$60 million reasons to get your privacy practices right
As the digital world continues to expand, users of these digital platforms may find that their privacy is at risk. Businesses need to consider privacy expansively, both from the “privacy” perspective, as well as the “consumer” perspective.
Google has recently received the first public enforcement outcome arising out of the Digital Platforms Inquiry (Inquiry) conducted by the Australian Competition and Consumer Commission (ACCC). On top of this, the Courts handed Google one of the largest penalties since the maximum fines for breaching the Australian Consumer Law (ACL) were increased in 2018.
Google and the ACCC
In December 2017, the ACCC was directed to conduct the Inquiry, looking at the effect that digital platforms have on competition in the market..
The ACCC’s investigations following the Inquiry resulted in Google being ordered to pay $60 million for making misleading representations to Australian consumers about the collection and use of their personal information (location data on Android phones) between January 2017 and December 2018.
Data collection and user transparency
Google was found to have represented to Android users (Users) that there was only one setting that affected whether Google collected, kept and used personal information about the user’s location – this setting was titled “location history”. However, the additional “web & app activity” setting also affected whether Google could collect, store and use users’ location data. The issue was that this additional setting was turned on by default, and users were not aware of how this setting affected their personal location data. If users were aware of this additional setting, would made a different choice and turned it off?
The ACCC estimated that approximately 1.3 million users in Australia may have viewed the conduct that was found to breach the ACL.
The majority of Google’s conduct occurred prior to the maximum penalty increasing in September 2018. We can therefore assume that if Google had engaged in this conduct more recently, the penalties would be substantially higher.
How should businesses think about digital Privacy?
In the context of privacy, this case is noteworthy as it is the first court case arising out of the ACCC’s Inquiry. The case was brought by the ACCC on consumer protection and “misleading and deceptive conduct” grounds, and not on “privacy grounds” by the Australian Privacy Regulator, the Office of the Australian Information Commissioner (OAIC).
Data protection and privacy compliance should not be considered on its own through the traditional “privacy” and “OAIC” lens. Rather, privacy needs to be considered far more expansively, from the “misleading and deceptive conduct” and “ACCC” perspective as well.
As the ACCC brings greater focus to “unfair terms” in standard form consumer and small-business contracts (which privacy statements and privacy consent requests may well be), we may also see “privacy” cases brought by the ACCC under this guise.
Top privacy considerations for businesses
- Businesses must be accurate, truthful and transparent about the types of personal information they collect, and how that personal information is used. This extends to the content of the privacy policy, collection statements, notification statements and consent requests etc used by the business.
- Imposing significant penalties and enforcing them, hopes to send a strong message to digital platforms and other businesses, large and small, that they must not mislead consumers about how their personal information is being collected and used.
- Businesses need to have expansive thinking when considering privacy, through the OAIC lens of privacy, as well as through the consumer protection lens of the ACCC.
For further information or a review of your privacy documentation, please contact one of our Privacy experts.
The information contained in this article is general in nature and cannot be relied on as legal advice nor does it create an engagement. Please contact one of our lawyers listed above for advice about your specific situation.
more
insights
stay up to date with our news & insights
$60 million reasons to get your privacy practices right
As the digital world continues to expand, users of these digital platforms may find that their privacy is at risk. Businesses need to consider privacy expansively, both from the “privacy” perspective, as well as the “consumer” perspective.
Google has recently received the first public enforcement outcome arising out of the Digital Platforms Inquiry (Inquiry) conducted by the Australian Competition and Consumer Commission (ACCC). On top of this, the Courts handed Google one of the largest penalties since the maximum fines for breaching the Australian Consumer Law (ACL) were increased in 2018.
Google and the ACCC
In December 2017, the ACCC was directed to conduct the Inquiry, looking at the effect that digital platforms have on competition in the market..
The ACCC’s investigations following the Inquiry resulted in Google being ordered to pay $60 million for making misleading representations to Australian consumers about the collection and use of their personal information (location data on Android phones) between January 2017 and December 2018.
Data collection and user transparency
Google was found to have represented to Android users (Users) that there was only one setting that affected whether Google collected, kept and used personal information about the user’s location – this setting was titled “location history”. However, the additional “web & app activity” setting also affected whether Google could collect, store and use users’ location data. The issue was that this additional setting was turned on by default, and users were not aware of how this setting affected their personal location data. If users were aware of this additional setting, would made a different choice and turned it off?
The ACCC estimated that approximately 1.3 million users in Australia may have viewed the conduct that was found to breach the ACL.
The majority of Google’s conduct occurred prior to the maximum penalty increasing in September 2018. We can therefore assume that if Google had engaged in this conduct more recently, the penalties would be substantially higher.
How should businesses think about digital Privacy?
In the context of privacy, this case is noteworthy as it is the first court case arising out of the ACCC’s Inquiry. The case was brought by the ACCC on consumer protection and “misleading and deceptive conduct” grounds, and not on “privacy grounds” by the Australian Privacy Regulator, the Office of the Australian Information Commissioner (OAIC).
Data protection and privacy compliance should not be considered on its own through the traditional “privacy” and “OAIC” lens. Rather, privacy needs to be considered far more expansively, from the “misleading and deceptive conduct” and “ACCC” perspective as well.
As the ACCC brings greater focus to “unfair terms” in standard form consumer and small-business contracts (which privacy statements and privacy consent requests may well be), we may also see “privacy” cases brought by the ACCC under this guise.
Top privacy considerations for businesses
- Businesses must be accurate, truthful and transparent about the types of personal information they collect, and how that personal information is used. This extends to the content of the privacy policy, collection statements, notification statements and consent requests etc used by the business.
- Imposing significant penalties and enforcing them, hopes to send a strong message to digital platforms and other businesses, large and small, that they must not mislead consumers about how their personal information is being collected and used.
- Businesses need to have expansive thinking when considering privacy, through the OAIC lens of privacy, as well as through the consumer protection lens of the ACCC.
For further information or a review of your privacy documentation, please contact one of our Privacy experts.