The ACCC has commenced proceedings against Google for its failure to properly inform consumers and obtain their consent when collecting and using personal information online. It alleges that Google did not take the necessary steps to inform consumers about the consequences of combining users’ personal information with their activity on non-Google sites using DoubleClick technology. Previously, online activity from DoubleClick sites was kept separate from the activity on consumers’ Google accounts. However, Google enacted changes to combine these sources of information to improve its advertising and analytics businesses, which are the predominant source of its revenue.
Google’s Privacy Policy
Google collects personal information from new users who accept its Terms of Service and Privacy Policy. This enables Google to collect and store information about users’ activity and search queries when they are signed into their accounts, in order to create targeted advertisements. In its Privacy Policy, Google outlined that it would not combine the data collected from Google websites with cookie information from non-Google sites unless explicit consent was provided.
From 28 June 2016 to December 2018, Google displayed a notification to signed-in Google users in Australia concerning new features for their accounts. The notification emphasised the “I agree” option, which allowed Google to combine a wide range of personally identifiable information from DoubleClick sites to generate personalised advertisements. The ACCC alleged that this was misleading and deceptive conduct under the Australian Consumer Law, as Google failed to properly inform its consumers that it was varying its Privacy Policy and failed to obtain explicit consent to combine different sources of personal information. As over 80% of Australian Google consumers (13.5 million people) accepted the “I Agree” option, the ACCC argues that consumers should have been properly alerted about changes primarily enacted for Google’s commercial benefit.
Lessons learnt
The ACCC’s proceedings against Google highlight the vigilant stance taken by regulators in monitoring misleading and deceptive conduct relating to consumers’ personal information. The proceedings indicate that it is not enough just to have a privacy policy; a business must also ensure that its terms are actively enforced. From a privacy law perspective, this litigation indicates that businesses handling personal information must actively take precautions to ensure that they comply with the terms listed in their Privacy Policy, particularly if changes are made for their own commercial objectives.
To ensure compliance with obligations under the Privacy Act and your Privacy Policy, the following steps should be taken:
- Actively and regularly reviewing your Privacy Policy to ensure it is accurate and up to date with your business operations;
- Establishing a clear procedure to fulfil the obligations outlined in your Privacy Policy;
- Collecting express informed consent from consumers through a collection notice at the time of collection; and
- Explicitly providing consumers with clear options about how their personal information is handled when changing your Privacy Policy.