Google privacy flowchart. Image credit: NWCThe Norwegian Consumer Council (NCC), a government agency established in Norway with the purpose of protecting consumers’ rights, has released a new analysis in which it accuses Google and Facebook of using user interface (UI) “dark patterns” to capture data from potentially unwilling users.
Dark patterns represent a UI design crafted with the purpose of tricking users into agreeing with things that are not necessarily in their interest.
Deceived by Design
Both Google and Facebook have constantly repeated that their users’ privacy is important to them, even as the privacy scandals or lawsuits against them have kept ramping up. The NCC released a report, called "Deceived By Design," that says these two companies routinely “deceive” users through the interface design they pick for pages where a user may have to consent to giving up their data.
The report says Google and Facebook have “privacy-intrusive default settings” and misleading wording, giving users a false sense of control. The two companies also hide away certain privacy-focused options or present their users with a “take it or leave it” choice.
Facebook GDPR popup
NCC also notes that the design elements on Google and Facebook platforms nudge users away from the privacy-friendly choices. The choices are also worded in a way to compel users to enable the features that the companies want them to enable. Google and Facebook also threaten users with account deletion if users don't select the so-called privacy intrusive option.
Facebook privacy settings mobile
Facebook gives users the impression of control over what third parties can do with their data, something Mark Zuckerberg has emphasized in the recent Congressional hearings, but in reality the platform offers users limited control, NCC claims. NCC also accused Google of making deleting data it stories on users and navigation of its privacy dashboard too difficult.
GDPR Compliance in Question
NCC questioned whether or not Google and Facebook are in compliance with the European Union's (EU's) General Data Protection Regulation (GDPR), which took effect in May, when they employ tactics that trick users into freely giving their “consent.” The principle of freely given consent, as required by GDPR, may have been violated when users aren’t aware that more privacy-friendly options are available to them, or when the companies threaten them with account deletion otherwise.
None Of Your Business (nyob), a European civil rights non-profit founded by privacy activist Max Schrems, has already filed a complaint in the EU against Google and Facebook for billions of dollars over the companies’ similar violations under the GDPR. Schrems will likely use this report by the NCC to strengthen his case, so it remains to be seen if Google and Facebook will react by moving away from their use of UI dark patterns.