Facebook, Google and Microsoft push users away from privacy-friendly options on their services in an "unethical" way, according to a report by the Norwegian Consumer Council.
It studied the privacy settings of the firms and found a series of "dark patterns", including intrusive default settings and misleading wording.
The firms gave users "an illusion of control", its report suggested.
Both Google and Facebook said user privacy was important to them.
The report - Deceived by Design - was based on user tests which took place in April and May, when all three firms were making changes to their privacy policies to be in compliance with the EU's General Data Protection Regulation (GDPR).
It found examples of:
- privacy-friendly choices being hidden away
- take-it-or-leave-it choices
- privacy-intrusive defaults with a longer process for users who want privacy-friendly options
- some privacy settings being obscured
- pop-ups compelling users to make certain choices, while key information is omitted or downplayed
- no option to postpone decisions
- threats of loss of functionality or deletion of the user account if certain settings are not chosen
For example, Facebook warns anyone who wishes to disable facial recognition that doing so means that the firm "won't be able to use this technology if a stranger uses your photo to impersonate you".
The report concluded that users are often given the illusion of control through their privacy settings, when they are not getting it.
"Facebook gives the user an impression of control over use of third party data to show ads, while it turns out that the control is much more limited than it initially appears," the report said.
"And Google's privacy dashboard promises to let the user easily delete data, but the dashboard turns out to be difficult to navigate, more resembling a maze than a tool for user control," it added.
Microsoft received praise for giving equal weight to privacy-friendly and unfriendly options in its set-up process in Windows 10.
The consumer watchdog concluded: "The combination of privacy-intrusive defaults and the use of dark patterns nudge users of Facebook and Google, and to a lesser degree Windows 10, towards the least privacy-friendly options to a degree that we consider unethical.
"We question whether this is in accordance with the principles of data protection by default and data protection by design, and if consent given under these circumstances can be said to be explicit, informed and freely given."
In response, Google said: "Over the last 18 months, in preparation for the implementation of the EU's new data protection regulation, we have taken steps to update our products, policies and processes to provide all our users with meaningful data transparency and straightforward controls across all our services.
"We're constantly evolving these controls based on user experience tests - in the last month alone, we've made further improvements to our Ad Settings and Google Account information and controls."
Facebook said: "We have prepared for the past 18 months to ensure we meet the requirements of the GDPR. We have made our policies clearer, our privacy settings easier to find and introduced better tools for people to access, download, and delete their information."
Microsoft told the BBC: "We have seen the report from Norway and would like to reinforce that we are committed to GDPR compliance across our cloud services, and provide GDPR-related assurances in our contractual commitments."
Shortly after GDPR came into force in May, Google and Facebook were accused of breaking the laws by privacy group noyb.eu, set up by activist Max Schrems.
It complained that people were not being given a free choice when it came to choosing new privacy settings.