Norwegian Consumer Council publish a new report on consumer privacy  looking at three digital services that relate to the GDPR

Front page of NCC reportThe Norwegian Consumer Council (NCC) is an interest organisation for consumers funded by the Norwegian government. Part of the NCC work is to promote consumer rights such as privacy, security and balanced contracts in digital products and services.

In the past, NCC have published reports on how mobile apps fail to respect consumer rights  , and how connected devices such as toys lack basic security and privacy-protective measures  .

NCC have published a new report part of their work on consumer privacy and the right to make informed choices. In their latest report, NCC look at user settings updates in three digital services that relate to the new General Data Protection Regulation (GDPR).

In May 2018, European service providers confronted consumers with a wide array of GDPR updates. Amongst these services, users of Facebook, Google's services, and Windows 10 had to click through and approve update messages as part of the companies' attempt to comply with the GDPR. These popups contained references to new user terms, and presented a number of user settings related to the ways that the companies may collect, process, and use personal data. Facebook, Google, and Microsoft were chosen as examples, as they are some of the world's largest digital service-providers. The examples used in NCC report serve to illustrate the problematic aspects that consumers face when using digital services.

As NCC argue, providers of digital services use a vast array of user design techniques in order to nudge users toward clicking and choosing certain options. This is not in itself a problem, but the use of exploitative design choices, or "dark patterns", is arguably an unethical attempt to push consumers toward choices that benefit the service provider.

NCC find that the use of these techniques could in some cases be deceptive and manipulative and we find it relevant to raise questions whether this is in accordance with important data protection principles in the GDPR, such as data protection by design and data protection by default.

You can read the report here  .