Australian Competition & Consumer Commission sues Google for misleading and deceptive conduct… but it really is a breach of data privacy case
July 27, 2020 |
Last Friday the Australian Competition & Consumer Commission (“ACCC”) announced that it has commenced proceedings against Google LLC alleging misleading and deceptive conduct in failing to inform consumers and obtain their informed consent from 2016 that it was combining their personal information in Google accounts with information gleaned from their activities in non Google sites which use Google technology. The ACCC also alleges that Google misled consumers about changes to its privacy policy.
The ACCC has not released the concise statement and the case has not appeared on the Federal Court website as yet. It is interesting, and something of a relief, that the ACCC is stepping up and taking on privacy related cases instead of the Australian Information Commissioner. Unfortunately the Commissioner has a lamentable track record in enforcing privacy breaches, particularly in the Federal Court.
The nature of the case as described by the ACCC seems to follow a tried and true approach used by the Federal Trade Commission in the United States, attacking privacy and data breaches through breaches of contractual terms or misleading and deceptive conduct. It is also an approach that the Federal Court is more comfortable with. To date the Federal Court has produced judgments that betray a bewildering befuddlement regarding privacy principles; namely the Privacy Commission v Telstra Corporation [2017] FCAFC 4 (also known as the Ben Grubb decision) and AIT 18 v Australian Information Commissioner [2018] FCAFC 192. Given the dearth of decisions relating to the Privacy Act these judgments have been a significant blow to the development of a coherent understanding of how the Privacy Act operates in practice.
Now two Australian regulators have Federal Court proceedings on foot, the Information Commissioner in a civil penalty proceedings against Facebook and this proceeding by the ACCC as well as an action against Google in October last year (File reference NSDI 1760/2019). The October action alleged that Google misled Android users about steps needed to disable its ability to track and use their location data. The Concise Statement is found here. That case is summarised by ACCC as:
The ACCC has instituted proceedings in the Federal Court against Google LLC and Google Australia Pty Ltd (together, Google), alleging they engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses.
The ACCC claims that from at least January 2017, Google breached the Australian Consumer Law when it made on-screen representations on Android mobile phones and tablets that the ACCC alleges misled consumers about the location data Google collected or used when certain Google Account settings were enabled or disabled.
The representations were made to consumers setting up a Google Account on their Android mobile phones and tablets, and to consumers who later accessed their Google Account settings through their Android mobile phones and tablets.
“We are taking court action against Google because we allege that as a result of these on-screen representations, Google has collected, kept and used highly sensitive and valuable personal information about consumers’ location without them making an informed choice,” ACCC Chair Rod Sims said.
Collection of data representation
The ACCC’s case regarding the collection of location data focuses on two Google Account settings: one labelled ‘Location History’; and another labelled ‘Web & App Activity’.
The ACCC alleges that from January 2017 until late 2018, it was misleading for Google to not properly disclose to consumers that both settings had to be switched off if consumers didn’t want Google to collect, keep and use their location data.
Instead, the ACCC alleges that when consumers set up a Google Account on their Android phone or tablet, consumers would have incorrectly believed, based on Google’s conduct, that ‘Location History’ was the only Google Account setting that affected whether Google collected, kept or used data about their location.
Similarly, if consumers later accessed their Google Account settings on their Android device, Google did not inform them that by leaving ‘Web & App Activity’ switched on, Google would continue to collect location data.
“Our case is that consumers would have understood as a result of this conduct that by switching off their ‘Location History’ setting, Google would stop collecting their location data, plain and simple,” Mr Sims said.
“We allege that Google misled consumers by staying silent about the fact that another setting also had to be switched off.”
“Many consumers make a conscious decision to turn off settings to stop the collection of their location data, but we allege that Google’s conduct may have prevented consumers from making that choice.”
The ACCC also alleges that from around mid-2018 until late 2018, Google represented to consumers that the only way they could prevent Google from collecting, keeping and using their location data was to stop using certain Google services, including Google Search and Google Maps. However, this could be achieved by switching off both ‘Location History’ and ‘Web & App Activity’.
Use of data representation
The ACCC also alleges that Google’s on-screen statements explaining how location data would be used when customers accessed their ‘Location History’ and ‘Web & App Activity’ settings were misleading.
From March 2017 when a consumer accessed the ‘Web & App Activity’ settings, and from May 2018 when a consumer accessed the ‘Location History’ setting, Google displayed on-screen messages that represented that location data would only be collected and used by Google for the consumer’s use of Google services.
Google did not disclose that the data may be used by Google for a number of other purposes unrelated to the consumer’s use of Google’s services.
“We consider that because of Google’s failure to disclose this use of data, consumers were and still are deprived of the opportunity to make an informed choice about whether to share their personal location data with Google,” Mr Sims said.
“Transparency and inadequate disclosure issues involving digital platforms and consumer data were a major focus of our Digital Platforms Inquiry, and remain one of the ACCC’s top priorities.”
By making the collection and use of data representations, the ACCC alleges that Google also engaged in conduct liable to mislead the public about the nature, characteristics and suitability for purpose of the Android operating system, Google services and Google Pixel phones.
The ACCC is seeking penalties, declarations and orders requiring the publication of corrective notices and the establishment of a compliance program.
Background:
Google LLC is a multinational company incorporated in the United States with its headquarters in Mountain View, California. It is a subsidiary of Alphabet Inc.
Google Australia Pty Ltd is a subsidiary of Google LLC and conducts certain aspects of Google LLC’s business in Australia, including the distribution of Pixel phones.
In addition to its use in providing consumers with Google Services, such as Google Maps, Google also uses location data for advertising purposes, which include:
-
- to personalise advertisements for other users;
- to infer demographic information;
- to measure the performance of advertisements;
- to promote, offer to supply or supply advertising services to third parties; and/or
- to produce anonymized, aggregated statistics (such as store visit conversions statistics) and share those statistics with advertisers.
Google LLC supplies a range of software products and services to Australian consumers, including:
-
- the Google Play Store;
- Google Search;
- Google Chrome;
- Google Maps;
- Gmail; and
- YouTube.
These services are accessed using Google Accounts. Some of them, such as the Google Play Store, can only be accessed if a consumer has signed into a Google Account, while others, such as YouTube, have less functionality if the user has not signed in.
The default setting for new Google Accounts is for “Location History” to be turned “off” (or “paused”) and the “Web & App Activity” setting to be turned “on”.
If “Location History” is turned “on”, Google regularly collects and keeps personal data relating to the user’s location. However, even if “Location History” is turned off, when the Web & App Activity setting is turned “on”, Google obtains and keeps personal data relating to the user’s activities on Google apps and services, including personal data in relation to the user’s location.
The ACCC’s Digital Platforms Inquiry final report recommended that privacy legislation be strengthened, including by:
-
- updating the definition of “personal information” in the Privacy Act to clarify that it captures technical data such as IP addresses, device identifiers, location data, and any other online identifiers that may be used to identify an individual; and
- strengthening notification and consent requirements to ensure consumers can make informed decisions about the personal data they allow digital platforms to collect.
Examples:
The examples below are hypothetical and outline how the ACCC alleges Google’s conduct may have allowed Google to collect data when “Location History” was switched off.
Hypothetical Example A
John uses the Google Maps app on his Android phone to get directions from his office in Sydney’s CBD to Archibald Fountain in Hyde Park. John opens the Google Maps app and manually enters “Archibald Fountain, Hyde Park” as the destination. Following directions given by Google Maps and holding his mobile device, John walks from his office to Archibald Fountain.
Google saves data about John’s location in his Google Account even though “Location History” was switched off because leaving on “Web & App activity” allowed Google to save this data through John’s use of Google Maps.
Hypothetical Example B
Mary is at a shopping centre in Townsville. She opens the Google Assistant app on her Android phone and uses the voice recognition functionality to ask “Where is the post office?” As part of this activity, Google saves data about Mary’s location in her Google Account even though “Location History” was switched off because leaving on “Web & App activity” allowed Google to save this data through Mary’s use of the Google Assistant service.
Images
Data collection representation
The below images show a version of the description of the Location History and Web & App Activity settings shown to consumers setting up a Google Account on their Android mobile device between 30 April 2018 and 19 December 2018:
The below image shows a statement shown to consumers who used their Android mobile device to turn off (or “pause”) the Location History setting between early 2017 and late 2018:
The below images show statements shown to consumers who used their Android mobile device to access the Web & App Activity setting between early 2017 and late 2018:
Data use representation
The below image shows a statement shown to consumers who used their Android mobile device to turn off (or “pause”) the Location History setting from late 2018 to date.
The below image shows a statement shown to consumers who accessed the Web & App Activity setting from late 2018 to date:
This proceeding is scheduled to be heard from 30 November – 4 December 2020 by Justice Thawley in New South Wales. There will be a case management hearing before his Honour Justice this Friday.
In relation to the latest proceeding the ACCC statement provides:
The ACCC has launched Federal Court proceedings against Google LLC (Google), alleging Google misled Australian consumers to obtain their consent to expand the scope of personal information that Google could collect and combine about consumers’ internet activity, for use by Google, including for targeted advertising.
The ACCC alleges Google misled consumers when it failed to properly inform consumers, and did not gain their explicit informed consent, about its move in 2016 to start combining personal information in consumers’ Google accounts with information about those individuals’ activities on non-Google sites that used Google technology, formerly DoubleClick technology, to display ads.
This meant this data about users’ non-Google online activity became linked to their names and other identifying information held by Google. Previously, this information had been kept separately from users’ Google accounts, meaning the data was not linked to an individual user.
Google then used this newly combined information to improve the commercial performance of its advertising businesses.
The ACCC also alleges that Google misled consumers about a related change to its privacy policy.
“We are taking this action because we consider Google misled Australian consumers about what it planned to do with large amounts of their personal information, including internet activity on websites not connected to Google,” ACCC Chair Rod Sims said.
“Google significantly increased the scope of information it collected about consumers on a personally identifiable basis. This included potentially very sensitive and private information about their activities on third party websites. It then used this information to serve up highly targeted advertisements without consumers’ express informed consent,” Mr Sims said.
“We allege that Google did not obtain explicit consent from consumers to take this step.”
“The use of this new combined information allowed Google to increase significantly the value of its advertising products, from which it generated much higher profits.”
“The ACCC considers that consumers effectively pay for Google’s services with their data, so this change introduced by Google increased the “price” of Google’s services, without consumers’ knowledge,” Mr Sims said.
“I agree” notification
The conduct is alleged to have impacted millions of Australians with Google accounts.
From 28 June 2016 until at least December 2018, Google account holders were prompted to click “I agree” to a pop-up notification from Google that purported to explain how it planned to combine their data, and sought the consumers’ consent for this.
Some new features for your Google Account
We’ve introduced some optional features for your account, giving you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads.
The notification also stated, “More information will be available in your Google Account making it easier for you to review and control”; and “Google will use this information to make ads across the web more relevant for you.”
Before June 2016, Google only collected and used, for advertising purposes, personally identifiable information about Google account users’ activities on Google owned services and apps like Google Search and YouTube.
After June 2016, when consumers clicked on the “I agree” notification, Google began to collect and store a much wider range of personally identifiable information about the online activities of Google account holders, including their use of third-party sites and apps not owned by Google.
Previously, this additional data had been stored separately from a user’s Google account.
Combined with the personal data stored in Google accounts, this provided Google with valuable information with which to sell even more targeted advertising, including through its Google Ad Manager and Google Marketing Platform brands.
The ACCC alleges that the “I agree” notification was misleading, because consumers could not have properly understood the changes Google was making nor how their data would be used, and so did not – and could not – give informed consent.
“We believe that many consumers, if given an informed choice, may have refused Google permission to combine and use such a wide array of their personal information for Google’s own financial benefit,” Mr Sims said.
Privacy policy change
Before 28 June 2016, Google stated in its privacy policy that it “will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent.”
On 28 June 2016, Google deleted this statement and inserted the following statement: “[d]epending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google.”
Google’s privacy policy also states: “[w]e will not reduce your rights under this Privacy Policy without your explicit consent.”
The ACCC alleges that Google did not in fact obtain consumers’ explicit consent for this change to the privacy policy, and that Google’s statement that it would not reduce consumers’ rights without their explicit consent was therefore misleading.
“Google made a clear representation about how it would protect users’ privacy. The ACCC alleges that Google made changes without obtaining the explicit consent it had promised consumers it would obtain before altering how it protected their private information,” Mr Sims said.
DoubleClick
In 2008, Google acquired DoubleClick, a supplier of ad-serving technology services to publishers and advertisers.
Google now supplies DoubleClick’s services through its Google Ad Manager and Google Marketing Platform brands, which are the leading suppliers of ad-tech intermediary services.
These services track users’ internet activity on third-party sites that display ads through the use of DoubleClick’s advertising technology.
Google’s acquisition of DoubleClick required approval by competition authorities including the US Federal Trade Commission and the European Commission. The ACCC also reviewed and cleared this transaction.
FTC and EC cleared the acquisition, and in doing so considered submissions from Google that it would not be able to combine DoubleClick’s data on consumers’ internet activity with its own data about consumers’ activity on Google services because, at the time, DoubleClick’s contracts with its users prevented Google from doing so.
The agencies did not, however, rely on these submissions in clearing the acquisition.
Before 28 June 2016, Google collected and stored this information on a non-personally identifiable basis, as stated in its privacy policy.
On 28 June 2016, it changed its privacy policy by removing the term explaining how it would treat this DoubleClick data.
Impact of the change – hypothetical example
Mary has a Google account. She regularly uses the internet on both her desktop computer and mobile device, while logged in to her Google account.
Before 28 June 2016, if Mary used a web browser on her desktop computer to visit non-Google websites, including websites that use DoubleClick technology, such as news or shopping sites or to research a health issue, Google did not save data about these activities with Mary’s Google account.
Similarly, if Mary used a non-Google app on her mobile device, for example, a fitness app, Google did not save data about this activity with her Google account.
While Google may have collected information about these activities, it stored this information separately from a user’s Google account.
After 28 June 2016, if Mary clicked “I agree” on the notification described above, Google started saving information about Mary’s activities on non-Google websites and apps that used Google/DoubleClick technology, with her Google account.
For example, if Mary was researching a personal health issue on her desktop computer and visited a health website that uses Google technology to display ads, Google would have saved data about this activity with Mary’s Google account.
Similarly, if Mary used a fitness app on her mobile device that used Google technology to display ads, Google would have saved data about this activity with Mary’s Google account.
Google uses information that is stored with a consumer’s Google account to show them targeted ads.
Images
Depending on the device and Google service being used by the consumer, the notification published by Google from 28 June 2016 was presented in a variety of ways. A copy of the notification in the form published to consumers using desktop devices is provided below for reference.
Source: Provided to the ACCC by Google Australia Pty Ltd
The relevant changes to Google’s Privacy Policy made on 28 June 2016 are also shown below for reference:
Source: Accessed from https://policies.google.com/privacy/archive?hl=en-US on 24 June 2020
Background
Google LLC (Google) is a multinational company incorporated in the United States with its headquarters in Mountain View, California. It is a subsidiary of Alphabet Inc.
Google supplies a range of services to consumers in Australia including Google Search, Google Maps, Gmail, YouTube, Google Play and Google Chrome.
Google also provides advertising services and analytics services to individuals and businesses. Advertising services are provided on Google services, such as Google Search, Google Maps and YouTube, as well as on websites and mobile device based applications not published or controlled by Google that partner with Google to display advertisements.
Google derives the majority of its revenue from its advertising and analytics services.
Note: The concise statement has not been attached as it has been filed on a confidential basis pending claims by Google.
The litigation is reported in the Australian in Google to ‘vigorously defend’ ACCC case which provides:
Google says it will defend itself against claims from Australia‘s consumer watchdog, which on Monday launched blockbuster Federal Court action against the tech giant.
The ACCC is alleging Google misled Australian consumers to obtain their consent to expand the scope of personal information that Google could collect and combine about consumers’ internet activity.
The Federal Court action, if it goes to trial, is expected to be closely watched around the world from both regulators and technology companies.
The alleged behaviour affects millions of Australians with Google accounts.
“In June 2016, we updated our ads system and associated user controls to match the way people use Google products: across many different devices,” a Google spokesman told The Australian.
“The changes we made were optional and we asked users to consent via prominent and easy-to-understand notifications. If a user did not consent, their experience of our products and services remained unchanged. We have co-operated with the ACCC’s investigation into this matter.
“We strongly disagree with their allegations and intend to defend our position.”
In its filing the ACCC alleges Google misled consumers when it failed to properly inform consumers, and did not gain their explicit informed consent, about its move in 2016 to start combining personal information in consumers’ Google accounts with information about those individuals’ activities on non-Google sites that used Google technology to display ads.
This meant this data about users’ non-Google online activity became linked to their names and other identifying information held by Google. Previously, this information had been kept separately from users’ Google accounts, meaning the data was not linked to an individual user.
“We are taking this action because we consider Google misled Australian consumers about what it planned to do with large amounts of their personal information, including internet activity on websites not connected to Google,” ACCC Chair Rod Sims said.
“Google significantly increased the scope of information it collected about consumers on a personally identifiable basis. This included potentially very sensitive and private information about their activities on third party websites. It then used this information to serve up highly targeted advertisements without consumers’ express informed consent.
“We allege that Google did not obtain explicit consent from consumers to take this step.
“The use of this new combined information allowed Google to increase significantly the value of its advertising products, from which it generated much higher profits. The ACCC considers that consumers effectively pay for Google’s services with their data, so this change introduced by Google increased the “price” of Google’s services, without consumers’ knowledge.“
The alleged behaviour relates to an ‘I agree’ pop-up from Google, from June 2016 until at least December 2018, in which users were prompted with information about how Google would use their data.
The ACCC alleges that the “I agree” notification was misleading, because consumers could not have properly understood the changes Google was making nor how their data would be used, and so did not – and could not – give informed consent.
“We believe that many consumers, if given an informed choice, may have refused Google permission to combine and use such a wide array of their personal information for Google’s own financial benefit,” Mr Sims said.
The story is also covered by the ABC in Google sued by ACCC for allegedly misleading consumers into signing away their privacy, Google sued by ACCC for allegedly linking data for ads without consent, itnews in ACCC takes second swing at Google for allegedly misleading customers and the Australian Financial Review in Google ‘mined personal data for ads’: ACCC court action.