There were headlines earlier this year when the Federal Court handed down a $60 million penalty to Google LLC (Google) for engaging in misleading or deceptive conduct, for statements made about collection of user location data. That was the first of two similar cases brought by the Australian Competition and Consumer Commission (ACCC) against Google alleging misleading conduct with respect to user privacy.
This month the Federal Court issued its decision on the second such case, and found that, unlike in the first case, Google had not engaged in misleading or deceptive conduct when seeking consent from account holders to combine their user data and data from third-party sites and apps for the purpose of improving targeted advertising.
The two Google decisions illustrate that short summaries presented to individuals can be appropriate vehicles for privacy consents, but also the importance of ensuring that those summaries are accurate.
Recap – ACCC’s first case
In Australia, the use of personal information is regulated by the Privacy Act 1988 (Cth) (Privacy Act) and is administered by the Office of the Australian Information Commissioner (OAIC). These recent proceedings in the Federal Court were unusual, in that they were not brought by the OAIC under the Privacy Act but were instead brought by the ACCC under the Australian Consumer Law (ACL).
In the first case, the ACCC alleged Google made misleading or deceptive statements to users about collection of location data. The Federal Court ruled in favour of the ACCC, finding that Google had engaged in misleading and deceptive conduct, imposing penalties on Google totalling $60 million. A summary of the decisions can be found in our articles here and here.
Current decision
This further case relates to steps taken by Google to combine user account data with data about individuals’ use of third-party sites and apps not owned by Google, for the purpose of creating advertising targeted to the individual (Advertising Activities).
Google had previously stated that it would not combine those sources of data without the express consent of users, and in 2016 it began seeking this consent. Google provided notice to users regarding this change through ‘notifications’ including a summary of the changes and diagrams and sought their consent to those changes. The ACCC alleged that, based on the notice provided, ‘consumers could not have properly understood the changes Google was making nor how their data would be used, and so did not – and could not – give informed consent’.
The Federal Court therefore considered whether the notification from Google failed to inform, or adequately inform, users that Google was seeking consent to undertake the proposed Advertising Activities.
Google’s Privacy Policy had also stated that it would ‘not reduce your rights under this Privacy Policy without your explicit consent’. Google made changes to its Privacy Policy to reflect the proposed Advertising Activities, which the ACCC alleged amounted to a reduction of individuals’ rights, and therefore was contrary to Google’s previous statements.
Background and the ACCC’s contentions
In mid-2016, Google displayed a notification to users with a Google account on the individual’s desktop and/or mobile devices. Signed-in account holders who had enabled various privacy settings were asked to consent to the Advertising Activities. The combined information would allow Google to better tailor its targeted ad services to account holders, which in turn would potentially allow Google to increase its revenue. To consent, the user needed to agree to the changes by clicking a button displaying text such as “I Agree” or “Yes, I’m in – turn on these new features”. Users seeking more details could click through for further information.
The ACCC alleged that the notification was presented in a way which encouraged the user to provide consent without accurately reflecting what Google was proposing to do.
The ACCC claimed that statements such as “more information will be available in your Google Account, making it easier for you to review and control” and “Google would use this information to make ads across the web more relevant for you” did not explain that Google would be collecting data from third party websites and combining it with the account holder’s personal information.
The ACCC also alleged that Google’s changes in its Privacy Policy in respect of the Advertising Activities constituted a reduction in user rights and therefore required explicit consent (per previous statements from Google), and that this consent was not obtained.
The ACCC alleged that the above conduct breached several sections the Australian Consumer Law relating to misleading or deceptive conduct.
Court’s findings:
The Court rejected the ACCC’s allegations, finding that the notification was sufficient to seek consent from the account holders for the conduct Google wished to engage in.
In reaching this decision, the Court considered the wording of the notifications and the evidence produced by Google to explain how Google had decided on how it would go about seeking consent.
Google spent substantial time developing the notification, including engaging focus groups, to arrive at the final wording. Google considered that the notification would be read by various individuals who would either skip, skim or read the notification, referred to as “Skippers, Skimmers and Readers”. The notification wording had been designed to maximise engagement with all groups of people to maximise the rate of consent. To cater to these groups, Google used a ‘simplified’ notification wording and diagram to quickly get across the changes to the account holder. If the account holder wanted further information before accepting, they could click on links in the notification to access further information.
This ‘layered’ approach to consent is not unusual, and even encouraged by the OAIC, which advises:
A notice may also be provided in layers, from a full explanation to a brief refresher as individuals become more familiar with how the APP entity operates and how personal information is handled. Brief privacy notices on forms or signs may be supplemented by longer notices made available online or in brochures.
In the location data case, a similar issue arose, but the Court was of the view that the high-level information presented to users was not reflective of the true underlying position explained in more detailed documentation, and therefore was misleading or deceptive.
The ACCC alleged that Google’s attempts in this Advertising Activities case to maximise the likelihood of obtaining consent showed that Google had some intention to mislead and deceive. The Federal Court rejected this assertation, noting it was ‘hardly surprising that [Google] wanted Account Holders to consent’. The Court accepted that the notification had been ‘designed for consent’ and did not consider this alone to be evidence of misleading or deceptive conduct. Further, the Court found that the wording of the notification accurately reflected the changes which were being made, despite not detailing the nuances of the changes.
The Court noted that ultimately account holders had the decision to consent and was satisfied that the notification was sufficient to get across to account holders the impact of the changes.
The Court also accepted that ‘Although the text of Google’s Privacy Policy changed… the change of text made by the June 2016 Privacy Update did not mean that Google reduced its existing Account Holders’ rights under the Privacy Policy’, and therefore did not require the consent of users.
The ACCC’s case was accordingly dismissed.
Two down, one more to go
In addition to the ACCC’s two cases against Google, the OAIC has also brought proceedings in the Federal Court against Facebook, for alleged breaches of the Privacy Act and APPs said to have arisen as part of the Cambridge Analytica scandal. We discussed this case in:
- March 2020, when the OAIC filed proceedings;
- April 2021, after the Federal Court found at least an arguable case to answer for both Facebook Inc in the US and Facebook Ireland Limited, and allowed service of the claim outside of Australia; and
- February this year, when the Full Court of the Federal Court rejected an appeal which sought to have Facebook Inc excluded from the matter, leaving the claim only against Facebook Ireland, with the Court deciding that Facebook Inc appeared to be carrying on a business in Australia which involved the collection of personal information.
On that basis, the complaint remains against both Facebook entities. The substance of the case is yet to be decided.
Given recent changes to the Privacy Act including significant increases to maximum penalties (see here for more information) and the various cases being bought by the ACCC and OAIC, we expect that the focus on privacy enforcement will continue.
This article was written by Daniel Kiley, Partner and Kayla Costa, Solicitor.
