The ACCC has issued proceedings against Google for allegedly misleading consumers about the collection and use of location data.

Key takeouts

The ACCC has issued proceedings against Google for allegedly misleading consumers about the collection and use of location data.

This proceeding is further evidence of the ACCC's increased interest in privacy-related regulatory issues, as foreshadowed in its Digital Platforms Inquiry Final Report.

This case has potentially broader impacts for organisations' privacy compliance arrangements, in particular, representations (including by omission) made in privacy policies and notices, as well as the overall impression created by organisations with respect to their use and handling of data.

The ACCC announced on 29 October 2019 that it has issued proceedings against Google LLC and Google Australia Pty Ltd (Google) for Google's alleged false and misleading representations to consumers about the personal location data that Google collects, holds and uses. The ACCC's case focuses on Google's representations in relation to two Google Account settings: the 'Location History' setting and the 'Web & App Activity' setting.

Google is alleged to have misled consumers to believe that their location history was not being collected when the Location History setting was turned off. In fact, the Web & App Activity setting also had to be turned off in order to stop Google from collecting the consumer's location data.

The ACCC also alleges that Google misrepresented the purposes for which the Location History and Web & App Activity data would be used. According to the ACCC, on-screen messages did not disclose to the consumer that their data might be used by Google for purposes beyond the stated purpose (being the consumer's use of Google's services).

The broader context

Unlike its counterpart in the United States (the Federal Trade Commission), until recently, the ACCC has not traditionally taken action against organisations in relation to misleading and deceptive conduct concerning the collection, use and disclosure of personal information.

The ACCC has now shown a broadening of its enforcement focus into the privacy sphere.

We saw the ACCC's first foray into this space earlier this year, when it commenced proceedings against HealthEngine for misleading and deceptive conduct. The ACCC has alleged that the online booking platform unlawfully shared patient data, including names, phone numbers, email addresses and date of birth, with insurance brokers. This matter is proceeding through the Federal Court.

The ACCC's action against Google is another example of the ACCC's use of consumer protection provisions to address privacy concerns. This action against Google is not unexpected, with the ACCC referring to its ongoing privacy-related investigations (including in relation to Google) in its Digital Platforms Inquiry Final Report (Final Report) published in July.

In the Final Report, the ACCC recommended, amongst other things, that Australia's privacy laws should be amended to include stronger consent and notification requirements; increased penalties under the Privacy Act (in line with the Australian Consumer Law); and, relevantly for the Google case, a broader definition of 'personal information' that captures technical data (such as location data and IP addresses).

More information about the ACCC's privacy-related findings in the Final Report can be found in our previous article on this topic, ACCC calls for privacy law reform and a move towards GDPR-style privacy laws.

It is clear from the recommendations in the Final Report, as well as from these proceedings, that the ACCC considers privacy and data protection issues to be serious consumer issues, falling well within the ambit of the Australian Consumer Law, that are worthy of litigation.

Lessons for organisations

Organisations should take the opportunity to regularly review their privacy policies, notices and other privacy-related statements that they make – as well as the overall impression conveyed – in relation to their handling of personal information. This review should not only ensure compliance with applicable privacy laws, but also that all such statements are accurate and do not convey a potentially false, misleading or deceptive representation or impression.

Organisations should expect that the ACCC will continue to closely scrutinise potential issues arising from direct and indirect representations concerning the collection, use and disclosure of personal information.