The Norwegian Consumer Council, a government-funded agency, has today published a report titled “deceived by design” that accuses Google and Facebook of “manipulation” and giving users “all or nothing choices” when it comes making determinations over how their data is collected or processed.
The report focuses specifically on the General Data Protection Regulation (GDPR) and claims that measures recently introduced by the tech giants run “contrary to the law’s intention to [grant users more] control [over their] personal information.”
The Council has asked the European Data Protection Authority to review whether the policies of the two Silicon Valley based tech organizations are in compliance with the new Regulation.
In the report it highlights what it deems to be psychological tactics to nudge users towards making privacy choices in the interests of tech organizations. It states that research has found that when users are presented with a choice, they’ll typically opt for short-term rewards over long-term gains.
It also argues that user experience professionals, tasked with designing interfaces for tech organizations, are aware of these psychological biases and can nudge users into making decisions that may not be in their best interests.
These interface design decisions are referred to as “dark patterns” and the report claims they can consist of emphasizing scarcity (e.g. a product is about to be “sold out”), rewording text and presenting particular colors.
It also takes aim at the organizations’ default privacy settings and reiterates a central principle of the GDPR that demands data protection by default i.e. users should receive the highest levels of data protection, “even if they do not actively opt-out of the collection and processing of personal data.”
Emphasizing the fact that most users do not change their settings, as well as the fact the GDPR demands that users’ default settings should not allow for more data collection than is necessary to provide a service, the report takes aim at Facebook’s decision to demand users opt-out from having their data utilized for personalized advertising.
It also states that when users agree to Facebook’s data settings, the setting to personalize ads is automatically turned on. Likewise, the report emphasizes Google’s default settings that demands users looking to avoid personalized ads have to opt-out.
Moreover, the report highlights that both organizations have obscured preselected privacy settings so that users who automatically accept their terms or policies will never see the settings.