Insights

Privacy pandemic? The ACCC now takes an interest in privacy

Corporate

Privacy just went viral. If you thought privacy was only under the watch of the Office of the Australian Information Commissioner (OAIC) and the Privacy Act 1988 (Cth), you would be wrong. The Australian Competition and Consumer Commission (ACCC) is also taking an increasing interest in privacy practices, particularly as they relate to misleading and deceptive conduct. In a recent case against Google LLC (Google), the ACCC alleges that Google misled account holders to expand the collection and use of their personal information, engaged in misleading or deceptive conduct and made a false or misleading representation in its privacy policy.

The ACCC's recent action comes after it launched a similar suit in October 2019 and highlights the regulator's willingness to use section 18 of the Australian Consumer Law (ACL) as a mechanism to regulate digital markets. Australian businesses are now firmly on notice that the collection of data, particularly personal information, poses a privacy and consumer law double-threat, prompting the need to consider the interaction between obligations on the handling of data and how consumers are informed about such processes.

As such, this is an issue for serious Board-level attention and the development of policies and procedures to avoid heavy regulatory fines under both regimes.

Businesses playing in digitally-integrated markets, involved in data aggregation, dealing with data sets and "data on demand" may need to incorporate new contractual terms within their services agreements (including in relation to data collection practices) to help manage this evolving regulatory reach.

Key takeaways for businesses

All businesses should take note of the ACCC's focus on section 18 of the ACL as a further means to ensure compliance with privacy obligations. To avoid falling foul, businesses that operate in Australia need to:

  • be aware that statements in personal information collection notices and privacy policies can contain representations to consumers;
  • be clear and accurate about the representations made in collection notices and privacy policies, and ensure that the obligations imposed on the business can be and are adhered to;
  • be aware that informed consent to changes in the use of information will likely only be sufficient where the question and implications can be genuinely understood by consumers;
  • be aware that businesses may be exposed to liabilities under the ACL and the Privacy Act 1988 (Cth) for essentially the same actions;
  • be aware that the ACCC and the Office of the Australian Information Commissioner will be focussing more closely than ever on digital platforms and digitally integrated markets.

A more detailed review of the case

Conduct in relation to consent

  • Google collects information about its users' internet browsing activity on its own services and on Google partner websites which use Google's ad-management technology, DoubleClick (the third party websites).
  • Before 2016, Google only used user data on Google-owned services such as Google Search, Google Maps and YouTube and did not combine information from third party websites.
  • Between 2016 and 2018, Google expanded the scope of personal information collected and began combining third party website personal information with that already stored by Google. Thereby linking users' third party data to other personal information held by Google and enabling the delivery of more targeted advertising.
  • Google prompted users to click "I agree" to a pop-up notification which purported to explain the change to the collection and use of personal information.

The notification stated:

We’ve introduced some optional features for your account, giving you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads.

Under the heading "What changes if you turn on these new features?" Google stated:

  1. More information will be available in your Google Account making it easier for you to review and control.
  2. Google will use this information to make ads across the web more relevant for you.

The regulator considers that the notification only represented that Google was seeking consent to turn on features that would result in:

  • more information being visible in the account holder's Google account; and
  • the use of that information to make advertisements more relevant to account holders.

As a consequence, it is argued that the notification was misleading in contravention of section 18 and/or section 34 of the ACL because consumers could not have properly understood the changes in relation to the collection of information from third party websites and how that information would be used.

Representations in the privacy policy

Throughout the relevant period, Google's privacy policy included a statement that:

"[w]e will not reduce your rights under this Privacy Policy without your explicit consent."

Prior to the implementation of the changes to the third party website information handling, Google's privacy policy stated that it:

"will not combine [third party website cookie information] with personally identifiable information unless we have your opt-in consent."

At the time the changes were being implemented, Google removed this statement and replaced it with:

"[d]epending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google."

The ACCC argues that Google, through its privacy policy, made a representation that it would not reduce its account holders' rights without consent. By altering its policy to permit the use of third party website information, the regulator alleges that Google failed to obtain explicit consent from users as required by the policy.

As a consequence, it is argued that the representation in the privacy policy was misleading in contravention of sections 18, 29 and/or 34 of the ACL to the extent that the change to the privacy policy did reduce its account holders' rights under the privacy policy.

All information on this site is of a general nature only and is not intended to be relied upon as, nor to be a substitute for, specific legal professional advice. No responsibility for the loss occasioned to any person acting on or refraining from action as a result of any material published can be accepted.

Key
Contacts

James Kelly

James Kelly

Lawyer