Relief for Google, but regulatory scrutiny will continue to intensify 5 min read
On 9 December 2022, the Federal Court dismissed an application by the Australian Competition and Consumer Commission (ACCC) that alleged Google LLC (Google) had contravened the Australian Consumer Law (ACL) by using on-screen notifications to inform and seek the consent of its account holders to changes to settings in their Google Accounts and to its privacy policy (Privacy Policy).
Google sought consent for these changes so it could expand its ability to serve account-based advertising to users following its acquisition of digital advertising service provider DoubleClick Inc in 2008. This advertising relied upon the combination of account holders' activity information on third-party websites and apps (eg information collected by DoubleClick cookies) with activity information from Google's own services.
The ACCC alleged that Google had engaged in misleading or deceptive conduct, and made false or misleading representations by:
- failing to adequately inform account holders it was seeking their consent to combine or associate their personal information from their activity on third-party websites and apps with their activity on the services supplied by Google to create, generate and deliver advertising;
- making representations that it was only seeking consent to 'turn on new features'; and
- representing it would not reduce an account holder’s rights under the Privacy Policy without obtaining their explicit consent, when Google did, in fact, reduce those rights.
ACCC Acting Chair Delia Rickard said the regulator would now 'carefully consider the judgment', noting that Google's conduct 'came to [the ACCC's] attention as a result of [its] work on the Digital Platforms Inquiry'.
Key takeaways
- The Federal Court dismissed the ACCC's claims that Google failed to obtain explicit and informed consent from consumers about the use of their activity information, and had acted contrary to representations made in its Privacy Policy.
- The first screen of the consent notification was critical—account holders needed to be adequately informed at that point what it was they were being asked to consent to.
- The conduct was brought to the ACCC's attention through its Digital Platform Services Inquiry.
- Businesses can expect continuing regulatory scrutiny around issues of consumer consent and data collection, including as a result of continued focus by the ACCC on an area that is also within the regulatory purview of the OAIC as the main Australian privacy regulator.
ACCC allegations
Between June 2016 and December 2018, Google sought consent from account holders to combine the personal information obtained from their activity on Google Services (ie Google Search, Google Maps, Gmail, YouTube, Google Play, Google Chrome) with data obtained from their activity on third-party websites and apps for the purposes of creating a combined account-based advertising offering (ie serving advertisements to the account holder regardless of the device used).1 In seeking consent from account holders, Google displayed a notification on account holder mobile and desktop devices in various forms which prompted user consent to the proposed changes (the Notification).
The Notification set out how an account holder's data across Google Services (including browsing data from Google Chrome, and activity on websites that show advertisements from Google) would be used to 'make ads across the web more relevant for you' if the account holder accepted the changes to the Privacy Policy and activated the new features set out in the Notification. The Notification contained illustrations reflecting this feature and notice that the settings could be changed at any time. It also ended with two buttons: 'More Options' and 'I agree'.2
The first page of the Notification as it appeared on Android mobile devices is shown below3:
ACCC alleged that Google's Notification was misleading
The ACCC alleged that Google's conduct in publishing the Notification was misleading or deceptive because:
- it failed to inform, or adequately inform, account holders that Google was seeking to combine activity information from Google Services and third-party websites and apps so that Google could serve more targeted advertisements;
- the Notification had the tendency to lead to a reasonable and legitimate expectation or understanding by account holders that the information presented about the positive changes to their access to the data that Google was collecting was all the information that was necessary for them to consider;4 and
- the text and format design of the Notification was designed to maximise the number of account holders who consented, rather than to maximise the number who understood the implications of agreeing to the proposed changes.5
ACCC alleged that Google reduced account holders' rights without their explicit consent
The ACCC also contended that Google reduced the rights of account holders by making various changes to the Privacy Policy in June 2016 (June 2016 Privacy Update). In particular, Google:
- deleted a statement relating to DoubleClick, a company purchased by Google in 2007/2008 which supplied ad tech services to publishers (which offer advertising inventory) and advertisers (which pay to use this inventory), which read: 'we will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent'; and
- inserted: 'Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google’s services and the ads delivered by Google'.6
Google's Privacy Policy also stated: We will not reduce your rights under this Privacy Policy without your explicit consent.
In this context, the ACCC alleged that by making the June 2016 Privacy Update without the explicit consent of account holders, Google had reduced account holders' rights.
Google accepted it made a representation requiring the explicit consent of a consumer, but argued there was no reduction of rights under the Privacy Policy owing to the deletion of the June 2016 Privacy Update.7
The court's findings
The Notification for 'Skippers, Skimmers and Readers' was not misleading
The ACCC alleged that Google designed the Notification to maximise the number of account holders who checked 'I agree' rather than to maximise those who understood the implications of agreeing to the changes. However, the court found it unsurprising that Google wanted account holders to consent and found that Google designed a Notification which gave account holders the information necessary to understand the changes Google wanted to make so that consent was given on an appropriately informed basis. Google did this with regard to the range of its account holders being 'Skippers, Skimmers and Readers'.8
Significantly, the court considered the different segments of the Notification to be different 'pages' as the consumer would be required to scroll through the Notification for the full text, even though it was presented as single pop-up or window.9 The court therefore described the first screen of the Notification as 'critical'—if Google had misled consumers by omitting information on the first screen, this would have been misleading or deceptive even if consumers then went on to read other pages of the Notification.10
The court nevertheless found that the first page of the Notification was not misleading and account holders, acting reasonably in their own interests, would have been adequately informed upon reading the Notification that if they agreed to the proposed changes their data relating to activity on third-party websites and apps could be combined with the data already stored in their Google Accounts.11 This was the case even if it did not use the language of 'combined or 'associated':
'If [consumers] agreed to the proposed changes, the “more information” in their Google Account would now include the new information with the personal information already existing in their accounts and that this information, as a whole, could be used by Google.'12
The court also found that the first page of the Notification told Account Holders, directly, that Google would use the additional information to 'tailor ads' on websites and apps that partner with Google to be more relevant to account holders. The court was satisfied that the accompanying diagram would have provided account holders with a simple graphical illustration of the combined information being used by Google to provide advertisements across the web on their signed-in devices.13
Google sought and received explicit consent to change the Privacy Policy via the Notification
The court found that the June 2016 Privacy Update did not itself provide Google authority to combine account holders' data, but that the Privacy Update should not be seen as isolated text. The wording must be seen in the context of the Notification and whether Account Holders accepted the proposed changes.14
The court determined that authority was provided by users clicking 'I agree' to the Notification and that the change in working reflected that, as a consequence of Google obtaining some account holders’ explicit consent to make the proposed changes, Google was authorised to combine and use the data of those account holders, as explained in the Notification.15 The court was therefore satisfied that Google sought account holders' consent and only combined or associated activity information from third-party websites and apps with their explicit consent.
The court also did not accept that by making the June 2016 Privacy Update, Google reduced account holders’ rights under the Privacy Policy without their explicit consent. Although the text of the Privacy Policy changed, its effect both before and after the Privacy Update was that Google could not combine DoubleClick cookie information with personally identifiable information without Account Holders’ opt-in consent. The June 2016 Privacy Update was no more than a reflection of the fact that Account Holders either consented to, or did not consent to, the proposed changes explained in the Notification, which included associating account holders' activity on third-party websites and third-party apps with the personal information in their Google accounts.16
What this means for businesses in Australia
Notifications that adequately inform users
This case highlights that businesses cannot necessarily rely on lengthy privacy updates as adequate information for consumers when changes, such as to the collection and use of their activity information, are made. The significance of the user experience and what they see on the first page or screen of a similar notification might be the difference between a finding that conduct is misleading or that users were adequately informed in respect of the consent they are asked to provide.
ACCC's ongoing focus on ad tech, consumer rights and transparency by digital platform
While the ACCC was unsuccessful on this occasion (but has until 28 February 2023 to file a notice of appeal) we expect it will continue to focus on ad tech, consumer rights and transparency by digital platform providers, particularly in the context of its findings and recommendations in the Digital Platform Services Inquiry. For example, the ACCC relevantly found that where there are few (or no) comparable alternative services available, or consumers feel compelled to use the service because their social or work networks are on them, consumers may need to accept undesirable terms of use which can involve the unwanted collection and use of consumers’ data, or greater exposure to unsolicited targeted advertising.17
However, the ACCC has conceded that any measures to safeguard consumers' privacy should not be considered until after the current review of the Privacy Act is completed. The Government has indicated that that review is expected to complete this year, with changes to the Privacy Act to follow in 2023.
This case highlights a potential difference in approach between consumer protection laws and privacy laws. As explained above, the court's judgement considered the importance of the first page of the Notification and the need to ensure that the first page was not in and of itself misleading. In contrast, paragraphs 1.12, 1.36 and 5.5 in Chapters 1 and 5 respectively of non-binding guidance from the OAIC (the main Australian privacy regulator with responsibility for enforcement of the Privacy Act) suggest that a 'layered' approach to privacy-related disclosures may be adopted, with a condensed version of a privacy policy being provided to consumers that outlines key information and contains direct links to the more detailed information in the full privacy policy. Such an inconsistency in regulatory approach has the potential to create difficulties for businesses seeking to comply with the expectations of both the ACCC and the OAIC in relation to transparent and understandable disclosures relating to their data and personal information-handling practices.
As considered in our previous Insight, the case also demonstrates how the ACCC has been willing to run cases using its consumer law toolbox to address privacy and data issues (eg such as misleading or deceptive conduct and false or misleading representations) where privacy concerns arise. However, the recent penalty increase associated with serious breaches of the Privacy Act 1988 (Cth) means these now match the penalty regime that applies to the ACL. It remains to be seen if the OAIC will have the resources to take a similarly active approach as the ACCC, however the increased focus on this area reinforces the need for organisations to be transparent in describing their data-handling practices in their privacy policies and privacy-collection notices.
Unfair contract terms will also be illegal from November 2023, so this may also become an enforcement tool the ACCC uses to address privacy concerns.
Please contact us if you would like to further understand the implications of this case for your business or the ACCC's focus on digital markets and the intersection between privacy laws and consumer protection laws.
Footnotes
-
Australian Competition and Consumer Commission v Google LLC (No 2) (ACCC v Google) [2022] FCA 1476 [85]-[87] (Yates J).
-
ACCC v Google, [89]-[107].
-
ACCC v Google, [91].
-
ACCC v Google, [124]-[125].
-
ACCC v Google, [141].
-
ACCC v Google, [263]-[269].
-
ACCC v Google, [270].
-
ACCC v Google, [143]-[145].
-
ACCC v Google, [89] – [91].
-
ACCC v Google, [239].
-
ACCC v Google, [243]-[245].
-
ACCC v Google, [245].
-
ACCC v Google, [250].
-
ACCC v Google, [271].
-
ACCC v Google, [274].
-
ACCC v Google, [283]-[290]
-
ACCC, Digital Platforms Services Inquiry Interim Report No 5 – Regulatory Reform, pg 43 [1.6.4.].