ACCC Lawsuit Accuses Google of Misusing Personal Data

Merry Marwig
Merry Marwig  |  November 1, 2019

The Australian Competition and Consumer Commission (ACCC) filed a lawsuit against Google for allegedly misleading consumers about the personal data it collects, keeps and uses.

The allegation is that Google misrepresented what data it collects about users regarding Google’s “Location History” and “Web & App Activity” settings. If a user turned off Location History settings, the user’s location was still tracked by the company. The only way to fully opt out of location tracking would be to turn off both Location History and the Web & App Activity. 

The ACCC said these settings are misleading. “We allege that Google misled consumers by staying silent about the fact that another setting also had to be switched off,” ACCC chair Rod Sims said in a press release.

“Many consumers make a conscious decision to turn off settings to stop the collection of their location data, but we allege that Google’s conduct may have prevented consumers from making that choice.” Sims continued, “We are taking court action against Google because we allege that as a result of these on-screen representations, Google has collected, kept, and used highly sensitive and valuable personal information about consumers’ location without them making an informed choice.” 

This allegation has spurred discussions about introducing additional privacy legislation in Australia. The ACCC’s Digital Platforms Inquiry final report recommends in Chapter 7 that privacy legislation be strengthened by:

  • 16(a) Update the definition of “personal information” in the Privacy Act to clarify that it captures technical data such as IP addresses, device identifiers, location data, and any other online identifiers that may be used to identify an individual.
  • 16(b) Strengthen notification and consent requirements to ensure consumers can make informed decisions about the personal data they allow digital platforms to collect.
  • 16(c) Strengthen consent requirements and pro-consumer defaults: Require consent to be obtained whenever a consumer’s personal information is collected, used or disclosed by an APP entity, unless the personal information is necessary for the performance of a contract to which the consumer is a party, is required under law, or is otherwise necessary for an overriding public interest reason. Valid consent should require a clear affirmative act that is freely given, specific, unambiguous and informed (including about the consequences of providing or withholding consent). This means that any settings for data practices relying on consent must be pre-selected to ‘off’ and that different purposes of data collection, use or disclosure must not be bundled. Where the personal information of children is collected, consents to collect the personal information of children must be obtained from the child’s guardian. It may also be appropriate for the consent requirements to be implemented along with measures to minimise consent fatigue, such as not requiring consent when personal information is processed in accordance with a contract to which the consumer is a party, or using standardised icons or phrases to refer to certain categories of consents to facilitate consumers’ comprehension and decision-making. 
  • 16(d) Enable the erasure of personal information: Require APP entities to erase the personal information of a consumer without undue delay on receiving a request for erasure from the consumer, unless the retention of information is necessary for the performance of a contract to which the consumer is a party, is required under law, or is otherwise necessary for an overriding public interest reason. 
  • 16(e) Introduce direct rights of action for individuals: Give individuals a direct right to bring actions and class actions against APP entities in court to seek compensation for an interference with their privacy under the Privacy Act. 

16(f) Higher penalties for breach of the Privacy Act: Increase the penalties for an interference with privacy under the Privacy Act to mirror the increased penalties for breaches of the Australian Consumer Law.

“Transparency and inadequate disclosure issues involving digital platforms and consumer data were a major focus of our Digital Platforms Inquiry, and remain one of the ACCC’s top priorities,” Sims said. 

Expect further discussions of privacy legislation in Australia in the coming months.

See the Best Data Privacy Software →

Don’t fall behind.

Subscribe to the latest software news & updates from the expert analysts at G2.

By submitting this form, you are agreeing to receive marketing communications from G2.
Merry Marwig
Author

Merry Marwig

Merry Marwig is a market research analyst at G2 focused on the privacy and data security software markets. Using G2’s dynamic research based on unbiased user reviews, Merry helps companies best understand what privacy and security products and services are available to protect their core businesses, their data, their people, and ultimately their customers, brand, and reputation. Merry's coverage areas include: data privacy platforms, data subject access requests (DSAR), identity verification, identity and access management, multi-factor authentication, risk-based authentication, confidentiality software, data security, email security, and more.