10 May 2021

When is a privacy policy not enough? (ACCC v Google LLC (No 2))

This article is written by Kirsten Bowe, Oceane Pearse and Patrick Gunning.

Your organisation plans to process personal information. You have checked the privacy policy and the intended use is covered in the policy.  Happy days!  Nothing more to do, right?  Not so fast …

In the recent case of Australian Competition and Consumer Commission v Google LLC (No 2) [2021][1] a Federal Court judge found that, despite there being no suggestion that the privacy policy was lacking, the presentation of information to customers on a mobile phone screen was misleading in specific circumstances as to how location data would be collected, stored and used.  The factual details are complex.  The judge accepted that if users read all of the relevant screens, or read the privacy policy, users may not have been misled.  However, the judge found that it was not reasonable to expect users would have read all of the screens or the privacy policy.  In that context the judge found that some reasonable users in the relevant class would have been misled in respect of some of the claims (on other claims the Australian Competition & Consumer Commission (ACCC) was unsuccessful).    

While this judgement may be appealed, it highlights the need to consider not just the privacy policy, but also the other information provided to users, the context in which that information is provided, and whether the information made available would be misleading if not read with further information which is also available but in a separate location. 

In this alert we take a closer look at the factual circumstances and findings in this case and what organisations should be thinking about outside of their privacy policy when collecting personal information.

ACCC’s increasing interest in privacy

The ACCC has taken an increasing interest in privacy over recent years.  In the ACCC’s Digital Platforms Inquiry Report in 2019, the ACCC recommended a broad reform of Australian Privacy Law, including strengthening protections under the Privacy Act 1988 (Cth) (Privacy Act).  A review of the Privacy Act is currently underway, with a discussion paper set to be released in 2021.

Ahead of any such reform, the ACCC has turned to existing legislation, such as the Australian Consumer Law (ACL) under sch 2 of the Competition and Consumer Act 2010 (Cth), to take action against what it alleges to be misleading and deceptive conduct in relation to the collection and use of personal information, even if such use is not a breach of the Privacy Act.

One of the first cases of this type brought by the ACCC was against HealthEngine, Australia’s largest online health marketplace, for a breach of the ACL in the context of its provision of personal information to private health insurers and its publication of online patient reviews.  In mid-2020, HealthEngine was found to have misled consumers in breach of sections 18, 29 and 34 of the ACL.[2]  In that case the court concluded HealthEngine’s conduct was misleading, notwithstanding its privacy policy, because it was not sufficiently clear that third parties would be provided with personal information.  The court also found that the ACL had been breached in relation to the selective publication of only positive patient reviews. HealthEngine admitted that it divulged the personal information of over 135,000 patients to third party private health insurance brokers without disclosing this to customers.  HealthEngine further admitted that it had refrained from publishing around 17,000 authentic patient reviews, but published approximately 3,000 reviews that had been edited to remove negative features.  In total, HealthEngine was ordered to pay $2.9 million in penalties for these contraventions.

More recently, on 16 April 2021, the Federal Court of Australia found that Google had misled consumers in various representations regarding the collection and use of personal location data from Android mobile devices between January 2017 and December 2018.  The ACCC was successful in respect of some (but not all) of its claims.  The ACCC considers this decision a “world-first” in the area of privacy and data collection by big tech companies.  The period for appeal is still open and so this decision may yet be appealed.

This latest case is interesting, and of broad application, because it deals with the information provided to users on mobile phone screens.  This necessarily requires a shortened presentation of information that may be included in the full privacy policy and may need to be presented over multiple screens.  Some of the judge’s assessment of user behaviour and what may be reasonable should be taken into account by organisations when assessing what information is provided to users as part of their customer journey on a device (outside of their privacy policy) about how their personal information is used and collected.   

Other Australian consumer protection regulators are also taking an interest in the means by which suppliers of goods and services to Australian consumers explain privacy issues to those consumers.  In NSW, Australia’s most populated state, the legislature has enacted a consumer protection measure that deems any term of supply of goods or services to a consumer that “permits the supplier to provide data about the consumer, or data provided by the consumer, to a third party in a form that may enable the third party to identify the consumer” to be a term that “may substantially prejudice the interests of the consumer”.[3]  The consequence of that statutory deeming provision is that a supplier “must, before supplying a consumer with goods or services, take reasonable steps to ensure the consumer is aware of the substance and effect of” the term.  In other words, this requires affected suppliers to be more transparent about the substance and effect of the relevant contractual term of supply that permits the supplier to disclose identifiable consumer data to a third party prior to the consumer entering into the supply contract.  This statute has been in force since 1 July 2020, and contravention of this provision attracts the same (substantial) pecuniary penalties as for a contravention of the ACL.[4]  We are not aware of any enforcement proceedings having been taken by NSW Fair Trading in relation to this issue, but that must only be a matter of time.

What was ACCC v Google LLC (No 2) case about?

The ACCC case centred around two particular settings on Android devices, the Location History and Web & App Activity settings.  While the Location History setting was by default turned ‘off’, the Web & App Activity setting was defaulted to ‘on’.  With the Web & App Activity setting turned ‘on’, Google could obtain, retain and use personal location data. 

The ACCC claimed that, in breach of ss 18, 29 and 33 or 34 of the ACL, users of Android devices between January 2017 and December 2018 were misled to believe that these default settings did not allow Google to obtain and use personally identifiable location data.

The ACCC ran its case by dividing Android users during the relevant time periods into three separate categories.  The first involved users who set up their devices between certain dates and were shown particular ‘Privacy and Terms’ screens.  The second related to users who had decided to turn their Location History setting ‘off’, whether during the set up of the device or at a later time.  The third category concerned users who had decided to turn their Web & App Activity setting ‘off’ after the set up of the device.  These categories were split into further classifications, according to the different screens users were shown at different dates and on different devices. 

The factual description of the categories and the different claims is complex.  The first category of claim provides a useful example of the claims and some of the interesting judicial commentary.  We will limit our focus to that first category.

The set up claims

The first category of claims related to the set up of the Android devices in the applicable period.  There were 3 layers of screens in question. 

All users had to view the ‘Privacy and Terms’ screen, which gave the user the opportunity to click on one of 3 buttons – ‘Agree’, ‘Don’t create the account’ or ‘More Options’.  The parties accepted that most users would “blow through” the Privacy and Terms screen and click ‘Agree’ without visiting any of the other nested screens.  The ACCC’s case did not include these users.  The ACCC’s case focused on a subset of users (that the parties agreed was “atypical”) who were interested in privacy related issues and clicked on the ‘More Options’ button.  On the ‘More Options’ page, users were presented with a Location and a Web & App Activity heading, both of which had an opportunity to click a ‘Learn More’ button to go to an additional screen with more information.  Notably, the Web & App Activity heading under the ‘More Options’ screen did not include the word ‘location’, and instead referred to ‘activity’.

Google submitted that all of these screens should be read as a whole, and emphasised that these screens contained links to Google’s Privacy Policy, which provided further detail on their data collection practices.  Additionally, Google argued that the word ‘activity’ clearly included location, when read together with the earlier ‘Privacy and Terms’ screen or when the ‘Learn more’ link was clicked.  Furthermore, Google submitted that a user in this category would necessarily be privacy-focused and would therefore pay careful attention to the information displayed on the various screens.

Thawley J considered that the degree of attention paid to the screens would have varied according to the user’s interest.  Ultimately, his Honour held that some reasonable users in the first category, acting reasonably, would not have clicked on all the links necessary to gain a full understanding.  As a result, these users “would have incorrectly concluded from Google’s conduct as a whole… that the Location History setting was the setting which therefore controlled whether Google would obtain personal data about the user’s location”.[5]  The ACCC was therefore successful in making its case for the first category of users.

Interesting commentary on how to apply the ACL

In reaching this conclusion Thawley J made a number of comments that will be useful in considering the application of the ACL to other scenarios. 

  1. The Court must put itself in the position of the relevant consumer setting up their device.[6]

    In this case, Thawley J commented that Google’s arguments were more attractive the longer one looks at the screens.  However, he concluded that that is not the appropriate approach.  “The screens were read by users setting up the device. Such users, even ones with heightened privacy concerns, would not re-read screens with the kind of careful attention that has been necessary in considering the various arguments put by the parties”.[7]

  2. While the relevant materials must be read as a whole, they must be read in the way the consumers would have read them.[8]

    That is to say, it is not a matter of looking at one screen in isolation.  But it is also not a matter of looking at all available material if the consumer would not have done so.  On this basis Thawley J expressly stated “In my view, reasonable members of the class would not have read the Privacy Policy and would have assumed that it had been accurately summarised”.[9]

  3. It is enough to demonstrate that some ‘reasonable users’ have been misled or were likely to have been misled.

    It was necessary to consider ordinary or reasonable members of the class excluding extreme or fanciful responses.[10]  The court rejected the submission that this required the court to determine a single response from a single hypothetical ‘reasonable user’.  “The number or proportion of reasonable users who were misled, or were likely to have been misled, does not matter for the purposes of establishing contravention”.[11]  The fact that some people were not misled is not the point.[12]  It was accepted by the parties there is no “not insignificant number test”.[13]  As a result, it is a question of whether some reasonable users had been misled or were likely to have been misled, but it is not necessary to demonstrate any particular portion of reasonable users were misled or likely to be misled.

  4. A range of factors may be relevant in determining whether conduct gives rise to a representation that may be misleading or deceptive.[14]

    These include:
    • Representations may be express or implied from words or conduct;
    • Conduct must be considered as a whole, and must be assessed in context – it is wrong to simply analyse the separate effect of multiple representations; and
    • Where there are conflicting statements in consumer materials, the prominence of those conflicting statements and the likelihood of the consumer reading and absorbing neutralising materials are relevant.

What are the key takeaways from this decision?

Reviewing your privacy policy is not enough! It is critical to review your privacy policy to ensure you can use and process personal information in the way intended.  But this is not enough on its own.  While the ACL has always applied to consumer representations, this case highlights the need to look beyond the privacy policy to ensure that representations being made to consumers are not misleading or deceptive, including as a result of relevant terms not being sufficiently brought to the attention of the user.

Care must be taken in summarising or paraphrasing. In summarising data collection and usage practices it is not just what is said, but what is not said, that contributes to the overall representation.

Put yourself in the shoes of the consumer. Review your customer collateral from the customers’ perspective, taking into account the context of when a customer will be reading those materials.  You cannot assume a customer will carefully and meticulously pore over the legal terms.  How you use headings and what information is emphasised will go to the overall representations made to customers.

Increasing focus on privacy. This is another (albeit partial) success for the ACCC in using the ACL in the context of privacy and personal information.  We expect the ACCC and other regulators to continue to look closely at privacy related issues through their regulatory lens while the privacy review is underway.

[1] FCA 367 (‘Google (No 2)’).

[2] Australian Competition and Consumer Commission v HealthEngine Pty Ltd [2020] FCA 1203.

[3] Fair Trading Act 1987 (NSW) s 47A.

[4] Ibid s 70(3).

[5] Google (No 2) (n 1) [219].

[6] Ibid [86].

[7] Ibid [202].

[8] Ibid [168].

[9] Ibid [183].

[10] Ibid [16].

[11] Ibid [17].

[12] Ibid [96].

[13] Ibid [88].

[14] Ibid [83].
