On 29 October 2019, the Australian Competition and Consumer Commission (ACCC) commenced litigation in the Federal Court of Australia against Google LLC and Google Australia Pty Ltd (together, Google) for alleged contraventions of the Australian Consumer Law (ACL) relating to the collection, retention and use of users' location data on Android phones and tablets. The case concerns the adequacy of Google's disclosures to consumers about what location data Google would collect, how that data would be collected and how it would be used.
The ACCC is seeking pecuniary penalties under the new ACL penalty regime that has applied since 1 September 2018 and a range of other remedial orders.
The litigation is the first enforcement action by the ACCC against a digital platform since it published its Final Report of its Digital Platforms Inquiry in July 2019. It shows the ACCC taking enforcement action in relation in some of the key consumer and privacy related areas of concern it identified in the Final Report as well as in its later draft report of the ACCC's Customer loyalty schemes review published in September 2019.
The ACCC's case: Google deprived users of the opportunity to make an informed choice about whether to share their location data
The ACCC alleges that Google collected, kept and used Android users' location data without allowing users to make an informed choice about whether to enable or disable relevant settings, and in doing so engaged in misleading or deceptive conduct and made false or misleading representations to consumers.
The ACCC claims that when users set up a new Google Account on an Android phone or tablet, and subsequently accessed their Google Account settings through their Android device, Google made on-screen representations that a user's location data would not be tracked if the "Location History" setting was turned off (which was the default position set by Google).
However, the ACCC alleges that Google did not properly disclose to consumers that a second setting called "Web & App History", which was turned on by default and was accessed through a different part of the Settings page, also had to be turned off if consumers didn’t want Google to collect, keep and use their location data. The ACCC also claims that Google failed properly to disclose how the data it collected would be used.
“We consider that because of Google’s failure to disclose this use of data, consumers were and still are deprived of the opportunity to make an informed choice about whether to share their personal location data with Google …
Transparency and inadequate disclosure issues involving digital platforms and consumer data were a major focus of our Digital Platforms Inquiry, and remain one of the ACCC’s top priorities." − ACCC Chairman Rod Sims
The ACCC is seeking penalties, declarations and orders requiring the publication of corrective notices and the establishment of a compliance program.
The ACCC is using its consumer law enforcement toolkit to address concerns about consumers' privacy
The case is an important indicator of how the ACCC views the intersection of consumer law and privacy. It shows the ACCC using its existing consumer law enforcement tools to take court action and send a deterrence message where it thinks a company's data protection practices in relation to obtaining informed consent and the adequacy of disclosure might fall short of consumer expectations and breach the ACL.
In the Final Report of the Digital Platforms Inquiry and Appendix E of the draft report of the ACCC's Consumer loyalty schemes, the ACCC made a suite of recommendations relating to the need to strengthen privacy protections for consumers. These included:
- strengthening protections in the Privacy Act, including amending the definition of "personal information" to explicitly cover location data and other online identifiers, strengthening data collection notification and consent requirements, and introducing a direct right to bring individual or collective actions for interference with privacy (Recommendation 16);
- broader reform of Australia's privacy law to ensure it continues to effectively protect consumers' personal information in light of the increasing volume and scope of data collection in the digital economy (Recommendation 17); and
- introducing a statutory tort for serious invasions of privacy that may not be captured within the scope of the Privacy Act (Recommendation 19).
In the meantime, while the ACCC continues to advocate for these changes, we are likely to see more economy-wide enforcement action in the near future as the ACCC uses its existing toolkit to take action about conduct which it considers is false, misleading or deceptive. If the ACCC does not succeed in these cases, it is likely to push for law reform through the introduction of an "unfair business practices" prohibition to the ACL (Recommendation 21 of the Digital Platforms Inquiry Final Report).
Part of a global trend: Google is facing similar lawsuits in the United States and Europe – but this is the first to be brought by a regulatory authority
The ACCC's litigation against Google is consistent with the recent interest of overseas regulators and competition authorities in the overlap between competition law and privacy. It is also the latest in a growing list of international cases regarding the collection and use of users' personal information.
In August 2018 a class action against Google was filed in San Francisco, Patacsil v Google Inc (U.S. District Court, N.D. Cal., No. 18-05062). That class action alleges that Google violated the California Invasion of Privacy Act and California's constitutional right to privacy, by tracking the location history of Android and iPhone users even after they had turned off their "Location Services" setting. The plaintiffs seek injunctive relief and unspecified damages. The apparent similarity between this case and the ACCC's litigation may also indicate increased coordination in this area between competition regulators.
Similar class actions have since been filed against Google under a combination of California privacy law and other United States consumer and business legislation, including Lee, Smedley & David v Google Inc (Colorado consumer protection law), Kaufman v Google LLC (Florida consumer protection law) and Jack v Google, Inc (New York General Business law).
In November 2018, seven European consumer organisations (all members of the European Consumer Organisation) simultaneously filed complaints against Google for breach of the General Data Protection Regulation in relation to how it tracks users' location. The consumer groups referred Google to their respective national data protection authorities, alleging that Google misleads consumers into enabling "Location History" and "Web & App Activity" settings, and does not obtain users' free consent to collect and use location data. The groups also claim Google does not have a "legitimate interest" to collect and process location data.
Review your data collection practices now
All businesses that collect and use customers' personal data, whether directly or through a third party, especially those that actively or passively track users' location data, should review their data practices to:
- ensure that they provide users with a clear, concise, unambiguous and easily accessible notification about their data collection practices, including the data that is collected, how it used and to whom it is disclosed and for what purposes; and
- if user consent is obtained, ensure that consent is freely given, unambiguous, and informed (meaning users know what is being asked of them, and about the consequences of providing or withholding consent).
If you would like help reviewing your data collection practices, please get in touch.