It’s all over the news. The ACCC has instituted proceedings (Google Proceedings) in the Federal Court against Google LLC and Google Australia Pty Ltd (together, Google), alleging the tech giant engaged in misleading conduct and made false or misleading representations to consumers about the personal location data Google collects, keeps and uses.
The ACCC claims that from at least January 2017, Google breached the Australian Consumer Law when it made on-screen representations on Android mobile phones and tablets that the ACCC alleges misled consumers about the location data Google collected or used when certain Google Account settings were enabled or disabled.
‘We are taking court action against Google because we allege that as a result of these on-screen representations Google has collected, kept and used highly sensitive and valuable personal information about consumers’ location without them making an informed choice,’ ACCC chair Rod Sims said.
The Google Proceedings come hot on the heels of the ACCC’s case against HealthEngine (HealthEngine Proceeding). In the HealthEngine Proceeding, the ACCC is alleging that HealthEngine, which runs a medical appointment booking app, misled consumers by collecting personal information for the purpose of providing the medical appointment service but also passing on that personal information to law firms seeking clients for personal injury claims. In other words, misleading consumers about what they were doing with their personal data.
The ACCC is sending a crystal clear message to the market: don’t mislead consumers about the way in which you use their personal data. In privacy terms, this is known as ‘functional creep’, collecting personal information for one purpose and using it for another entirely different purpose (and not being open and transparent about that).
The ACCC has come out swinging when it comes to privacy related matters in a way the Office of the Australian Information Commissioner (OAIC) has not been able to do in regulating the Privacy Act (likely due to a number of factors, including resourcing).
In our view, the ACCC’s Google Proceedings and HealthEngine Proceedings, together with the ACCC’s 600+ page Digital Platform Inquiry, signal a new era of consumer-focused privacy reform in Australia where compliance with the Privacy Act is not going to be the end of the story when it comes to the collection and use of personal information.
In order for organisations to stay on the right side of the law and not mislead individuals about their personal information it is clear that organisations must:
- Take a ‘privacy by design’ approach and think about privacy at the start of a project. This is best done by conducting a privacy impact assessment which can assess the use of data and put in place adequate controls;
- Be open and transparent with individuals and consumers about how their personal information is being used – relying on bundled consent in privacy policies and collection statements for a secondary use and disclosure is increasingly becoming pretty risky given the ACCC’s actions;
- Don’t be creepy! To avoid misleading consumers about the way in which you use and disclose their personal information – be mindful of functional creep. Consider the reason why the consumer gave you their personal information in the first place and whether you are using their personal information for that purpose (again, conducting a Privacy Impact Assessment for new projects is crucial).