Facebook is rolling out a handful of privacy-related updates to its platform ahead of a new European Union (EU) data privacy law that goes into effect next month.
The EU’s General Data Protection Regulation (GDPR), which seeks to extend and tighten the scope of data protection law in the EU, takes effect on May 25. And although the jurisdiction is limited to the EU, Facebook has confirmed that some of its privacy changes will later be applied to other regions of the world.
As part of its privacy spring cleaning, Facebook is asking users in some regions to review how the company uses their data, including what personal information they share with Facebook — with prompts to update or remove the information.
While Facebook is keen to put a positive spin on its actions — “We not only want to comply with the law, but also go beyond our obligations to build new and improved privacy experiences for everyone on Facebook,” as the company said in a statement — the social network giant makes it pretty clear what options it wants users to select.
In the example below, where users are invited to update their Facebook preferences around sharing data pertaining to their sexuality, religion, and political views, the “Accept and Continue” button is already highlighted in blue ready for the user’s quivery finger to hit. After all, who wants to go through the pesky process of managing settings?
If there was any doubt about Facebook’s intentions here, it’s worth looking at the terms and conditions options for the upcoming facial recognition feature that will soon be re-introduced to the EU and rolled out in Canada.
By way of a quick recap, Facebook users in the U.S. and other parts of the world have for many years already “enjoyed” Facebook’s facial recognition smarts, a feature that helps automatically identify photos with your face in them. But this feature hasn’t been available in Canada before, and Facebook pulled the feature from Europe following mounting pressure in 2012.
Now, however, Facebook is looking to introduce facial recognition to both Europe and Canada, and users in those regions will soon encounter this option below.
Once again, “Accept and Continue” is pre-highlighted in blue to encourage users to click. And those curious enough to hit the “Manage Data Setting” option are simply presented with two options: “Allow Facebook to recognize me in photos and videos” and “Don’t allow Facebook to recognize me in photos and videos.”
Surely a simple “Decline and Continue” button would have sufficed here, perhaps placed right above the “Accept and Continue” button? The “Manage Data Setting” button is completely redundant, as it doesn’t lead to any additional settings that could not have been placed on the original button.
“We’re now giving people in the EU and Canada the choice to turn on face recognition,” Facebook said. “Using face recognition is entirely optional for anyone on Facebook.”
These statements are technically true. But by designing the interface and consent process in this manner, it’s pretty clear Facebook is leaning closer toward “opt-out” than offering a true “opt-in.”
Dark pattern & ‘privacy zuckering’
Yes, Facebook is once again engaging in dark pattern design, trying to not-so-subtly nudge users into accepting terms by guiding their choices through the design and layout of the interface. The company has a long history of tricking users into sharing more information than they intended to, a practice some have referred to as privacy zuckering after the Facebook CEO and cofounder.
A couple of years ago, for example, when Facebook-owned WhatsApp revealed it would share some user data — such as phone numbers — with its parent company, the process did have an opt-out option. However, the opt-out was very cleverly hidden, with only one option — “Agree” — provided on-screen.
To opt out, you had to click to read the separate terms and conditions, scroll to the bottom, and then uncheck the pre-ticked box.
Last month, WhatsApp agreed to not share information with Facebook in Europe, at least until the GDPR comes into force.
The GDPR explicitly forbids pre-ticked boxes that may trick or pressure users into agreeing to things, thus the latest consent requests made by Facebook exist on very shaky grounds. The GDPR requires a “positive opt-in” and prohibits “pre-ticked boxes or any other method of default consent.” Highlighting a box in blue could arguably be construed as using a method of “default consent” as it is quite clearly positively differentiated from the alternative “Manage Data Setting” option. It will be interesting to see whether EU regulators have anything to say about this latest attempt to garner users’ consent.
Facebook is already facing a class action lawsuit in the U.S. over its historical use of facial recognition technology on users’ photos. And the company is still reeling from the headline-grabbing Cambridge Analytica data scandal. You would think that with all this negative publicity, Facebook would be going all-in to get users’ trust back, but as this latest debacle shows, the company doesn’t seem to have learned many lessons.
Facebook didn’t provide any specific comment on the issues outlined here when contacted by VentureBeat.