The Norwegian Consumer Council found that the US tech giants' privacy updates clash with the new General Data Protection Regulation (GDPR), which forces companies to clarify what choices people have when sharing private information.
“These companies manipulate us into sharing information about ourselves,” the council's director of digital services, Finn Myrstad, said in a statement.
“(This) is at odds with the expectations of consumers and the intention of the new Regulation,” the 2018 study, entitled “Deceived By Design”, concluded.
Myrstad said the practices showed “a lack of respect for their users, and are circumventing the notion of giving consumers control of their personal data”.
The case for the new laws has been boosted by the recent scandal over the harvesting of Facebook users' data by British consultancy Cambridge Analytica for the 2016 US presidential election.
Information for the report was collected from mid-April to early June, a few weeks after the EU rules came into force.
The report exposed that Facebook and Google often set the least privacy-friendly option as a default and that users rarely change pre-selected settings.
Privacy-friendly choices “require more clicks and are often hidden,” it said.
“In many cases, the services obscure the fact that users have very few actual choices, and that comprehensive data sharing is accepted just by using the service,” the study said.
But Facebook on Wednesday denied covering up the options for users and said they had prepared for 18 months to meet the GDPR requirements.
“We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information,” the company's spokesman told Norwegian public broadcaster NRK.
The EU has billed the GDPR as the biggest shake-up of data privacy regulations since the birth of the web.
The social media giant and Google separately already face their first official complaints under the new law after an Austrian privacy campaigner accused them of forcing users to give their consent to the use of their
Companies can be fined up to 20 million euros or four percent of annual global turnover for breaching the strict new data rules for the European Union, a market of 500 million people.