25 November 2021

ACCC v Google LLC (No.2) [2021] FCA 367 – Have you properly disclosed how your business collects consumer data?

Mobile devices have become central to our lives. So essential, in fact, that the term nomophobia has been created – fear of being without your mobile phone.

Of course they also carry a wealth of personal data, which represents a gold mine to advertisers and those seeking insights into consumer behaviour.

Regulators are fighting to adapt to this new world and protect users. For example, the Australian Competition and Consumer Commission (ACCC) recently took Google to court (ACCC v Google LLC (No. 2) [2021] FCA 367) drawing on provisions under the Australian Consumer Law (ACL) to deal with consumer privacy.

The case is important as it gives guidance on how information needs to be provided on mobile devices so consumers are not misled. This case builds on previous ‘fine print’ cases and shows how the law is being adapted to contemporary issues.

Background

The case shows the importance for organisations to prominently identify how they collect and use customer data. Failure to do so can create false and misleading impressions on users who may think their personal data is not being collected when it actually is. With the publics’ concerns about privacy, and how personal information is collected and used by companies, this is an area coming under increasing scrutiny from the ACCC.  

The case concerned two settings on Android devices: “Location History” and “Web & App Activity”. When setting up a new device, the default setting for Location History was “off” and for Web & App Activity was “on”. If either or both of these settings was on, Google could collect and store data about the user’s location.

While it was apparent from the prompt screens shown to users either setting up their device, or when reviewing their settings, that Location History while activated would allow Google to collect location data, it was not clear on the face of the prompt in relation to the Web & Activity setting (which was turned on by default) that it would also allow Google to collect and use location data if this setting was switched on.

The Privacy and Terms screen allowed users to choose ‘Agree’, ‘Don’t create the account’ or ‘More Options’. Google and ACCC accepted that most users would click ‘Agree’ without reading any of the other nested screens, and the Court found those users were not likely to have been misled as they didn’t take appropriate steps to inform themselves when they could have. However, the ACCC’s case did not include these users. 

Its case focused on a subset of users (that the parties agreed was “atypical”) who were interested in privacy issues and clicked on the ‘More Options’ button. Those users were presented with a Location heading and a Web & Activity heading, both of which had a ‘Learn More’ button that led to an additional screen with more information. However, the Web & App Activity heading under the ‘More Options’ screen did not include the word ‘location’, and instead referred to ‘activity’.

The ACCC argued there were three classes of this subset of users who were misled:

  1. users who had heightened concerns about security and would be misled by the Privacy and Terms screen when considering what settings should be activated

  2. users who chose to have the Location History turned off, and would be misled into believing this was the only setting that influenced collection of personal location data

  3. users who had considered turning Web & App Activity off but, were misled by Google’s representations (or lack thereof) regarding the collection of location data under this setting and chose to leave the setting on.

The ACCC ran its case on a number of grounds under the ACL, including s18 (misleading or deceptive conduct). The ACCC was partially successful in its case and succeeded in demonstrating misleading or deceptive conduct in respect of the display screens shown to users in the above categories.

Google submitted that all the screens should be read as a whole, stating they contained links to Google’s Privacy Policy, which provided further detail on their data collection practices. Additionally, Google argued that the word ‘activity’ clearly included location, when read together with the earlier ‘Privacy and Terms’ screen or when the ‘Learn more’ link was clicked. Google also submitted that a user in this category would necessarily be privacy focused and would pay careful attention to the information on the various screens.

While some users would take the time to carefully examine and consider all disclosures and terms and conditions to inform themselves of the use of their data, the Court recognised that not all privacy-focused users would behave that way. Where users rely on a simple summary of information which is set out for them as to the effect of a particular setting, failure to sufficiently detail the information which would be important to consumers in their decision may be misleading and deceptive. The Court held a number of consumers would simply click through and not visit each prompt or read the full terms in detail. The information displayed to consumers was insufficient to properly notify consumers of the collection of their data and was held to be likely to have been misleading to some consumers in the above classes.

Insights from the case

This case demonstrates the importance of transparent and clear notices regarding the collection and use of personal data. Businesses need to make sure that their privacy policies, terms and conditions, and notices to consumers are concise and clearly outline the collection and use of personal data.

It is not enough to expect consumers to read the fine print. Businesses such as app and software developers should assume that many consumers will rely on screen prompts only, and therefore place important information prominently in those locations.

How to do this on devices with small screens is an obvious question. One option may be to prevent users from setting up their devices unless certain screens and information have been accessed. As noted above, if a user fails to read information made available to them, the user then assumes a degree of risk and would have some difficulty demonstrating they had been misled.

While enforcement of the privacy laws is not generally within the ACCC’s jurisdiction, its ongoing monitoring of digital platform services, coupled with the publication of its Digital Platform Services Inquiry 2020-2025 Interim Report, make clear its intent. The ACCC is cracking down on consumer privacy breaches and will use its powers under the ACL to protect consumer interests in the privacy sphere.

Businesses should ensure not only that they comply with relevant privacy laws, but that they are transparent with consumers about how personal data will be collected and used.

Authors: Jason Sprague & Jonathan Harris