On 16 April 2021, the Federal Court of Australia handed down its decision in Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367 (ACCC v Google). The Court found that the ACCC had successfully shown that Google had misled consumers in the collection of their location data through Android devices.

The case: how Google allegedly misled consumers

The ACCC alleged that Google LLC and Google Australia (collectively Google) misled consumers about the collection and use of location data and various stages during the use of Android devices and the creation of Google accounts. The allegations revolved around two OS level settings, 'Location History' and 'Web App Activity', which together allowed a user to control whether Google was able to collect the user's personal data, including location history data.

The crux of the ACCC's case was that Google had misled consumers into believing that when Location History was turned off, Google would not obtain, retain or use personal data about the user's location. However, Google also collected personal data relating to the user's location when the user had enabled the Web App Activity setting. When a new user set up a Google Account on their Android phone, Location History would default to ‘off’ and Web App Activity would default to ‘on’.

Key issues

The ACCC contended that Google had misled its consumers in three specific scenarios:

• first, when a user initially set-up the device and was presented with the opportunity through the 'more options' link within the Privacy and Terms screen, to enable or disable the Location History or Web App Activity settings
• second, where a user had turned the Location History setting to 'on' and then later decided to turn it back off; and
• third, where a user considered turning off the Web & App Activity setting after initial set-up of their device.

In each of these scenarios, the Court considered whether Google had:

• engaged in misleading or deceptive conduct pursuant to section 18 of the Australian Consumer Law (ACL);
• made false or misleading representations contravening section 29(g)(1) of the ACL; and
• engaged in conduct that was liable to mislead the public regarding their goods (section 33 of the ACL) or services (section 34 of the ACL).

Outcome

The Court found that in all three scenarios, the ACCC had partially made out its case. This involved a consideration of hypothetical members of the relevant classes of users, as well as multiple potential responses from members of these classes of users, with the Court stating:

"… where the effect of conduct on a class of person … was in issue … the section must be regarded as contemplating the effect of the conduct on all reasonable members of the class ….. It may be that reasonable members of the class cannot be distilled into a single hypothetical person".

The Court further held that the identified hypothetical person is not capable of just one response or reaction:

"There may be situations where a hypothetical person might reasonably have been misled and might reasonably not have been misled".

The Court emphasised that confining a hypothetical member of the class to one response was artificial:

"one would not condone misleading conduct directed to the public at large just because 51% of consumers … would not be misled".

Each scenario then, in effect, considered the particular stage in the process of navigating Google's privacy documentation at which certain people would decide to cease navigating Google's systems – and if, at that point, they would have been misled or deceived. For example, whether a user initially setting up their Google Account and device may have been relatively easily misled or deceived. This is in contrast to whether a person was deciding to turn Location History off at a later date, and was particularly interested in their privacy and management of their data, was likely to take a greater interest in the documentation presented by Google, and only in some circumstances would be misled or deceived.

For Google, the risk exposure highlighted by these proceedings arose from the complex nature of the documentation through which Google informed consumers of how they would use their personal information.

For the ACCC, the partial findings do not mean the ACCC's case was lacking in a particular area, but rather that different consumers interact with particular information differently, and that where some consumers in a class of people may be misled, others will not.

Implications of the case

The ACCC's partial success in this case may bolster its foray into regulating, through the Competition and Consumer Act, the intersection between data, privacy and consumer law. The ACCC has already emphasised the need to regulate the interaction with consumer data in the Digital Platforms Inquiry Report, which was one of the documents which led to the Review of the Privacy Act (Privacy Act Review) currently being conducted by the Attorney-General's Department.

This case also follows other enforcement action against Google for allegedly misleading 'consumers about expanded use of their personal data' and proceedings against Facebook for misleading and deceptive conduct when promoting Facebook's Onavo Protect Mobile VPN. The ACCC was previously successful against HealthEngine for misuse of patient data when it shared patient data with third party insurance brokers.

Depending on the progress and outcome of the Privacy Act Review and any additional privacy and data specific regulatory powers that emerge from that review, the ACCC may feel encouraged by the decision and look to take further action. Although this decision is being hailed as a 'world first', the prosecution against Google follows a trend of a number of cases around the world prosecuting digital platforms for the alleged misuse of consumer data.

Potential risks are not limited to large organisations. Smaller organisations, or organisations that do not necessarily have the collection, storage and use of personal information at the core of their business, should ignore these regulatory trends at their peril.

To this end, it is important for organisations to regularly review privacy policies, collection notices and other privacy-related documents and their digital infrastructure more broadly. As part of such reviews, it is not only important to ensure technical compliance with Australian and global privacy regimes (such as the Privacy Act 1988 (Cth) in Australia, and the General Data Protection Regulation in the European Union), but to also ensure that the organisation's privacy policies and notices are fit for purpose and accessible. A key factor in the case against Google was that the manner in which Google informed consumers of how their location information would be managed was confusing to the extent that a reasonable consumer was likely to be misled or deceived when engaging with Google's systems.

Organisations need to consider whether the manner in which they inform consumers as to how their personal information is collected, used, stored and disclosed is sufficiently transparent so as to minimise the risk of similar ACCC enforcement action.