Complaints have been filed against Facebook, Google, Instagram and WhatsApp within hours of the new GDPR data protection law taking effect.
The companies are accused of forcing users to consent to targeted advertising to use the services.
Privacy group noyb.eu led by activist Max Schrems said people were not being given a “free choice”.
If the complaints are upheld, the websites may be forced to change how they operate, and they could be fined.
What’s the issue?
The General Data Protection Regulation (GDPR) is a new EU law that changes how personal data can be collected and used. Even companies based outside the EU must follow the new rules if offering their services in the EU.
In its four complaints, noyb.eu argues that the named companies are in breach of GDPR because they have adopted a “take it or leave it approach”.
The activist group says customers must agree to having their data collected, shared and used for targeted advertising, or delete their accounts.
This, the organisation suggests, falls foul of the new rules because forcing people to accept wide-ranging data collection in exchange for using a service is prohibited under GDPR.
“The GDPR explicitly allows any data processing that is strictly necessary for the service – but using the data additionally for advertisement or to sell it on needs the users’ free opt-in consent,” said noyb.eu in a statement.
“GDPR is very pragmatic on this point: whatever is really necessary for an app is legal without consent, the rest needs a free ‘yes’ or ‘no’ option.”
Privacy advocate Max Schrems said: “Many users do not know yet that this annoying way of pushing people to consent is actually forbidden under GDPR in most cases.”
The complaints were filed by four EU citizens with local regulators in Austria, Belgium, France and Germany.
Analysts and regulators had expected complaints to be filed shortly after the introduction of the law, as organisations and privacy advocates argue over how the law should be interpreted.
Some companies based outside the EU have temporarily blocked their services across Europe to avoid falling foul of the new legislation.
However, others such as Twitter have introduced granular controls that let people opt out of targeted advertising.
Companies that fall foul of GDPR can be – in extreme cases – fined more than £17m.
Facebook said in a statement that it had spent 18 months preparing to make sure it met the requirements of GDPR.