Google vs. Australia ACCC: What it Means for Your Privacy Practices

Google vs. Australia ACCC: What it Means for Your Privacy Practices

The results of a recent Australian court case could make you rethink how safe and "covered" you are by your Privacy Policy and its disclosure of your plans to process personal information.

On April 16, 2021, an Australian Federal Court judge ruled in the case of Australian Competition and Consumer Commission (ACCC) v Google LLC. In that decision, the judge found that Google misled consumers during the set-up stages of their Android devices.

Note that the court handed down the ruling even though it was plain that Google had a Privacy Policy in place.

According to the Australian court, Google didn't clarify that the "Location History" setting wasn't the only application responsible for collecting and tracking private, personal information. In this case, the personal information was location data.

Moreover, Google included another setting called 'Web & App Activity' that was turned on by default. This setting also allowed the tech giant to collect and use location information. In other words, users had to know about the setting and turn it off manually in order to prevent Google from collecting their personal information.

At the end of proceedings, the court found Google to have breached a number of statutes in the Australian Consumer Law (ACL), including sections 18, 29(1)(g), and 34, all of which relate to deceptive behavior.

Penalties for Google's conduct are not yet determined, although it's likely Google will face fines in the millions of dollars. Meanwhile, the ACCC is currently drawing up detailed declarations as to why and how Google's activities were wrong and compliance orders, which Google will have to abide by if it wishes to do future business in Australia.

For its part, Google's executives are deliberating on an appeal to the ACCC's decision.

Let's take a deeper look at this case, what it means for businesses, and what you can do to make sure you don't end up making the same mistakes that Google made.


An Increasing Interest in Privacy on the Part of the ACCC

During the last few years, the ACCC has taken an increasing interest in privacy. For instance, in 2019, the ACCC put out a report that recommended wide-ranging reforms of privacy law in Australia.

Just some of the reforms the court recommended include reinforcing the Australian Privacy Act of 1988 and making its protections stronger. The Privacy Act is currently under review, with a discussion paper set to be released sometime in 2021.

With the increased interest in privacy on the part of the ACCC, it's interesting to note that the court considers its ruling against Google to be a "world-first" in terms of holding big tech companies accountable in the areas of data collection and privacy.

The reason the ACCC considers its decision to be a "world-first" has to do with its broad application and because it addresses information provided to users on smartphone screens. Now, you can make privacy disclosures in full in a Privacy Policy. However, most people don't read Privacy Policies unless the company directs them to do so.

That's why best practices for displaying disclosures on mobile phones suggest ensuring that vital information is easy to read and displayed prominently during regular use of a mobile app and not buried somewhere in a legal document.

There are two main reasons why you need a Privacy Policy:

✓ They're legally required: Privacy Policies are legally required by global privacy laws if you collect or use personal information.

✓ Consumers expect to see them: Place your Privacy Policy link in your website footer, and anywhere else where you request personal information.

Excerpt from TermsFeed Testimonials:

"I needed an updated Privacy Policy for my website with GDPR coming up. I didn't want to try and write one myself, so TermsFeed was really helpful. I figured it was worth the cost for me, even though I'm a small fry and don't have a big business. Thanks for making it easy."

Stephanie P.
Generated a Privacy Policy

Generate a Privacy Policy, 2021 up-to-date, for your business (web, mobile and others) with the Privacy Policy Generator from TermsFeed.

Obviously, mobile screens are much smaller than tablet, laptop, or desktop computer screens, which means any information you present to users must be condensed. Alternatively, you could present information over multiple screens, which smartphone users would swipe through.

In the case against Google, the judge assessed user behavior and what their reasonable actions might be when notified of a company's data collection practices. He then ruled that Google misled users by leaving out crucial information regarding its settings.

Organizations that would learn a lesson from Google's mistake should consider providing mobile users (and on other devices) with pertinent, detailed information about their data collection and use practices as a part of the overall (outside the Privacy Policy) customer journey.

ACCC v Google LLC (No 2) Specifics

ACCC v Google LLC (No 2) Specifics

Essentially, the entire ACCC case revolved around two specific settings on Android devices. These were the Web & App Activity settings and the Location History settings. The first had a default "on" setting, while the other was turned off by default.

According to the ACCC, between January 2017 and December 2018, Google breached numerous sections of the ACL by misleading customers into thinking that it couldn't obtain personal data from them with these default settings. However, the truth was that Google could easily acquire personal location data through the Web & App Activity's default setting.

The court made its case by demonstrating the behavior of three different groups of Android users.

The first group set up their phones and were shown specific "Privacy and Terms" screens. The second group chose to turn off their Location History setting either at the point of set-up or at a later time. The third group decided to turn off their Web & App Activity settings after the set-up of their Android devices.

The court then further split up the groups into categories depending on which screens they were shown on different devices and at other times.

The Conflict

According to Google, users should be given all disclosures at once. Further, users should read the disclosures as a whole. The company emphasized that the screens users saw contained links to Google's Privacy Policy that provided them with further information on Google's data collection practices.

In Google's view, users who cared enough to pay attention to the disclosure screens would click on the links to its Privacy Policy. Google also argued that the word "activity" clearly included "location" if users read the Privacy Policy in conjunction with the disclosure screens.

However, the actual heading for the Web & App Activity setting didn't refer to "location" in any way. Instead, it just used the word "activity."

The judge in the case ultimately concluded that reasonable users going through Google's disclosure screens would not have clicked on all the necessary links to understand the company's data collection practices fully.

Why Should Business Owners and Developers Care About This?

Why Should Business Owners and Developers Care About This?

As previously noted, the ACCC considers its ruling against Google to be a "world-first" when it comes to holding major corporations accountable for the dishonest collection of personal location data.

Increasingly, lawmakers and the courts are targeting business practices, especially those of major corporations, that disregard privacy and data protection laws and violate consumers' trust.

With that said, it isn't just big companies that are in the legal crosshairs for privacy violations. Small to medium-sized enterprises are just as at risk. Although the ACCC decision is specifically related to Google's information collection practices related to personal location data, it expresses its language in terms of personal information and consumer privacy.

In other words, the Australian court's decision could have far-reaching ramifications for business owners and developers that collect any kind of personal information, and specifically from consumers.

A rule of thumb would be to ensure that all your business practices related to data collection and personal privacy are fully transparent. Having expert legal counsel specializing in data protection and privacy laws on retainer would be a wise course of action.

It's a fair bet that Google has their own team of expert lawyers to help them in this area, yet they still fell afoul of the law. However, much depends on intent. Honest business owners should work with their attorneys to ensure they provide consumers with the most transparent, straightforward data collection notices and disclosures possible.

It should go without saying that they should also be presented without the intent to mislead or deceive your customers.

Essential Takeaways from the ACCC Decision

Essential Takeaways from the ACCC Decision

Don't make Google's mistake of believing that because you have a Privacy Policy that you are completely covered legally. In many cases, as demonstrated by the Australian court case, simply having a Privacy Policy isn't enough.

You should review your Privacy Policy to make sure that you can legally collect, process, store, and share personal information. However, you must also make every effort to ensure that the language is clear, simple to understand, and is not confusing, misleading, or deceptive in any way.

For example, dishonest behavior might be leaving relevant information out of a setting's description. It could be intentionally burying pertinent information in legal jargon that no one but attorneys understand. It may also be something as seemingly innocuous as specific terms insufficiently brought to the user's attention.

Take the time to think about things from your customer's point of view. Show that you care by looking at your app and its settings from your customers' perspective.

Remember that it's a mistake to assume the majority of people will take the time to meticulously go over each and every piece of legal information you present to them. Therefore, you should try to make sure that vital information is presented in headings (that people usually skim when reading) and that you include it in overall representations you make to customers.

Recall that privacy regulations are likely to become more strict over time. Therefore, you should have a culture of respecting the privacy of your customers. It all comes down to following a bit of the Golden Rule. Think about how you would want information presented to you and then respect your customers by giving them what you expect for yourself.

What Should Business Owners and Developers Do Now?

What Should Business Owners and Developers Do Now?

Make sure that your data collection notices and Privacy Policy are comprehensive and accurate when laying out precisely what applications and settings will collect. Be sure to list the reasons for collection and how the data will be used and disclosed.

Explain what each app and setting does in full. Be transparent about what their defaults are, and the results of those defaults happen to be. For example, your collection notice should be as transparent as possible about the actual effect of enabling or disabling individual settings.

Remember that consumers have a right to know what they agree to.

Here's a quick checklist of things to keep in mind:

  • Don't rely on the fine print within your Privacy Policy.
  • Consider if particular points are especially relevant to the collection of personal data and whether you should "call out" that information and essentially "shove it in the face" of the consumer.
  • Take the initiative in keeping your customers informed about what data you're collecting, why it's being collected, who it's being collected for, and whether you disclose that data to any third party.
  • Take out any language that's legalese. Use simple, plain language instead. Remember that first impressions matter.
  • Think about the overall presentation of information and whether the design encourages or discourages consumers from reading it. This includes the organization of elements, such as the use of headings, length of text, text color, text size, and placement of links.
  • Review your collection notices and Privacy Policy on a regular basis to ensure that they're tailored specifically to your needs, are relevant, and up-to-date.

Summary

The Federal Court of Australia found that Google behaved in a misleading, deceptive manner and falsely represented the way in which it collected, used, and stored personal data. Specifically, personal location information.

The Australian court believes it is the first in the world to probe Google's practices related to the collection of a user's location data. The court's ruling clarifies to business owners and app developers that representations made in their privacy settings and Privacy Policies could lead to lawsuits in Australia under the ACL.

Additionally, the court's decision means that businesses must now set an increasingly high bar for themselves when it comes to their data collection disclosures in order to avoid allegations of misleading or deceptive conduct.

Keep in mind that you should:

  • Not assume that users will read all of the information you make available to them.
  • Carefully think about whether the language used in data collection notices and Privacy Policies are likely to be understood by consumers.
  • Think about the organization of the information you present to users remembering that how its organized can be as important as the content.
  • Remember that you should disclose critical information up front. There's a chance the court won't look kindly on incorrect information that's presented upfront, but that's later corrected in a "deeper layer" of available information. You need to get it right from the very beginning. Otherwise, courts may find your upfront statement misleading or deceptive.
  • Be extremely specific about how the privacy settings a user chooses will impact the treatment of their personal information. For instance, if a user turns "Location History" off, it should be clear whether you will still use their location data or not. General statements about how a user's choice "may affect" the functionality of the settings or app may also not be enough to satisfy the courts.

Finally, be aware that the Federal Court's ruling was made less than one month after the ACCC began proceedings against Google in another case related to a 2016 change in Google's data collection practices wherein the company failed to gain explicit consent from users.

All in all, the Australian legal cases against Google's privacy violations show that the ACCC is committed to enforcing compliance with data protection and privacy law. Business owners and app developers should expect the Australian move toward strict enforcement of privacy law to continue and expand.

In light of the above, developing a robust set of practices that you follow to help prevent potential lawsuits and legislative violations is a must.

William B.

William B.

Legal writer.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.