Apple, Google, Facebook, and Amazon are all falling short of new European privacy rules, according to a consumer group which analysed their updated privacy policies.

The tech firms aren't giving people enough information about how they use their data, and why they might need to collect it.

The consumer group, the European Consumer Organisation (BEUC), used artificial intelligence to scan the privacy policies for 14 tech firms.

All the companies face massive fines if they don't comply with the GDPR.



Remember all those endless emails and app notifications about how important your privacy is to tech firms?

That was all about those firms having to obey new European privacy rules, officially known as the GDPR. But a new study from a European consumer group has found that most popular tech companies are falling short of properly obeying the rules.

The consumer group, BEUC, found post-GDPR privacy policies from 14 companies including Apple, Amazon, Facebook, and Google are "vague" and "insufficient." BEUC used artificial intelligence to scan every firm's privacy policy, comprising more than 80,000 words in total.

Monica Goyens, director general of the European said: "A little over a month after the GDPR became applicable, many privacy policies may not meet the standard of the law. This is very concerning. It is key that enforcement authorities take a close look at this."

According to the analysis, Facebook doesn't tell users about how it might use sensitive information that is protected under GDPR, such as religious and political views. While Facebook tells users these are protected categories, it doesn't actually state how the company might use that data should you choose to give it up.

Facebook also doesn't properly explain why it needs people's device data, how people can opt out of tracking on Facebook, and how third parties might use people's information.

BEUC criticised Google's language as "unclear" on how it uses people's information for advertising or other purposes. The group also found Apple's collection of voice and image data worrying, and said the firm didn't give a good enough explanation of how it gathers that information.

And it criticised Amazon for making a "vague threat" to users who don't hand over personal data. Specifically, Amazon tells users who don't disclose their data that some features won't be available to them — but the company isn't clear about what those features are, the report said.

A Facebook spokesperson: "We have worked hard to ensure we meet the requirements of the GDPR, making our policies clearer, our privacy settings easier to find and introducing better tools for people to access, download, and delete their information. We sought input from privacy experts and regulators across Europe as part of these preparations, including our lead regulator the Irish DPC."

The firm added that it was still working to improve people's privacy options.

A Google spokesman said: "We have updated our Privacy Policy in line with the requirements of the GDPR, providing more detail on our practices and describing the information that we collect and use, and the controls that users have, in clear and plain language. We’ve also added new graphics and video explanations, structured the Policy so that users can explore it more easily, and embedded controls to allow users to access relevant privacy settings directly."

Amazon said it believes it is GDPR-compliant and pointed to its privacy help page.

A spokesman said: "Protecting the privacy of our customers is always a top priority and has been built into our services for years. We have introduced a new Privacy Help page that shows customers how they can easily manage and access their information across our retail, entertainment services, and devices, as well as centralized privacy settings for Alexa that give customers control over their data."

Apple declined to comment.

The new rules are seen as a way of controlling the big Silicon Valley firms. They face fines of up to 4% of their annual turnover if they don't comply with the legislation.

Aside from fines, the tech firms are also under threat from lawsuits. BEUC said it was considering legal action. And its report follows $8 billion (£6 billion) in GDPR-related lawsuits filed by the Austrian privacy activist and lawyer Max Schrems.