The Australian Competition and Consumer Commission (ACCC) today announced it is suing Google for misleading consumers about its collection and use of personal location data.
The case is the consumer watchdog’s first move against a major digital platform following the publication of the Digital Platforms Inquiry Final Report in July.
The ACCC follows regulators in countries including the US and Germany in taking action against the way “tech giants” such as Google and Facebook harvest and exploit their users’ data.
What did Google do?
ACCC Chair Rod Sims said Google “collected, kept and used highly sensitive and valuable personal information about consumers’ location without them making an informed choice”.
The ACCC alleges that Google breached the Australian Consumer Law (ACL) by misleading its users in the course of 2017 and 2018, including by:
not properly disclosing that two different settings needed to be switched off if consumers did not want Google to collect, keep and use their location data
not disclosing on those pages that personal location data could be used for a number of purposes unrelated to the consumer’s use of Google services.
Some of the alleged breaches can carry penalties of up to A$10 million or 10% of annual turnover.
A spokesperson for Google is reported to have said the company is reviewing the allegations and engaging with the ACCC.
Turning off “Location History” did not turn off location history
According to the ACCC, Google’s account settings on Android phones and tablets would have led consumers to think changing a setting on the “Location History” page would stop Google from collecting, keeping and using their location data.
The ACCC says Google failed to make clear to consumers that they would actually need to change their choices on a separate setting titled “Web & App Activity” to prevent this location tracking.
Location data is used for much more than Google Maps
Google collects and uses consumers’ personal location data for purposes other than providing Google services to consumers. For example, Google uses location data to work out demographic information, target advertising, and offer advertising services to other businesses.
Digital platforms increasingly track consumers online and offline to create highly detailed personal profiles on each of us. These profiles are then used to sell advertising services. These data practices create risks of criminal data breaches, discrimination, exclusion and manipulation.
Concealed data practices under fire around the world
The ACCC joins a number of other regulators and consumer organisations taking aim at the concealed data practices of the “tech giants”.
This year, the Norwegian Consumer Council published a report – Deceived by Design – which analysed a sample of Google, Facebook and Microsoft Windows privacy settings. The conclusion: “service providers employ numerous tactics in order to nudge or push consumers toward sharing as much data as possible”.
The report said some aspects of privacy policies can be seen as “dark patterns”, or “features of interface design crafted to trick users into doing things that they might not want to do”.
In Canada, an investigation into how Facebook gets consent for certain data practices by the Office of the Privacy Commissioner of Canada was highly critical.
It found that the relevant data use policy “contained blanket statements referencing potential disclosures of a broad range of personal information, to a broad range of individuals or organisations, for a broad range of purposes”. The result was that Facebook users “had no way of truly knowing what personal information would be disclosed to which app and for what purposes”.
Is Facebook next?
The ACCC was highly critical of the data practices of a number of large digital platforms when the Final Report of the Digital Platforms Inquiry was published in July this year. The platforms included included Facebook, WhatsApp, Twitter and Google.
The report was particularly scathing about privacy policies which were long, complex, difficult to navigate and low on real choices for consumers. In its words, certain common features of digital platforms’ consent processes
leverage digital platforms’ bargaining power and deepen information asymmetries, preventing consumers from providing meaningful consents to digital platforms’ collection, use and disclosure of their user data.
The report also stated the ACCC was investigating whether various representations by Google and Facebook respectively would “raise issues under the ACL”.
The investigations concerning Facebook related to representations concerning its sharing of user data with third parties and potential unfair contract terms. So far no proceedings against Facebook have been announced.
Will this change anything?
While penalties of up to A$10 million or 10% of annual turnover (in Australia) may sound significant, last year Google made US$116 billion in advertising revenue globally.
In July, the US Federal Trade Commission settled with Facebook on a US$5 billion fine for repeatedly misleading users about the fact that personal information could be accessed by third-party apps without the user’s consent, if a user’s Facebook “friend” gave consent. Facebook’s share price went up after the FTC approved the settlement.
But this does not mean the ACCC’s proceedings against Google are a pointless exercise. Aside from the impact on Google’s reputation, these proceedings may highlight for consumers the difference between platforms which have incentives to hide data practices from consumers and other platforms – like the search engine DuckDuckGo – which offer privacy-respecting alternatives.
Katharine Kemp receives funding from The Allens Hub for Technology, Law and Innovation. She is a Member of the Advisory Board of the Future of Finance Initiative in India, the Centre for Law, Markets & Regulation and the Australian Privacy Foundation.