This article is more than 1 year old

Activists hate them! One weird trick Facebook uses to fool people into accepting GDPR terms

You (actually may not) have a new message waiting for you

Facebook has been accused of purposefully misleading netizens into accepting its GDPR-friendly privacy policy – by tricking them with fake notifications.

Folks are shown the social network's updated terms and conditions to agree to, with what appears to be pending notifications from friends in the top right corner – such as unread messages and other alerts. Netizens have to agree there and then to hand over their personal data to see the awaiting texts and notices, even though none may actually be waiting for them.

Max Schrems

Max Schrems is back: Facebook, Google hit with GDPR complaint


That is just one of the claims against the company in a legal challenge that was filed the day that privacy-protecting GDPR legislation came into force.

Under the European law, companies are required to gain consent before they are allowed to use individuals' personal data – a situation that put info-hoarding Facebook and other tech giants into a difficult bind.

Facebook derives most of its income from gathering as much personal information about people as possible, and then packaging those records to be useful for advertisers. But in order to keep gathering that data it had to get its millions of European users to explicitly agree to it.

We previously covered how Facebook had carefully designed its user interface to make it time-consuming for users to withhold their private information, while repeatedly offering a single button to end the process and give it permission to continue scooping up their personal data. The company also gave lengthy and one-sided arguments for why users should continue to allow it to gather and store their data.

But the Silicon Valley giant took that misdirection one stage further, according to privacy activist Max Schrems' latest lawsuit, when it placed red circles above the two icons at the top of the page that indicate users have received new messages and notifications – a core interactive component of the entire Facebook experience – and implied that you needed to agree to its new terms of service to see them.

facebook dots

Oh look, a message from one of my friends! Message reads: Sucker.

Join the dots

If a user hadn't agreed to Facebook's new terms – which include the continued gathering and storage of their personal data – as the May 25 deadline crept closer, the two red dots appeared even where there weren't any messages or notifications.

"The controller used additional 'tricks' to pressure the users," the legal filing read: "For example, the consent page included two fake red dots that indicated that the user has new messages and notifications, which he/she cannot access without consenting – even if the user did not have such notifications or messages in reality. The only option for a user was therefore to accept the new terms and privacy policy, or to delete the account. There was no option to disagree, opt-out or say no in any other way, shape or form."

This approach, the lawsuit claimed, violated GDPR since it is neither fair nor transparent.

This dots approach and the user-interface fudging came on top of a range of other methods the company used to pressure individuals into agreeing to Facebook's terms. For example, if European users did not go through the Facebook-guided process before the deadline, their account was simply blocked when there was no obvious need for the company to do so.

It also made it hard for punters to find the option to delete their account – which would have killed off the social network's access to their data altogether and was the only other option to agreeing to new terms and conditions – by hiding the delete option in small text below a large colored button that led them back to the Facebook-guided process.

In short, the Mark-Zuckerberg-run biz went to great lengths to get people to unwittingly agree to let it soak up and sell any and all data it gathers about them.

The lawsuit – along with similar ones filed against Google, and two Facebook-owned companies, Instagram and WhatsApp – argues broadly that "forced consent" is not consent. ®

More about


Send us news

Other stories you might like