Facebook and Google have manipulated users into sharing data using so-called “dark
patterns,” such as misleading wording and confusing interfaces, according to a report the Norwegian Consumer Council released Wednesday.
The practices nudged users toward accepting privacy options that favored the tech companies rather than themselves, the NCC found.
Facebook and Google have no intention of providing users with an actual choice, the NCC has claimed, and their use of dark patterns constitutes a violation of the General Data Protection Regulation implemented across Europe last month.
Some of the dark patterns: providing misleading privacy-intrusive default settings; hiding privacy-friendly choices; and giving users the illusion of control while at the same time presenting them with take-it-or-leave-it options. Privacy-friendly options — when they are provided — tend to require more effort from the user, according to the NCC.
The companies have been manipulating users into sharing information, the NCC alleged, noting that such behavior shows a lack of respect for individuals or their
personal data and privacy.
Users who declined to choose certain settings were subject to deletion of their accounts in some cases.
The Norwegian trade organization, which has been joined by other
consumer and privacy groups in Europe and in the United States, has
called for European data protection authorities to investigate whether
Facebook and Google — as well as Microsoft to a lesser degree, via its
Windows products — have been acting in accordance with the GDPR and
If the companies are found to be in violation of the GDPR, they could face fines of up to 20 million euros (US$24 million) or 4 percent of their annual global turnover.
When it comes to the collection and sharing of user data, the default settings provided by the tech companies favor the companies over the end user, the NCC concluded.
Users rarely change pre-selected settings, and both Facebook and Google have set the least-friendly privacy choices as their defaults, according to the report.
More worrisome is that the sharing of personal data and the use of targeted advertising routinely are presented as being beneficial to the user, said the NCC. The wording and design suggests users actually benefit from having their data shared. At the same time, users who might want to opt for stricter privacy controls receive warnings about lost functionality.
The NCC singled out Google for designing a privacy dashboard that actually discourages users from changing or even taking control of their settings, and for implying that users benefit from the default settings.
The NCC noted that Facebook users actually are given no substantial choice — even after they take the extra effort to change their respective settings.
Microsoft received some praise for giving equal weight to privacy-friendly and unfriendly options in its Windows 10 operating system settings.
Patterns of Deception
The impact of the report’s findings is not limited to people within Europe.
“Basically, ‘dark matter’ reads like a list of practices that have
been commonplace for years among Web companies that rely on
advertising revenues for survival — particularly Facebook and Google,”
said Charles King, principal analyst at Pund-IT.
“The bigger issue here is that since the EU’s recently implemented
GDPR outlaws those functions, offending companies need to scrub them
out of their sites or risk significant fines,” he told TechNewsWorld.
“The thing is that dark practices are so mundane that they’ve become
pretty scrub-resistant, as the NCC investigation discovered,” King
The companies have been increasingly successful at monetizing data.
“Facebook and Google have built very powerful platforms, businesses
and audiences off the backs of their users’ data,” said Brock Berry, CEO of
“Their platforms are almost a utility to the public, in many ways, that’s operated like a business,” he told TechNewsWorld.
“When they’re divisive in their tactics, they open the doors for
competitors to enter the market, and I hope consumers step up, slow
their usage of these platforms, and test other options that are more
customer/consumer-centric,” Berry added.
“Facebook and Google have a duty
to be consumer-friendly and customer-first focused,” he said. “It’s against
everything they stand for to be surreptitious in their methods of
collecting user data.”
Although the NCC report specifically calls out Facebook and Google, as well as
Microsoft’s Windows 10 operating system, this could be just the
tip of the iceberg in terms of how software firms have been handling the issue of privacy.
“This practice isn’t limited to the big tech companies; almost all
tech companies obfuscate the data they collect about users,” said Josh
Crandall, principal analyst at Netpop Research.
“Most of the data are used for productive purposes, but sometimes
companies have used it for more profit-oriented endeavors that users
may not appreciate,” he told TechNewsWorld.
However, given the severity of the fines that companies may face, the days
of dark patterns could be coming to an end in Europe and the
“Facebook, Google, Microsoft and others are working to address the
problem,” remarked Pund-IT’s King.
“It’s too dangerous and costly for them to ignore, but it also looks
like an issue that defies a simple ‘turn off the spigot’ fix — meaning we’re likely to continue to see similar investigations and findings in the months to come,” he predicted.
“In addition, it should be a
wake-up call for companies affected by GDPR who hope they can somehow
skate under the radar and escape notice,” King said. “Facebook, etc.,
are obviously big fish, but over time the NCC and other GDPR watchdogs
will turn their attention to smaller fry.”