On day one of Europe’s new data regime, the General Data Protection Regulation, privacy watchdogs filed complaints alleging violations by Facebook and Google.
They accused the internet companies of flouting GDPR because they appear to force consumers to agree to their terms of service. The new regulations guide how companies can collect and use data, what kind of disclosures they must make to consumers and when and how to seek consent.
As the rules took effect on Friday, websites, apps and electronic services across Europe were displaying pop-up messages notifying users about new data policies and asking for their permission.
Facebook, for instance, has been guiding European consumers through a series of policy updates about the type of data it collects in user profiles, how it can use data collected from outside websites, and its facial recognition services. While Facebook lets users decline enrolling in certain features like face recognition, it forces them to accept the overall terms of service in order to proceed to the social network.
Google offers a similarly mandatory notice on Android phones, where users who don’t accept the terms of service are not able to use the devices.
On Friday, those “forced consent” tactics were the first to come under scrutiny by European privacy advocates. They filed complaints in four countries against Google, Facebook, Instagram and WhatsApp. (Facebook owns Instagram and WhatsApp.)
“Facebook has even blocked accounts of users who have not given consent,” said Max Schrems, a privacy activist with NOYB, also known as None Of Your Business, in a statement. “In the end users only had the choice to delete the account or hit the ‘agree’ button. That’s not a free choice, it more reminds of a North Korean election process.”
The idea of “forced consent” was expected to be a focus of privacy advocates. Their argument is that the internet companies should offer their services without making consumers “accept” data collection for targeted advertising.
However, GDPR does allow companies to collect and use data if it is essential to the operation of their businesses, and that will likely be the argument internet companies will make.
“We have prepared for the past 18 months to ensure we meet the requirements of the GDPR,” Erin Egan, Facebook’s chief privacy officer, said in an e-mail statement. “We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. Our work to improve people’s privacy doesn’t stop on May 25.”
Facebook declined further comment on the specifics of the complaint. Google was not immediately available for comment.
Privacy advocates also took issue with how Facebook has been notifying European consumers of their data options, characterizing its procedures as manipulative and designed to pressure people into consenting.
They claim Facebook would tempt consumers to accept its terms and conditions by planting misleading notification messages—the little red bubbles in the icons at the top of the Facebook home screen that pop up when someone has a direct message.
Here’s how the complaint describes an alleged ruse to make people think they had messages to entice them to click through the consent forms:
The controller used additional ‘tricks’ to pressure the users: For example, the consent page included two fake red dots (violation against Article 5(1)(a)—neither ‘fair,’ nor ‘transparent’), that indicated that the user has new messages and notifications, which he/she cannot access without consenting—even if the user did not have such notifications or messages in reality.
Companies found to violate GDPR could be fined up to 4 percent of their yearly revenue.