook added "We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information."
And Microsoft's statement was much of the same, with Redmond noting that it is "committed to GDPR compliance across our cloud services, and provide GDPR-related assurances in our contractual commitments."
Just a day after GDPR came into force, activist Max Schrems whacked Facebook and Google with £6.7bn in lawsuits, claiming that the firm's measures put in place to comply with the new data laws are simply not good enough. µ
The IoT has gone unsecured for too long, says DCMS and NCSC
Mobile-friendly app will offer a 'desktop-class' experience
Alexa, show me half-arsed implementation
Samsung reportedly orders in 6.66in OLED panels