A consumer advocacy report by the Norwegian Consumer Council, out Wednesday, said the companies are using "dark patterns," or designs and user interfaces to trick users into unintentionally taking an action, to nudge people "toward the least privacy friendly options to a degree that we consider unethical." The report said Microsoft's Windows 10 is also doing this to a lesser extent.
For example, Facebook users who wanted to opt out of a facial recognition feature are prompted with a warning saying "if you keep face recognition turned off, we won't be able to use this technology if a stranger uses your photo to impersonate you." This framing and wording, the report argues, nudges users toward a decision by making them feel like the alternative is "ethically questionable or risky."
The report also said Facebook, Google and Windows 10 use "misleading wording" and are offering "take-it-or-leave-it choices, and choice architectures where choosing the privacy friendly option requires more effort for the users."
The report said this nudging of users toward "the least privacy friendly options" is unethical, and questions whether consent given in these circumstances is in fact explicit, informed and freely given.
Last month, the European Union's General Protection Privacy Regulation (or GDPR), which raises the standards and stakes of personal data privacy, went into effect. The Norwegian Consumer Council report says the "GDPR settings from Facebook, Google and Windows 10 provide users with granular choices regarding the collection and use of personal data."
In a statement, Google said it has "evolved" its data controls over the years so people can easily understand and use the available tools.
"Feedback from both the research community and our users, along with extensive UI testing, helps us reflect users' privacy preferences," the search giant said. "For example, in the last month alone, we've made further improvements to our Ad Settings and Google Account information and controls."
A Microsoft represented told CNET it's a "priority for Microsoft to ensure that all our products and services will comply with applicable law, including the GDPR."
Facebook didn't immediately respond to CNET's request for comment, but a company representative told Gizmodo: "We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. In the run-up to GDPR, we asked people to review key privacy information which was written in plain language, as well as make choices on three important topics. Our approach complies with the law, follows recommendations from privacy and design experts, and are designed to help people understand how the technology works and their choices."
Eight consumer advocacy groups are now calling on the Federal Trade Commission to "investigate the misleading and manipulative tactics of Google and Facebook in steering users to 'consent to privacy-invasive default settings."
First published June 28, 2:13 p.m. PT.
Update, 3:21 p.m.: Adds comment from Google and Microsoft.
CNET Magazine: Check out a sample of the stories in CNET's newsstand edition.
Cambridge Analytica: Everything you need to know about Facebook's data mining scandal.