Researchers in the U.S. and abroad say that privacy controls on Facebook and other platforms "nudge" users toward sharing the maximum amount of data through the design and language of the privacy settings.
Consumers Union, the advocacy division of Consumer Reports, which helmed a study of Facebook in the wake of the Cambridge Analytica third-party sharing fiasco that led to congressional hearings and increased scrutiny, said it is calling for an FTC investigation.
Facebook has also taken heat for reports it was sharing user information with device makers, including Chinese telecoms.
Consumers Union said the Consumer Reports study found "privacy-intrusive default settings, misleading wording, giving users an illusion of control, hiding away privacy-friendly choices, take-it-or-leave-it choices, and choice architectures where choosing the privacy-friendly option requires more effort for the users."
Facebook's business model relies on monetizing user data through targeted advertising.
Facebook is already being investigated by the FTC over whether the Cambridge Analytica sharing constituted a breach of a 2011 consent decree settling allegations Facebook deceived consumers by not keeping its privacy promises. The FTC is authorized to enforce such pledges under its Sec. 5 (unfair and deceptive practices) authority.
In the "nudging" department, Consumers Union said in Consumer Reports' online story about the study that Facebook users "can’t make changes to default settings before completing the sign-up process. Facebook also directs new users through a confusing dashboard of policies to learn how to change settings, and in some instances users need to perform a dozen or more clicks and swipes to find and adjust the appropriate settings."
While Facebook has a lot of privacy controls, they aren't easy to find, the study concluded. Facebook has said it is working to make its setting easier to use with a Privacy Shortcuts feature. The company had not returned a request for comment at press time.
Facebook has created an ad campaign promising the public that things are changing and it will be better protecting their data.
Consumer Reports pointed out in its story that, "like most websites, CR.org also collects user data."
The Consumer Reports study is being released at the same time as a Norwegian Consumer Council report, Deceived by Design, looking at the pop-up privacy boxes announcing companies' new privacy policies in Europe in the wake of the enhanced privacy framework -- General Data Protection Regulation or GDPR -- adopted by the EU in May.
The NCC looked at Facebook, Google and Microsoft and concluded that both Facebook and Google erect obstacles to privacy-friendly options required under the rules. Google had not responded to a request for comment at press time.
Jeff Chester, executive director of the Center for Digital Democracy, said that almost two dozen organizations in Europe are part of a letter-writing campaign to seven different regulatory jurisdictions.
The FTC is in the spotlight when it comes to overseeing online privacy since it is getting primary responsibility for both ISP and edge practices with the reclassification of internet access as an information service under the FCC's network-neutrality rules rollback.