30 April 2021
In a ‘world-first’ proceeding of its kind, the Australian Competition and Consumer Commission (ACCC) launched proceedings against Google LLC & Google Aus (Google) in 2020, alleging Google misled Android users as to how much of their personal data (i.e. geolocation) was being collected. On 16 April 2021, the Federal Court handed down its decision.
Overview of decision
The Federal Court ruled that Google misled consumers in the initial set-up process of their Android devices by not making it clear enough that the ‘Location History’ setting was not the sole application setting responsible for collecting and tracking location data (i.e. personal information).
The Court found that between January 2017 and December 2018 an additional setting titled ‘Web & App Activity’, which was turned on by default, also allowed Google to collect and use location data. That is, this setting also had to be turned off to stop location data being collected. The ACCC successfully established that Google had breached sections 18, 29(1)(g) and 34 of the Australian Consumer Law relating to misleading and deceptive conduct.
Whilst penalties for Google are yet to be determined, the ACCC is pursuing declarations (a statement confirming how and why Google’s actions were wrong), compliance orders (requiring that Google act in a certain way in the future) and penalties in the millions of dollars. The ACCC is also proposing that Google provide a prominent notice to Australian customers to explain how they collect personal data with respect to location data settings in a more transparent manner.
Google is currently considering an appeal of the decision.
Why should you care?
The ACCC’s initiation of proceedings against Google is a ‘world-first’ (according to the ACCC) instance of a regulator targeting a major corporation in relation to dishonest collection of location data. This is of particular significance given that the ACCC is not specifically tasked with enforcing privacy and data laws and standards. We are continuing to see regulators shifting their focus to Big Tech practices in line with growing consumer awareness about privacy and data protection. Given the ACCC is also considering enforcement action against Google’s advertising strategies, it appears Big Tech companies are already in regulatory cross-hairs for anti-competitive behaviour. However, in recent times the ACCC has prosecuted a number of ‘consumer privacy’ cases with great success against SMEs as well as the tech giants.
Although this decision is related to the collection of location data, it is couched in terms of ‘consumer privacy’ and personal information. We consider it significant for all businesses that collect personal information in general and from consumers in particular. Businesses need to ensure that they are fulfilling their Consumer Law and Privacy obligations, and to provide data collection notices without misleading or deceiving customers.
What should you do?
Businesses should ensure their collection notices are sufficiently thorough and accurate in setting out exactly what settings and/or applications will collect, use and disclose personal information, and explain the real effect of all settings and applications. Collection notices should be transparent in conveying the real effect of disabling or enabling a setting so that consumers are properly informed as to what they are agreeing to. But this is not limited to location data – all privacy policies and data collection notices should be clear and transparent to avoid any misinterpretation or misleading effect. Also, for any sensitive or health information, it is likely that burying the use or disclosure in your privacy policy may not be sufficient – the ACCC requires you to ‘call out’ certain uses and disclosures.
Checklist:
- frequently review your privacy policy and collection notices and ensure that they are bespoke, updated and relevant to your business;
- do not rely on ‘fine-print’ in your privacy policy if any sensitive or health information is involved – consider if the use or disclosure should be brought to the attention of the consumers;
- actively keep your customers informed on what data you are collecting, what it is being collected for, who it is being disclosed to and consider if any additional or upfront notice or reminder is required;
- remove any language that would have the effect of confusing or misleading customers (even if you clarify in the body of your privacy policy – first impressions are crucial); and
- actively consider how consumers might interpret or misinterpret your policy and/or collection notices, and clarify the language accordingly.
How can we help?
Clyde & Co has the largest dedicated and rapidly expanding cyber incident response and privacy practice in Australia and New Zealand. Our experienced team have dealt with over 1000 data breach and technology related disputes and some of the region's most significant privacy related matters in recent times, including a number of the largest and most complex incidents in Asia Pacific to date. The firm's cyber and privacy practice provides an end-to-end risk solution to clients. From advice, strategy, transactions, innovations, pre-incident readiness and incident response through to regulatory investigations, proceedings, third party claims (including group litigation) and recoveries, the team assists corporate clients, insurers, insureds and brokers across the full cyber and privacy lifecycle. Our team is also highly regarded for its expertise and experience in managing all forms of disputes across sectors, including advising on some of the most newsworthy class actions commenced in Australia.
For further information, please contact:
Alec Christie, Partner, Clyde & Co
Alec.Christie@clydeco.com