Time to review your data collection policies and practices?

Businesses must take note of the lessons from Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367. In this decision, the Federal Court addressed the collection and use of Android users’ personal data by Google LLC and Google Australia Pty Ltd (collectively, Google), providing guidance around what businesses should be aware of in today’s digital world.

Background

The decision concerned mobile users who, between January 2017 and October 2019:

• owned a mobile which used the Android operating system and on which Google Mobile Services was installed; and
• were signed into their Google Account on that mobile; or
• were in the process of setting up a Google Account on that mobile.

In managing or setting up their Google Account, users could adjust the “Location History” and “Web & App Activity” settings to suit their preference. The default position for these settings was:

• Location History ➔ off; and
• Web & App Activity ➔ on.

The effect of the default settings was that Google could could obtain, retain and use personal location data when a user was active on various apps, including Google services such as Google Maps.

Importantly, users setting up their Google Account were only directed to the screen where the settings could be adjusted if they clicked on the “More Options” button at the end of Google’s Privacy and Terms page. Otherwise, users could simply click “I agree” to proceed with the set up process or “Don’t create the account”.

The proceedings

In late 2019, the Australian Competition and Consumer Commission (ACCC) commenced proceedings against Google, alleging that in breach of the Australian Consumer Law (ACL), it engaged in misleading or deceptive conduct, made false or misleading representations and engaged in conduct that was liable to mislead the public regarding their goods or services.

Put simply, the ACCC’s case was that Android users were misled to believe that the default Location History and Web & App Activity settings prevented Google from obtaining and using their personally identifiable location data, when in actual fact such data was able to be accessed and used by Google.

Decision

In April 2021, the Federal Court partially found in favour of the ACCC, determining that Google breached the ACL by:

• its misleading representations to Android users that their location data would not be collected if the Location History setting was turned off; and
• not properly disclosing to users that the Web & App Activity setting also had to be turned off to prevent the collection of their location data.

The parties recently agreed to orders including that Google would pay $60 million in penalties.

Lessons

We can expect continued scrutiny of data collection practices and more cases of this nature in the future. Although the Federal Court’s decision relates to unique representations made by a large global corporation, it serves as a timely reminder for businesses, no matter how small, to review their data collection practices, policies and representations about data collection.

Some of the key takeaways include:

• businesses must be transparent about the types of data they are collecting and how it is collected and used, to enable consumers to make informed decisions about how they share their data;
• privacy policies or other terms and conditions won’t save a business from engaging in misleading or deceptive conduct if the overall impression of the representation is misleading or deceptive. This is particularly so because, as was recognised by the Court, most consumers will not read, or will not read carefully, the contents of a privacy policy; and
• businesses may contravene the ACL if they mislead, or are likely to mislead, only a small portion of users.
  

This article provides general commentary only. It is not legal advice. Before acting on the basis of any material contained in this article, seek professional advice.

Author: Annabel Nettle, associate in our disputes practice