GDPR requires clear consent and justification for any personal data collected from users, and these guidelines have pushed companies across the internet to revise their privacy policies and collection practices. But there is still widespread uncertainty over how European regulators will treat the requirements, and many companies are still unprepared for enforcement.
Both Google and Facebook have rolled out new policies and products to comply with GDPR, but Schrems’ complaints argue those policies don’t go far enough. In particular, the complaint singles out the way companies obtain consent for the privacy policies, asking users to check a box in order to access services. It’s a widespread practice for online services, but the complaints argue that it forces users into an all-or-nothing choice, a violation of the GDPR’s provisions around particularized consent.
Shrems told the Financial Times that the existing consent systems were clearly noncompliant. “They totally know that it’s going to be a violation,” he said. “They don’t even try to hide it.”
The lawsuits are broken up into specific products, with one filed against Facebook and two others against its Instagram and WhatsApp subsidiaries. A fourth suit was filed against Google’s Android operating system.
