The report, compiled by academics from two Belgian universities at the request of the Belgian Privacy Commission, found that the changes may fall foul of European law.
In December Facebook announced plans to revise its data use policy, and the changes were brought in last month. Under the updated policy, Facebook has greater ability to track its users as they move around the web, use their profile pictures for commercial purposes, and collect more location data.
"To be clear: the changes introduced in 2015 weren't all that drastic. Most of Facebook's 'new' policies and terms are simply old practices made more explicit. Our analysis indicates, however, that Facebook is acting in violation of European law," the Interdisciplinary Centre for Law & ICT (ICRI), a research centre at the Faculty of Law of KU Leuven and one of the departments whose academics authored the study, writes.
According to the report, Facebook relies too heavily on the use of opt-outs to sig
nify consent. The study says such a strategy is "problematic" in light of the view of Article 29 Working Party, a grouping of European data watchdogs, that inaction does not imply consent.
"As a result, Facebook's opt-out system for advertising does not meet the requirements for legally valid consent," the study says.
The report found that Facebook makes it too hard for users to take control of their privacy, such as by making opt-outs difficult to find, and offers them too few options to do so - for example, users can't opt out of having their name or profile picture used for sponsored stories.
The academics also found the wording of the policy to be too vague - it doesn't go into details of what "advertising purposes" photos may be put to, or provide details on who the "third parties" or "partners" are that Facebook may share user data with. Because of that ambiguity, users can't truly be said to be giving their consent to Facebook's use of their data.
"To be valid, consent must be 'freely given', 'specific', 'informed' and 'unambiguous'. Given the limited information Facebook provides and the absence of meaningful choice with regard to certain processing operations, it is highly questionable whether Facebook's current approach satisfies these requirements," the report says.
Facebook's data usage policy also contains unfair contract terms, according to the study, including limiting its liability to $100 and granting itself rights to unilaterally alter its terms of service. Both such provisions contravene a European Commission consumer protection law.
While the academics note that Facebook has become more explicit about what data is collects for location tracking purposes, such as wi-fi and Bluetooth, it recommends that due to the unique nature of location data, its setting should be opt-in, with all parameters turned off by default. Facebook should also explain in greater detail about how, when, and why it collects users' location data, and make sure it's only collected for as long as it's necessary to offer services that users have requested.
The study underlines how Facebook offers its users a simple choice over the new data use policy: accept it, or stop using the service.
"For many data uses, the only choice for users it to simply 'take-it-or-leave-it'. If they do not accept, they can no longer use Facebook and may miss out on content exclusively shared on this platform. In other words, Facebook leverages its dominant position on the [online social network] market to legitimise the tracking of individuals' behaviour across services and devices."
The Dutch privacy watchdog, College Bescherming Persoonsgegevens, has also raised questions over Facebook's data use policy. Last year, it asked Facebook to delay rolling out the new policy in order for it to investigate the potential consequences for Dutch users of the social network.
A Facebook spokesperson said: "We recently updated our terms and policies to make them more clear and concise, to reflect new product features and to highlight how we're expanding people's control over advertising. We're confident the updates comply with applicable laws. As a company with international headquarters in Dublin, we routinely review product and policy updates including this one with our regulator, the Irish Data Protection Commissioner, who oversees our compliance with the EU Data Protection Directive as implemented under Irish law."
Read more on this story