Last updated on 01 July 2022 by William Blesch (Legal and data protection research writer at TermsFeed)
On April 16, 2021, an Australian Federal Court judge ruled in the case of Australian Competition and Consumer Commission (ACCC) v Google LLC. In that decision, the judge found that Google misled consumers during the set-up stages of their Android devices.
According to the Australian court, Google didn't clarify that the "Location History" setting wasn't the only application responsible for collecting and tracking private, personal information. In this case, the personal information was location data.
Moreover, Google included another setting called 'Web & App Activity' that was turned on by default. This setting also allowed the tech giant to collect and use location information. In other words, users had to know about the setting and turn it off manually in order to prevent Google from collecting their personal information.
At the end of proceedings, the court found Google to have breached a number of statutes in the Australian Consumer Law (ACL), including sections 18, 29(1)(g), and 34, all of which relate to deceptive behavior.
Penalties for Google's conduct are not yet determined, although it's likely Google will face fines in the millions of dollars. Meanwhile, the ACCC is currently drawing up detailed declarations as to why and how Google's activities were wrong and compliance orders, which Google will have to abide by if it wishes to do future business in Australia.
For its part, Google's executives are deliberating on an appeal to the ACCC's decision.
Let's take a deeper look at this case, what it means for businesses, and what you can do to make sure you don't end up making the same mistakes that Google made.
During the last few years, the ACCC has taken an increasing interest in privacy. For instance, in 2019, the ACCC put out a report that recommended wide-ranging reforms of privacy law in Australia.
Just some of the reforms the court recommended include reinforcing the Australian Privacy Act of 1988 and making its protections stronger. The Privacy Act is currently under review, with a discussion paper set to be released sometime in 2021.
With the increased interest in privacy on the part of the ACCC, it's interesting to note that the court considers its ruling against Google to be a "world-first" in terms of holding big tech companies accountable in the areas of data collection and privacy.
That's why best practices for displaying disclosures on mobile phones suggest ensuring that vital information is easy to read and displayed prominently during regular use of a mobile app and not buried somewhere in a legal document.
Obviously, mobile screens are much smaller than tablet, laptop, or desktop computer screens, which means any information you present to users must be condensed. Alternatively, you could present information over multiple screens, which smartphone users would swipe through.
In the case against Google, the judge assessed user behavior and what their reasonable actions might be when notified of a company's data collection practices. He then ruled that Google misled users by leaving out crucial information regarding its settings.
Essentially, the entire ACCC case revolved around two specific settings on Android devices. These were the Web & App Activity settings and the Location History settings. The first had a default "on" setting, while the other was turned off by default.
According to the ACCC, between January 2017 and December 2018, Google breached numerous sections of the ACL by misleading customers into thinking that it couldn't obtain personal data from them with these default settings. However, the truth was that Google could easily acquire personal location data through the Web & App Activity's default setting.
The court made its case by demonstrating the behavior of three different groups of Android users.
The first group set up their phones and were shown specific "Privacy and Terms" screens. The second group chose to turn off their Location History setting either at the point of set-up or at a later time. The third group decided to turn off their Web & App Activity settings after the set-up of their Android devices.
The court then further split up the groups into categories depending on which screens they were shown on different devices and at other times.
However, the actual heading for the Web & App Activity setting didn't refer to "location" in any way. Instead, it just used the word "activity."
The judge in the case ultimately concluded that reasonable users going through Google's disclosure screens would not have clicked on all the necessary links to understand the company's data collection practices fully.
As previously noted, the ACCC considers its ruling against Google to be a "world-first" when it comes to holding major corporations accountable for the dishonest collection of personal location data.
Increasingly, lawmakers and the courts are targeting business practices, especially those of major corporations, that disregard privacy and data protection laws and violate consumers' trust.
With that said, it isn't just big companies that are in the legal crosshairs for privacy violations. Small to medium-sized enterprises are just as at risk. Although the ACCC decision is specifically related to Google's information collection practices related to personal location data, it expresses its language in terms of personal information and consumer privacy.
In other words, the Australian court's decision could have far-reaching ramifications for business owners and developers that collect any kind of personal information, and specifically from consumers.
A rule of thumb would be to ensure that all your business practices related to data collection and personal privacy are fully transparent. Having expert legal counsel specializing in data protection and privacy laws on retainer would be a wise course of action.
It's a fair bet that Google has their own team of expert lawyers to help them in this area, yet they still fell afoul of the law. However, much depends on intent. Honest business owners should work with their attorneys to ensure they provide consumers with the most transparent, straightforward data collection notices and disclosures possible.
It should go without saying that they should also be presented without the intent to mislead or deceive your customers.
For example, dishonest behavior might be leaving relevant information out of a setting's description. It could be intentionally burying pertinent information in legal jargon that no one but attorneys understand. It may also be something as seemingly innocuous as specific terms insufficiently brought to the user's attention.
Take the time to think about things from your customer's point of view. Show that you care by looking at your app and its settings from your customers' perspective.
Remember that it's a mistake to assume the majority of people will take the time to meticulously go over each and every piece of legal information you present to them. Therefore, you should try to make sure that vital information is presented in headings (that people usually skim when reading) and that you include it in overall representations you make to customers.
Recall that privacy regulations are likely to become more strict over time. Therefore, you should have a culture of respecting the privacy of your customers. It all comes down to following a bit of the Golden Rule. Think about how you would want information presented to you and then respect your customers by giving them what you expect for yourself.
Explain what each app and setting does in full. Be transparent about what their defaults are, and the results of those defaults happen to be. For example, your collection notice should be as transparent as possible about the actual effect of enabling or disabling individual settings.
Remember that consumers have a right to know what they agree to.
Here's a quick checklist of things to keep in mind:
The Federal Court of Australia found that Google behaved in a misleading, deceptive manner and falsely represented the way in which it collected, used, and stored personal data. Specifically, personal location information.
The Australian court believes it is the first in the world to probe Google's practices related to the collection of a user's location data. The court's ruling clarifies to business owners and app developers that representations made in their privacy settings and Privacy Policies could lead to lawsuits in Australia under the ACL.
Additionally, the court's decision means that businesses must now set an increasingly high bar for themselves when it comes to their data collection disclosures in order to avoid allegations of misleading or deceptive conduct.
Keep in mind that you should:
Finally, be aware that the Federal Court's ruling was made less than one month after the ACCC began proceedings against Google in another case related to a 2016 change in Google's data collection practices wherein the company failed to gain explicit consent from users.
All in all, the Australian legal cases against Google's privacy violations show that the ACCC is committed to enforcing compliance with data protection and privacy law. Business owners and app developers should expect the Australian move toward strict enforcement of privacy law to continue and expand.
In light of the above, developing a robust set of practices that you follow to help prevent potential lawsuits and legislative violations is a must.
This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.
01 July 2022