Are Google and Facebook misleading European users into sharing more of their personal data than they think?

According to a new consumer advocacy report from the Norwegian Consumer Council, they most certainly are.

The NCC dropped a 44-page report on Wednesday detailing how three of the world’s biggest tech companies are “nudging” their users through “dark patterns” of user interface designs and carefully crafted wording to agree to privacy settings that share their personal data that the GDPR was setup to protect.

“Dark patterns” are designs and user interfaces that are specifically crafted to trick users into buying, signing up, or taking some other action they did not intend to. The NCC report, titled "Deceived By Design," explains just how these dark patterns are being implemented by internet companies.

In one example, Facebook users looking to opt-out of a facial recognition feature are met with a prompt warning telling them that they "won't be able to use this technology if a stranger uses your photo to impersonate you." In this instance, Facebook has carefully formulated its wording to provide a negative result to your data privacy choice instead of giving their users even a neutral proposition. The report specifically makes the accusation that “Facebook, Google, and Windows 10 have design, symbols, and wording that nudge users away from the privacy-friendly choices.”

Facebook and Google are also accused in the report of providing nothing more than the the “illusion of control” through various methods such as “hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy friendly option requires more effort for the users."

The NCC report goes on to call the “practice of misleading consumers into making certain choices, which may put their privacy at risk,” both unethical and exploitative. The council found that the worst practices came from Google and Facebook, and Microsoft’s Windows 10 used them to a lesser extent.

Google has responded to the report with a statement obtained by Fortune:

"We build privacy and security into our products from the very earliest stages. Over the last 18 months, in preparation for the implementation of the EU's new data protection regulation, we have taken steps to update our products, policies and processes to provide all our users with meaningful data transparency and straightforward controls across all our services. We're constantly evolving these controls based on user experience tests - in the last month alone, we've made further improvements to our Ad Settings and Google Account information and controls."

Facebook also released a statement to Gizmodo that is very reminiscent of the one they gave late last month when privacy activist Max Schrems filed official complaints against tech companies, three of which were against Facebook and the Facebook-owned Instagram and Whatsapp: “We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information.”

Microsoft also told the BBC the following: "We have seen the report from Norway and would like to reinforce that we are committed to GDPR compliance across our cloud services, and provide GDPR-related assurances in our contractual commitments."

As a result of the Norwegian Consumer Council report, eight consumer advocacy groups are calling on the FTC to “investigate the misleading and manipulative tactics of Google and Facebook in steering users to "consent" to privacy-invasive default settings.” These groups include Consumer Watchdog, Electronic Privacy Information Center, Campaign for a Commercial-Free Childhood, Center for Digital Democracy, Consumer Action, Consumer Federation of America, U.S. PIRG and Public Citizen.

In just over a month that the GDPR has been in effect, plenty of action has been taken by privacy activists and consumer advocacy groups against these big tech companies breaching the trust of their users. The question that we’re all waiting to be answer though is which of these companies will be first to face the repercussions of the GDPR and what will the enforcement be?