Privacy policies from companies including Facebook, Google and Amazon don’t fully meet the requirements of GDPR, according to the pan-European consumer group BEUC.
An analysis of policies from 14 of the largest internet companies shows they use unclear language, claim “potentially problematic” rights, and provide insufficient information for users to judge what they are agreeing to.
“A little over a month after the GDPR became applicable, many privacy policies may not meet the standard of the law,” said Monique Goyens, BEUC’s director general. “This is very concerning. It is key that enforcement authorities take a close look at this.”
The group analysed the privacy policies on a sentence-by-sentence basis, flagging up lines that were vague or overreaching. When Google, for instance, tells users that “we collect information about your activity in our services, which we use to do things like recommend a YouTube video you might like”, it is flagged as “unclear”, for not completely specifying what the information is used for.
Amazon warns users that “our business changes constantly and our Privacy Notice will change also”, a line that is noted as “problematic permissions”, because it could give the company the right to change privacy policies without securing further consent.
BEUC hopes train an AI model, in conjunction with the European University Institute in Florence, to automatically scan privacy policies and detect clauses that may fail to meet GDPR requirements.
Their analysis follows the filing of legal complaints against Facebook and Google on the day that GDPR came in to effect.
In the complaints, related to Facebook, Instagram, WhatsApp and Google’s Android operating system, European consumer rights organisation Noyb argued that the companies have forced users into agreeing to new terms of service, in breach of the requirement in the law that such consent should be freely given.
Max Schrems, the chair of Noyb, said at the time: “Facebook has even blocked accounts of users who have not given consent. In the end users only had the choice to delete the account or hit the agree button. That’s not a free choice, it more reminds of a North Korean election process.”
In a statement, Amazon said: “Protecting the privacy of our customers is always a top priority and has been built into our services for years.
“We have introduced a new Privacy Help page that shows customers how they can easily manage and access their information across our retail, entertainment services, and devices, as well as centralised privacy settings for Alexa that give customers control over their data.”
Google told the Guardian: “We have updated our Privacy Policy in line with the requirements of the GDPR, providing more detail on our practices and describing the information that we collect and use, and the controls that users have, in clear and plain language.
“We’ve also added new graphics and video explanations, structured the Policy so that users can explore it more easily, and embedded controls to allow users to access relevant privacy settings directly.”
Facebook has been contacted for comment.