Despite the new GDPR regulation entering into effect across Europe, Facebook and Google are manipulating users into sharing personal data by leveraging misleading wording and confusing interfaces, according to a report released today by the Norwegian Consumer Council (NCC).

In its 44-page report, the Norwegian agency accuses Google and Facebook of using so-called "dark pattern" user interface elements to "nudge" users towards accepting privacy options.

These dark patterns include misleading privacy-intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy-friendly option requires more effort for the users.

Google and Facebook making users work for their privacy

"Facebook and Google have privacy-intrusive defaults, where users who want the privacy-friendly option have to go through a significantly longer process," the NCC says.

"They even obscure some of these settings so that the user cannot know that the more privacy intrusive option was preselected.

"Choices are worded to compel users to make certain choices, while key information is omitted or downplayed," the NCC says in its report.

Google and Facebook threaten users with loss of service

Furthermore, investigators discovered that both Facebook and Google threaten users with loss of functionality or deletion of the user account if they don't choose the privacy-intrusive options.

The NCC also analyzed the privacy options in Microsoft's Windows 10 operating system but gave the product a generally favorable rating after the agency discovered that Windows 10 was using "privacy by default" settings.

Here are some of the report's conclusions on various topics.

The general conclusion:

All of the services nudge users toward accepting data collection through a combination of positioning and visual cues. However, Facebook and Google go further by requiring a significantly larger amount of steps in order to limit data collection.

Conclusion on privacy dashboard that Google has rolled out to EU users:

By giving users an overwhelming amount of granular choices to micromanage, Google has designed a privacy dashboard that, according to our analysis, actually discourages users from changing or taking control of the settings or delete bulks of data. Simultaneously, as noted above, the presence and claims of complete user control may incentivise users to share more personal data.

Conclusion on Facebook's GDPR popup:

In the end, we conclude that users seem to not have been given a substantial choice, even after going through the extra effort of changing their settings with the intention of using their data protection rights.

Conclusion on the use of dark pattern UI elements:

All three companies presented the settings that maximise data collection as the positive option. Dark patterns such as skewed wording, focus on positives such as “improve services”, glossing over potential negative consequences, and not explaining the full extent of the choices, all serve to nudge users toward allowing wider data collection and use.

Prior to today's report, an Austrian privacy advocate had filed GDPR complaints against Google and Facebook for the same reasons detailed in the NCC report. The complaint was filed hours after GDPR entered into effect across Europe.

If found guilty, the two companies face fines up to €20 million ($24 million) or 4% of their annual global turnover.