Since publishing its final Digital Platforms Inquiry report in July 2019, the Australian Competition and Consumer Commission (ACCC) has issued two privacy related proceedings against Google – first in October 2019 and again last week. We considered the first proceedings in our previous article, 'Is the ACCC becoming a second privacy regulator?' This post considers the proceedings issued last week.
Proceedings issued last week – ACCC alleges Google mislead consumers with respect to the combination of their data
The ACCC alleges that Google misled Australian consumers in order to obtain their consent to expand the scope of personal information that Google could collect and combine about consumers' internet activity, for use by Google, including for targeted advertising.
The ACCC's case is two-fold:
ACCC alleges that Google did not properly inform account holders of changes to its collection and use of personal information
First, the ACCC alleges that Google did not properly inform account holders (Users) of a change in 2016 to its collection and use of personal information, and therefore did not obtain informed consent from the Users. This change was to start combining personal information in a User's Google account with information about the User's activities on third party sites that used Google technology to display ads. Google then allegedly improved the commercial performance of its advertising business using this combined data.
The ACCC has explained that, to obtain consent to start combining User's data, Users were prompted to click “I agree” to a pop-up notification from Google. This notification included the following statements:
- “Some new features for your Google Account
We’ve introduced some optional features for your account, giving you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads”
- “More information will be available in your Google Account making it easier for you to review and control”
- “Google will use this information to make ads across the web more relevant for you”
The ACCC alleges this consent process was misleading. As summarised by its chair, Rod Sims, the ACCC's case involves a view “that many consumers, if given an informed choice, may have refused Google permission to combine and use such a wide array of their personal information for Google’s own financial benefit”.
The notification provided to a User depended on the device and Google service being used. It appears from the ACCC's media release that some of the notifications included more information than outlined above.
Potentially misleading statement about privacy
Secondly, the ACCC has raised concerns with respect to a statement in Google's privacy policy that committed Google to seeking explicit consent before reducing a user's rights. The ACCC has alleged that statement “[w]e will not reduce your rights under this Privacy Policy without your explicit consent.” is misleading because Google did not in fact obtain the explicit consent referred to.
By way of context, before 28 June 2016, Google's privacy policy stated that it “will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent”. DoubleClick is a company, acquired by Google in 2008, that supplies ad-serving technology services to publishers and advertisers. Once Google started combining its users’ data, this provision was amended to “[d]epending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google's services and the ads delivered by Google”.
Further information on the proceedings is available in the ACCC's media release.
- Since the ACCC's final Digital Platforms Inquiry report, the ACCC has taken an increasingly active role in the regulation of consumer privacy protections through enforcement of the Australian Consumer Law.
- Organisations must consider the requirements of the Australian Consumer Law when making privacy notifications, seeking privacy consents and handling personal information. In particular, organisations should:
- Ensure that any statements in relation to the handling of personal information (including in privacy policies and privacy collection notices) are accurate, comprehensive, complete and up-to-date.
- Remember that silence or omission can potentially be misleading, not just explicit representations. What is left out, or what is not conveyed in sufficiently clear or complete terms, can raise consumer law risks.
- Be mindful of how consent is obtained from consumers; transparent information must be clearly provided to consumers so they can make an informed choice. Requiring consumers to take proactive steps to locate this information may undermine the validity of the consent.
- Ensure the organisation’s privacy policy does not include any commitments (that are beyond its obligations at law) that cannot be met or that the organisation does not intend to meet. Failure to comply with these commitments or making commitments that will not be met may be misleading.
- Consider clearly setting out what the organisation will not do with personal information. Given the increasing number of allegations being made against companies in relation to the handling of data, building trust with customers and clients in relation to privacy protections is more important than ever.