Updated: Apr 13, 2020
We’ve all had our fair share of pop-up privacy notifications from popular websites and services. In fact, you’ve probably noticed these notifications popping up on your phone and in your email, and although they might annoy a few, they are actually intended to keep service providers compliant and on track with the rules of GDPR.
As you should already be aware (if you’re on this site!) The regulation ensures that the companies you share your personal data with cannot use or process your personal data without your consent, making transparency and data privacy a top priority.
Tech trio, Facebook, Microsoft and Google have been compliant with the regulation, seemingly keen on staying on the right side of the European Law. However, careful analysis on these pop-ups has led privacy advocates to believe that the three digital giants are employing subtle psychological tricks (“dark patterns”) on their users designed to push users away from privacy-friendly options on their services as reported by the Norwegian Consumer Council.
In the report Deceived by Design, the Norwegian Consumer Council (Forbrukerrådet) called out tech giants, Facebook, Google and Microsoft for using “dark patterns” on users. The report focused on data protection by design and default (one of the key principles of GDPR) which aimed to protect user privacy and ensure transparency in the user data processing. This would push services to make protection a default option rather than something that the user must work to enable. The privacy security issue was brought to light when Forbrukerrådet, along with a number of privacy advocacy groups wrote to the Chair of the European Data Protection Board, the EU body in charge of the application of GDPR. This prompted BEUC (an umbrella group of 43 European consumer organizations), Privacy International, ANEC (a group promoting European consumer rights in standardization), and Consumers International to take action against the deliberate user privacy threat.
Deceived by Design was based on user tests which took place during the time when all three firms were making changes to their privacy policies to be in compliance with the EU’s GDPR. Results of the test put the three digital giants under heat for their manipulative methods which include intrusive default settings and misleading wording. For example, Facebook would warn any of its users who wishes to disable facial recognition that the company “won’t be able to use this technology if a stranger uses your photo to impersonate you”. The report concluded that the firms give users “an illusion of control” while unknowingly giving up their privacy.
Facebook was slammed when its GDPR pop-up failed the data protection by default test. It was found out that the company forces its users to opt for a data management setting that would switch off ads using data from third parties, instead of letting users simply hit the “accept and continue” button that would automatically turn the advertising delivery method on. The firm’s default facial recognition technology also raised privacy concerns because it had to make users go through multiple clicks just to turn it off.
Facebook also makes it seem to users that turning the facial recognition off is unethical. Moreover, they failed to disclose how the company intends to use its facial recognition technology. Google fared slightly better than the former. Although users had to access a privacy dashboard in order to manage their ad personalization settings, they’ve excluded options to history, device information, voice activity and store location by default. Microsoft was able to give equal weight to its privacy-friendly and unfriendly options in its Windows 10 set-up process, thus the firm was only guilty to a lesser degree.
The report emphasizes just how important it is to pay attention to GDPR notifications and taking the time to read what service providers are asking for even if it meant spending a few more minutes before accessing your favourite sites. In the digital world where almost everything you put on the cloud stays on the cloud, watching out for dark patterns is just a cheap price to pay.