Facebook and Google introduced new privacy settings in order to comply with Europe’s sweeping new privacy law, the General Data Protection Regulation, but campaigners still aren’t satisfied. Some official complaints on the day the new law went into force, and now others have raised further concerns about how the companies manipulate people into exposing their data.
The issue—which Fortune has noted before—is that some of the privacy settings clearly steer people towards choosing certain options. For example, Facebook’s facial recognition options show users a bright blue box urging them to accept the company scanning their faces for its files, while the option to decline this scanning is hidden inside a page you only see by clicking “manage data settings.”
Consumer groups from a range of European countries, including Norway, the U.K. and France, on Wednesday sent letters to their national privacy regulators, asking them to probe these so-called “dark patterns” tactics. American consumer groups, led by the Electronic Privacy Information Center (EPIC,) are also asking the Federal Trade Commission to look into the practice.
In a report called “Deceived By Design,” the Norwegian Consumer Council accused Facebook and Google—as well as Microsoft with Windows 10, to a lesser extent—of employing “design, symbols and working that nudge users away from the privacy friendly choices.”
Facebook (FB) and Google (GOOGL) come under particular criticism for threatening users “with loss of functionality or deletion of the user account if the user does not choose the privacy intrusive option.”
“These companies manipulate us into sharing information about ourselves,” said Finn Myrstad, the watchdog’s director of digital services. “This shows a lack of respect for their users, and [the companies] are circumventing the notion of giving consumers control of their personal data.”
Is this all illegal, though? The consumer authorities argue it is, because the new EU privacy regime says people have to genuinely consent to having their personal data processed by tech companies. “However, the practices deployed by companies raise questions as to whether consent in this case can be considered informed and freely given,” reads the Norwegian Consumer Council’s letter to that country’s data protection authority.
The letter also says users aren’t “given the full picture” about how their information will be used, and the privacy settings “make it difficult for individuals to protect their personal data.” Both of these may also violate the General Data Protection Regulation (GDPR)—a law that threatens companies with fines of up to 4% of global annual revenues for serious violations.
The earlier complaints about alleged GDPR violations also hinge on the issue of proper consent—there, campaigners say Google and Facebook broke the rules by forcing users to agree to having their data exploited for marketing purposes in order to keep using the companies’ core services, even though marketing is not essential for delivering those core services.
“We build privacy and security into our products from the very earliest stages. Over the last 18 months, in preparation for the implementation of the EU’s new data protection regulation, we have taken steps to update our products, policies and processes to provide all our users with meaningful data transparency and straightforward controls across all our services,” said a Google spokesperson.
The spokesperson added that Google was “constantly evolving these controls based on user experience tests.”
“Our approach complies with the law, follows recommendations from privacy and design experts, and are designed to help people understand how the technology works and their choices,” a Facebook spokesperson said.
This article was updated to include Facebook’s response.