As we discussed in our last Cyber Update, Woolworths Group (Woolworths) was recently issued an infringement notice for $1,003,800 by the Australian Communications and Media Authority (ACMA) – the largest fine it has ever issued.
The fine, along with some stringent undertakings, was in respect of 5 million breaches of the Spam Act 2003 (Cth) between October 2018 and July 2019.
In a recent development, Google LLC (Google) has become the latest target in an increasing regulatory crackdown.
The allegations against Google
The Australian Competition and Consumer Commission (ACCC) commenced legal proceedings against Google alleging that:
- Firstly, by the decision in 2016 to combine personal information in consumers’ Google accounts with information about their activities on 'non-Google sites', Google misled consumers by:
- failing properly to inform them; and
- not obtaining their explicit informed consent.
- These ‘non-Google’ sites displayed ads and used Google technology known as ‘DoubleClick’, resulting in identifying information and names of consumers' held by Google being linked to their 'non-Google' activity.
- The ACCC alleged this contributed to the performance of Google’s advertising business.
- inserted the words “[d]epending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google.”
It is from this portion the ACCC alleged the misrepresentation derived.
The ACCC Chair, Mr Rod Sims was not complimentary in his statements:
“The use of this new combined information allowed Google to increase significantly the value of its advertising products, from which it generated much higher profits.”
.…“The ACCC considers that consumers effectively pay for Google’s services with their data, so this change introduced by Google increased the “price” of Google’s services, without consumers’ knowledge”.
Organisations need be alive to the legal obligations which arise when navigating the interplay of marketing, business structures and their cyber networks.
In addition to their legal obligations under both state and federal law, Australian organisations who operate in the European Union (EU), will also need to consider their compliance with the General Data Protection Regulation (GDPR).
The proceedings against Google and Woolworths highlight some key takeaways:
If you have any queries in relation to this article, please do not hesitate to contact Iain Freeman or Lorraine Madden.
Disclaimer – the information contained in this publication does not constitute legal advice and should not be relied upon as such. You should seek legal advice in relation to any particular matter you may have before relying or acting on this information. The Lavan team are here to assist.