(Not) Ok Google: Tech giant sued for misleading privacy notice

As we discussed in our last Cyber Update, Woolworths Group (Woolworths) was recently issued an infringement notice for $1,003,800 by the Australian Communications and Media Authority (ACMA) – the largest fine it has ever issued.

The fine, along with some stringent undertakings, was in respect of 5 million breaches of the Spam Act 2003 (Cth) between October 2018 and July 2019.

In a recent development, Google LLC (Google) has become the latest target in an increasing regulatory crackdown.

The allegations against Google

The Australian Competition and Consumer Commission (ACCC) commenced legal proceedings against Google alleging that:

  • Firstly, by the decision in 2016 to combine personal information in consumers’ Google accounts with information about their activities on 'non-Google sites', Google misled consumers by:
    • failing properly to inform them; and
    • not obtaining their explicit informed consent.  
  • These ‘non-Google’ sites displayed ads and used Google technology known as ‘DoubleClick’, resulting in identifying information and names of consumers' held by Google being linked to their 'non-Google' activity.
  • The ACCC alleged this contributed to the performance of Google’s advertising business.
  • Secondly, the ACCC claimed Google misled consumers about a change to its privacy policy.
  • On 28 June 2016 Google deleted the statement Google “will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent” from its privacy policy; and
  • inserted the words “[d]epending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google.

However, the privacy policy also stated “[w]e will not reduce your rights under this Privacy Policy without your explicit consent.

It is from this portion the ACCC alleged the misrepresentation derived.

The ACCC Chair, Mr Rod Sims was not complimentary in his statements:

“The use of this new combined information allowed Google to increase significantly the value of its advertising products, from which it generated much higher profits.”

and

.…“The ACCC considers that consumers effectively pay for Google’s services with their data, so this change introduced by Google increased the “price” of Google’s services, without consumers’ knowledge”.

Lavan comment

Organisations need be alive to the legal obligations which arise when navigating the interplay of marketing, business structures and their cyber networks.

In addition to their legal obligations under both state and federal law, Australian organisations who operate in the European Union (EU), will also need to consider their compliance with the General Data Protection Regulation (GDPR).

The proceedings against Google and Woolworths highlight some key takeaways:

  • it is integral to have a well drafted and up to date cyber and privacy policy that is compliant with the relevant legislation and government guidelines; and
  • you must ensure that users give informed consent to any changes you make to your privacy policy.

Lavan can assist you with preparing changes to your cyber and privacy policy, work with you on how to announce the changes to users so that you or your organisation does not find itself in a similar position as Google – and avoid allegations of a lack of informed consent and misleading conduct.

If you have any queries in relation to this article, please do not hesitate to contact Iain Freeman or Lorraine Madden.