The Australian Competition and Consumer Commission (ACCC) launched proceedings in the Federal Court of Australia against Google for misleading Australian consumers about its privacy collection practices.

The ACCC alleges Google misled consumers when it failed to properly inform consumers, and failed to gain explicit informed consent, about its decision to combine personal information in consumers’ Google accounts with information about those individuals’ activities on non-Google sites to display targeted advertisements.

This meant this data about users’ non-Google online activity became linked to their names and other identifying information held by Google, when this had not previously occurred.  Armed with the newly linked data, Google was able to provide more effective targeted ads. 

The ACCC also alleges that Google misled consumers about a related change to its privacy policy.  Despite there being a pop up notice that purported to obtain the individuals’ consent to the change in practice, the ACCC alleges that consent was not genuinely and freely given because individuals could not understand what implications flowed from the change, and that this also breached Google’s own statement in its privacy policy that it would not make detrimental changes to its data handling practices without individuals’ consent.

The case demonstrates the clear linkage between consumer protection law and privacy law, which is a theme arising from the ACCC’s Digital Platform Inquiry – final report [1].

Of note, it is interesting that:

  • the consumer protection regulator, the ACCC, is bringing the proceedings rather than the privacy regulator, the Office of the Australian Information Commissioner (OAIC). It is a consumer protection claim rather than a privacy claim, even though it relates to privacy practices;
  • the regulator considers that the ‘price’ paid for a service is data – which makes it explicitly the consideration for any contract formed, but simultaneously excludes that term from the unfair terms regime in Australia (potentially at odds with the CCPA in California which looks to enable customers to refuse to ‘pay’ with data);
  • as a result of bringing the proceedings this way, the expanded enforcement and penalty regimes under the Competition and Consumer Act 2010 are available (including a penalty of 10% of the economic value of the impugned conduct). The ACCC has alleged that the impugned conduct was designed to increase the value of Google’s suite of services, so this is obviously a key consideration.  By contrast, the maximum financial penalty under the Privacy Act 1988 (Cth) is $2.1m for serious or repeated privacy breaches; and
  • this case explores the efficacy of consent in an online environment.  In the post-GDPR world, consent is an increasingly problematic basis on which to process data.  However, privacy law is not the only relevant perspective here.  In an online environment, consumer protection law makes unilateral changes to terms a potentially unfair term (subject of course to the note above about price not able to be an unfair term), and further, Google’s own terms said that consent would be sought for any negative changes (possibly to deal with the unfair terms issue), but consent for those new collection practices may not actually have been required under Australia’s privacy laws (consent is only required in very limited circumstances).  Therefore, it will be complicated to work out how those competing perspectives on consent will be ultimately resolved and the Court’s treatment of them will be very instructive across various spheres of online contracting.

[1] Digital Platforms Inquiry – final report (2019), Australian Competition and Consumer Commission, published 26 July 2019.