A consumer advocacy report by the Norwegian Consumer Council, out Wednesday, said the companies are using "dark patterns," or designs and user interfaces to trick users into unintentionally taking an action, to nudge people "toward the least privacy friendly options to a degree that we consider unethical." The report said Microsoft's Windows 10 is also doing this to a lesser extent.
For example, Facebook users who wanted to opt out of a facial recognition feature are prompted with a warning saying "if you keep face recognition turned off, we won't be able to use this technology if a stranger uses your photo to impersonate you." This framing and wording, the report argues, nudges users toward a decision by making them feel like the alternative is "ethically questionable or risky."
The report also said that Facebook, Google and Windows 10 use "misleading wording" and are offering "take-it-or-leave-it choices, and choice architectures where choosing the privacy friendly option requires more effort for the users."
The report said this nudging of users toward "the least privacy friendly options" is unethical, and questions whether consent given in these circumstances is in fact explicit, informed and freely given.
Last month, the European Union's General Protection Privacy Regulation (or GDPR), which raises the standards and stakes of personal data privacy, went into effect. The Norwegian Consumer Council report says the "GDPR settings from Facebook, Google and Windows 10 provide users with granular choices regarding the collection and use of personal data."
Google, Facebook and Microsoft didn't immediately respond to CNET's request for comment.
In a statement to Fortune, Google said: "We build privacy and security into our products from the very earliest stages. Over the last 18 months, in preparation for the implementation of the EU's new data protection regulation, we have taken steps to update our products, policies and processes to provide all our users with meaningful data transparency and straightforward controls across all our services."
A Facebook representative told Gizmodo: "We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. In the run-up to GDPR, we asked people to review key privacy information which was written in plain language, as well as make choices on three important topics. Our approach complies with the law, follows recommendations from privacy and design experts, and are designed to help people understand how the technology works and their choices."
And Microsoft told the BBC, "We have seen the report from Norway and would like to reinforce that we are committed to GDPR compliance across our cloud services, and provide GDPR-related assurances in our contractual commitments."
Eight consumer advocacy groups are now calling on the Federal Trade Commission to "investigate the misleading and manipulative tactics of Google and Facebook in steering users to 'consent to privacy-invasive default settings."