Facebook has been accused of tricking users with fake notifications to pressure them into agreeing to its GDPR-compliant terms.
A lawsuit, filed by NOYB, a non-profit digital rights organization led by privacy activist Max Schrems, explains how two red “pending” notification dots appear on the message and notification icons when users are shown the new terms of service. They have to agree to the documents, handing Facebook their personal data, in order to investigate those alerts. The complaint says the icons will appear even when there are no notifications.
The General Data Protection Regulation (GDPR) is a strict set of rules passed by the E.U. that gives users more control over their data.
“The controller used additional ‘tricks’ to pressure the users,” the lawsuit reads. “For example, the consent page included two fake red dots that indicated that the user has new messages and notifications, which he/she cannot access without consenting – even if the user did not have such notifications or messages in reality. The only option for a user was therefore to accept the new terms and privacy policy, or to delete the account. There was no option to disagree, opt-out or say no in any other way, shape or form.”
Facebook, for its part, told the Daily Dot that the red notification icons are generic visuals meant to reassure users that the terms they’re agreeing to do, in fact, come from the social platform. The icons were supposedly added so people wouldn’t suspect they were agreeing to a phishing notification.
The company also provided a more detailed statement about its approach to the GDPR.
“We have prepared for the past 18 months to ensure we meet the requirements of the GDPR,” said Erin Egan, Facebook’s chief privacy officer. “We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information. Our work to improve people’s privacy doesn’t stop on May 25th. For example, we’re building Clear History: a way for everyone to see the websites and apps that send us information when you use them, clear this information from your account, and turn off our ability to store it associated with your account going forward.”
Users are not required to agree to Facebook’s updated data policy, but they must agree to the terms of service in order to use Facebook.
NOYB believes Facebook is in violation of Article 5 of the GDPR, which states personal data should be “processed lawfully, fairly and in a transparent manner in relation to the data subject (‘lawfulness, fairness and transparency’).” Gaining clear consent from users to collect their data is among the core tenets of the GDPR. Companies that violate the new privacy regulation face fines of up to 4 percent of their annual turnover. In Facebook’s case, that adds up to €1.4 billion, or about $1.63 billion.
The claim against Facebook over its peculiar method of allegedly getting users to click through the terms of service is one in a series of complaints filed against the social network on May 25, the day the GDPR went live. Google was also caught in the flurry of lawsuits aimed at the two largest advertising players on the internet. Schrems claims the company’s use of checkboxes to agree to data sharing is in violation of the GDPR’s itemized consent, which says users should be able to pick and choose what they agree to.
Schrems also filed a lawsuit against Instagram and WhatsApp for the same $1.63 billion penalties, amounting to a grand total of more than $4.5 billion against Facebook.
Schrems told the Financial Times that the company’s updated terms were far from GDPR-compliant: “They totally know that it’s going to be a violation. They don’t even try to hide it,” he said.
However, Facebook doesn’t believe it’s in violation of the privacy laws.
The GDPR forces companies that do business in the E.U. to adopt new privacy and security practices. Over the past months, tech firms have scrambled to release new terms of service that comply with the regulation, while others have abandoned the E.U. altogether to avoid steep penalties.
Among those not willing to take the risk are popular newspapers under the Tronc and Lee Enterprises media publishing groups, including the Los Angeles Times, the New York Daily News, and the Chicago Tribune.
The spotlight has been pointed squarely at Facebook after it was revealed to have failed to prevent a political data firm from manipulating the personal information of 87 million users. During CEO Mark Zuckerberg’s testimony before Congress, Facebook was frequently criticized for its lengthy, convoluted privacy agreements and terms that force users into an all-or-nothing decision. Under the GDPR, the social giant will need to be more transparent and flexible with how it asks users to hand over their data—or it could face substantial fines.
Editor’s note: This story has been updated for clarity and context.