Late next month, the European Union’s GDPR will go into effect. The General Data Protection Regulation is a significant change to privacy law that even countries based outside of Europe must comply with (because the internet is, you know, global and borderless). The thrust of the GDPR is that it requires informed consent from users when a tech company wants to collect personal information, and it requires users to be able to revoke that permission and view all of the data a company holds on them.
Ahead of the law going into effect on May 25, tech companies are reviewing their privacy policies, updating them, and building tools to let users review the permissions they’ve granted and change them. In a briefing attended yesterday by TechCrunch, Facebook demoed its GDPR review process, which underwhelmed those in attendance. The process, according to Josh Constine, is clearly designed to keep people from changing their privacy permissions or leaving the service entirely.
As you’ll see at each step, you can hit the pretty blue “Accept And Continue” button regardless of whether you’ve scrolled through the information. If you hit the ugly grey “Manage Settings” button, you have to go through an interstitial where Facebook makes it’s argument trying to deter you from removing the info before letting you make and save your choice. It feels obviously designed to get users to breeze through it by offering no resistance to continue, but friction if you want to make changes.
Some of the choices Facebook presents users with takes an “all or nothing” approach. Users who don’t want to be targeted with info they put into Facebook’s personality categories need to remove that info from their profile entirely. For facial recognition, if a user wants to be notified of potential photos of them uploaded by other users, they also need to consent to being a suggested friend to tag in said photo.
When it comes to the terms of service, Facebook users can hit the big, blue “I Accept” button, or click on “a tiny ‘see your options’ hyperlink” to be taken to a page where Facebook tries its best to prevent you from leaving the site.
First, Facebook doesn’t mention its temporary deactivation option, just the scary permanent delete option. Facebook recommends downloading your data before deleting your account, which you should. But the fact that you’ll have to wait (often a few hours) before you can download your data could push users to delay deletion and perhaps never resume. And only if you keep scrolling do you get to another tiny “I’m ready to delete my account” hyperlink instead of a real button.
There are also controls for teenagers. If users between 13 and 15 have added their religious views, political views, or sexual preference to their profile, they need parental consent to keep them up. The process, via TechCrunch: “Users merely select one of their Facebook friends or enter an email address, and that person is asked to give consent for their ‘child’ to share sensitive info.” So basically anyone, including a fake account set up by the underage user, can give approval.
All of this led Constine, and others in the room reportedly, to conclude that Facebook’s compliance with the GDPR was following the letter of the law but not the spirit. The review process is designed to keep people on Facebook through laziness or convenience, while not agreeing to the terms sends users through an arduous process. If one were to read a little further into it, the design tricks imply that Facebook is worried that users will abandon the platform if not steered in one direction.