New analysis shows faults with Facebook’s and Google’s GDPR privacy updates

The Norwegian Consumer Council says that Facebook and Google steer users into sharing vast amounts of information about themselves, through cunning design, privacy invasive defaults, and “take it or leave it” choices. The Council analysed the companies’ privacy updates implemented to comply with the GDPR. 

Norway’s Consumer Council and several other consumer and privacy groups in Europe and the US are now asking European Data Protection Authorities to investigate whether the companies are acting in accordance with the GDPR and US rules.

The Council points out that users rarely change pre-selected settings. In many cases, both Facebook and Google have set the least privacy friendly choice as the default. Also, it is often very difficult to find the privacy friendly choices, or they require significantly more clicks to reach.

For example, in the last page of Facebook’s GDPR-popup, users are presented with an apparent choice regarding the new user terms, the Council says. ‘Hidden above the big blue “I accept”-button, the clickable text said “see your options”. Clicking the text leads the user to another choice, between going back and accepting the terms, or deleting their account. Since users potentially have years’ worth of information stored on their profiles, along with their network of friends and associates, this does not seem like much of a choice. Although users will get the option to download their data, the threat of deletion will probably be punishment enough to deter most users, leading them to accepting the terms. This use of an ultimatum is sometimes referred to as a “take it or leave it” situation.’

The Google Privacy Dashboard offers a wide variety of options and settings, but they are spread out through many different pages. In the user test, both initial testers ended up going through between 30 and 40 different links in an attempt to locate the “delete all location data” option. 

See the report, published today.