UNSW Business School logo
UNSW BusinessThink logo
UNSW BusinessThink logo

The ACCC is suing Google – but is calling it out easier than fixing it?

Opinion | 3 August 2020

Following a privacy policy change in 2016, Google has been collecting users' data from third-party websites and apps, and the ACCC argues users were misled into signing away their privacy, writes UNSW Law's Katharine Kemp

Australia’s consumer watchdog is suing Google for allegedly misleading millions of people after it started tracking them on non-Google apps and websites in 2016.

The Australian Competition and Consumer Commission (ACCC) says Google’s pop-up notification about this move didn’t let users make an informed choice about the increased tracking of their activities. Google uses some of this data in its targeted advertising business. It can also collect sensitive information about us from third-party websites and apps which it may use in its non-advertising businesses.

The ACCC isn’t the first to claim Google hasn’t been straight about how it uses our data, nor is this the first time it has sued Google. But even if Google gave us the whole story, what can we actually do about growing surveillance?

Google tracks your activities beyond Google

While it would take a separate article to list all the ways Google tracks your activities online and offline, the ACCC is concerned about two of the company’s data practices in particular.

First, Google has been collecting data about what you do on websites that may not seem related to Google at all. This is combined with other data collected by Google’s own services including YouTube, Gmail, Google Maps and Chrome.

Woman accessing YouTube on her phone and computer (1).jpg
Google collects your data from websites that may not seem related to Google as well as from its own websites like YouTube. Image: Shutterstock

The reason Google can do this is that third-party websites and apps also use Google’s services, such as ad serving or Google Analytics.

Their agreements with Google allow it to embed its technology into the websites and apps and send your activity information back to Google, without alerting you.

Second, the ACCC is concerned Google has combined its own extensive Google account holder datasets with personal data collected by ad-tech company DoubleClick, which Google acquired in 2007. This is despite Google initially claiming it wouldn’t do this without users opting in.

The data Google collects, and how it’s used

Google’s technologies are embedded in millions of third-party websites (and likely many of the ones you use).

So it’s well placed to collect data about your online activities, including research you might do on intimate topics such as depression, miscarriage, abortion, diabetes, weight loss, heart disease, divorce, erectile dysfunction and so on.

Google can then combine this data with the information it already has about you from its own services, such as where you live, what you buy, where you go and who you associate with.

Woman exercising with fitbit.jpg
Concerns have been raised over Google supplying health products and life insurance using consumers' health data in the future. Image: Shutterstock

Google says it doesn’t use users’ health data or other “sensitive” data for its targeted advertising business. But it does not promise it won’t collect such sensitive data, keep it, combine it with data about our other activities or use it for non-advertising business purposes. For example, Google has made moves to enter various health services markets. And there’s speculation it may start supplying health products and life insurance in future. 

Further, unless you have changed the “ad personalisation” settings in your Google account, Google can use data from third-party sites which it does not classify as “sensitive” to target you with ads. This data could include whether you’re searching for baby clothes, travel insurance, retirement living, or a house in a specific suburb.

But even if you have opted out of personalised ads, Google’s privacy policy doesn’t say it will stop collecting and retaining the data itself.

What was misleading?

The ACCC claims Google’s 2016 notification about its increased tracking was misleading. The notice led with the benign headline, “Some new features for your Google Account”, followed by:

"We’ve introduced some optional features for your account, giving you more control over the data Google collects and how it’s used while allowing Google to show you more relevant ads."

Computer screen showing Facebook.jpg
Facebook has also recently come under fire for tracking its users’ activities on non-Facebook websites. Image: Shutterstock

The statements further down in the notification were arguably unclear about what Google actually planned to change. The ACCC says the notification was misleading because: "Consumers could not have properly understood the changes Google was making nor how their data would be used and so did not – and could not – give informed consent."

It claims Google also misled consumers by stating in its privacy policy that it would not reduce users’ rights under the policy without their explicit consent but then did exactly that.

Privacy concerns warrant legal backing

In this case, the ACCC’s issue is that Google didn’t give consumers the real story about its plan to vastly increase personal data collection and use this information for commercial purposes. The ACCC’s action against Google should be a warning to all companies that currently fudge their privacy terms.

But what if Google had been transparent and the pop-up box instead said: “We are going to start collecting your personal data whenever you use third-party websites or apps that use Google technologies”?

Given the millions of websites using Google technologies, is it even possible for consumers to avoid this?

Person touching search bar .jpg
Google has the ability to collect data about sensitive searchers from millions of third-party websites. Image:Shutterstock

In Germany, the Federal Cartel Office last year found Facebook had abused its dominance by insisting on collecting users’ personal data via embedded technologies on non-Facebook websites and apps. It argued Facebook’s market power gave it the ability to impose these practices on users, even against their wishes.

Australia does not have an “abuse of dominance law” to address single-firm exploitative conduct, such as raising prices or imposing intrusive privacy terms. Facebook currently collects data about Facebook users – and even non-users – from third-party websites and apps in Australia, without alerting us.

The ACCC may succeed in proving misleading conduct by Google. And it might obtain a substantial fine against Google – potentially up to 10 per cent of Google’s turnover in Australia. But to stop tech giants from doing whatever they like with our data, we’ll need to consider a broader law against unfair practices.

Katharine Kemp is a Senior Lecturer in the Faculty of Law at UNSW Sydney and Academic Lead at the UNSW Grand Challenge on Trust. This article is was originally published by The Conversation.

Regulation Security Privacy Data Customer experience Consumers Brands Digital
Republish this article

Republish

You are free to republish this article both online and in print. We ask that you follow some simple guidelines.

Please do not edit the piece, ensure that you attribute the author, their institute, and mention that the article was originally published on Business Think.

By copying the HTML below, you will be adhering to all our guidelines.

Press Ctrl-C to copy

Related

Opinion

Who is OpenAI’s Sam Altman, and why does it matter that he got fired?

Opinion

Have economists underestimated climate change's financial hit?

Opinion

Three strategies to de-risk supply chains amid geopolitical tensions

Opinion

How to get rid of spam and unwanted email from your inbox