The ACCC is suing Google for misleading millions. But calling it out is easier than fixing it



Shutterstock

Katharine Kemp, UNSW

Australia’s consumer watchdog is suing Google for allegedly misleading millions of people after it started tracking them on non-Google apps and websites in 2016.

The Australian Competition and Consumer Commission (ACCC) says Google’s pop-up notification about this move didn’t let users make an informed choice about the increased tracking of their activities.

Google uses some of this data in its targeted advertising business. It can also collect sensitive information about us from third-party websites and apps which it may use in its non-advertising businesses.

The ACCC isn’t the first to claim Google hasn’t been straight about how it uses our data, nor is this the first time it has sued Google.

But even if Google gave us the whole story, what can we actually do about growing surveillance?




Read more:
Every step you take: why Google’s plan to buy Fitbit has the ACCC’s pulse racing


Google tracks your activities beyond Google

While it would take a separate article to list all the ways Google tracks your activities online and offline, the ACCC is concerned about two of the company’s data practices in particular.

First, Google has been collecting data about what you do on websites that may not seem related to Google at all. This is combined with other data collected by Google’s own services including YouTube, Gmail, Google Maps and Chrome.

The reason Google can do this is that third-party websites and apps also use Google’s services, such as ad serving or Google Analytics.

Their agreements with Google allow it to embed its technology into the websites and apps and send your activity information back to Google, without alerting you.

Second, the ACCC is concerned Google has combined its own extensive Google account holder datasets with personal data collected by ad tech company DoubleClick, which Google acquired in 2007.
This is despite Google initially claiming it wouldn’t do this without users opting in.

The data Google collects, and how it’s used

Google’s technologies are embedded in millions of third-party websites (and likely many of the ones you use).

So it’s well placed to collect data about your online activities, including research you might do on intimate topics such as depression, miscarriage, abortion, diabetes, weight loss, heart disease, divorce, erectile dysfunction and so on.

Google can then combine this data with the information it already has about you from its own services, such as where you live, what you buy, where you go and who you associate with.

Google says it doesn’t use users’ health data or other “sensitive” data for its targeted advertising business. But it does not promise it won’t collect such sensitive data, keep it, combine it with data about our other activities or use it for non-advertising business purposes.

For example, Google has made moves to enter various health services markets. And there’s speculation it may start supplying health products and life insurance in future.

Further, unless you have changed the “ad personalisation” settings in your Google account, Google can use data from third-party sites which it does not classify as “sensitive” to target you with ads. This data could include whether you’re searching for baby clothes, travel insurance, retirement living, or a house in a specific suburb.

But even if you have opted out of personalised ads, Google’s privacy policy doesn’t say it will stop collecting and retaining the data itself.

Online search for 'depression'.
Google has access to enough information to build highly detailed profiles of users, covering different aspects of their lives.
Shutterstock

What was misleading?

The ACCC claims Google’s 2016 notification about its increased tracking was misleading. The notice led with the benign headline, “Some new features for your Google Account”, followed by:

We’ve introduced some optional features for your account, giving you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads.

The statements further down in the notification were arguably unclear about what Google actually planned to change. The ACCC says the notification was misleading because:

Consumers could not have properly understood the changes Google was making nor how their data would be used and so did not – and could not – give informed consent.

It claims Google also misled consumers by stating in its privacy policy that it would not reduce users’ rights under the policy without their explicit consent, but then did exactly that.




Read more:
94% of Australians do not read all privacy policies that apply to them – and that’s rational behaviour


Privacy concerns warrant legal backing

In this case, the ACCC’s issue is that Google didn’t give consumers the real story about its plan to vastly increase personal data collection and use this information for commercial purposes. The ACCC’s action against Google should be a warning to all companies that currently fudge their privacy terms.

But what if Google had been transparent and the pop-up box instead said: “we are going to start collecting your personal data whenever you use third-party websites or apps that use Google technologies”?

Given the millions of websites using Google technologies, is it even possible for consumers to avoid this?

In Germany, the Federal Cartel Office last year found Facebook had abused its dominance by insisting on collecting users’ personal data via embedded technologies on non-Facebook websites and apps.

It argued Facebook’s market power gave it the ability to impose these practices on users, even against their wishes.

Australia does not have an “abuse of dominance law” to address single-firm exploitative conduct, such as raising prices or imposing intrusive privacy terms. Facebook currently collects data about Facebook users – and even non-users – from third-party websites and apps in Australia, without alerting us.

Facebook logo with multiple 'dislike' buttons.
Facebook has also come under fire for tracking its users’ activities on non-Facebook websites.
Shutterstock

The ACCC may succeed in proving misleading conduct by Google. And it might obtain a substantial fine against Google – potentially up to 10% of Google’s turnover in Australia.

But to stop tech giants from doing whatever they like with our data, we’ll need to consider a broader law against unfair practices.




Read more:
Australia’s privacy watchdog is taking Facebook to court. It’s a good start


The Conversation


Katharine Kemp, Senior Lecturer, Faculty of Law, UNSW, and Academic Lead, UNSW Grand Challenge on Trust, UNSW

This article is republished from The Conversation under a Creative Commons license. Read the original article.

The ACCC is suing Google over tracking users. Here’s why it matters



The ACCC has been highly critical of how many large digital platforms use data.
Shutterstock

Katharine Kemp, UNSW

The Australian Competition and Consumer Commission (ACCC) today announced it is suing Google for misleading consumers about its collection and use of personal location data.

The case is the consumer watchdog’s first move against a major digital platform following the publication of the Digital Platforms Inquiry Final Report in July.

The ACCC follows regulators in countries including the US and Germany in taking action against the way “tech giants” such as Google and Facebook harvest and exploit their users’ data.

What did Google do?

ACCC Chair Rod Sims said Google “collected, kept and used highly sensitive and valuable personal information about consumers’ location without them making an informed choice”.

The ACCC alleges that Google breached the Australian Consumer Law (ACL) by misleading its users in the course of 2017 and 2018, including by:

  • not properly disclosing that two different settings needed to be switched off if consumers did not want Google to collect, keep and use their location data

  • not disclosing on those pages that personal location data could be used for a number of purposes unrelated to the consumer’s use of Google services.

Some of the alleged breaches can carry penalties of up to A$10 million or 10% of annual turnover.

A spokesperson for Google is reported to have said the company is reviewing the allegations and engaging with the ACCC.

The two separate settings that users needed to change to disable location tracking.
Android screenshots, Author provided

Turning off “Location History” did not turn off location history

According to the ACCC, Google’s account settings on Android phones and tablets would have led consumers to think changing a setting on the “Location History” page would stop Google from collecting, keeping and using their location data.

The ACCC says Google failed to make clear to consumers that they would actually need to change their choices on a separate setting titled “Web & App Activity” to prevent this location tracking.

Location data is used for much more than Google Maps

Google collects and uses consumers’ personal location data for purposes other than providing Google services to consumers. For example, Google uses location data to work out demographic information, target advertising, and offer advertising services to other businesses.

Digital platforms increasingly track consumers online and offline to create highly detailed personal profiles on each of us. These profiles are then used to sell advertising services. These data practices create risks of criminal data breaches, discrimination, exclusion and manipulation.




Read more:
Here’s how tech giants profit from invading our privacy, and how we can start taking it back


Concealed data practices under fire around the world

The ACCC joins a number of other regulators and consumer organisations taking aim at the concealed data practices of the “tech giants”.

This year, the Norwegian Consumer Council published a report – Deceived by Design – which analysed a sample of Google, Facebook and Microsoft Windows privacy settings. The conclusion: “service providers employ numerous tactics in order to nudge or push consumers toward sharing as much data as possible”.

The report said some aspects of privacy policies can be seen as “dark patterns”, or “features of interface design crafted to trick users into doing things that they might not want to do”.

In Canada, an investigation into how Facebook gets consent for certain data practices by the Office of the Privacy Commissioner of Canada was highly critical.

It found that the relevant data use policy “contained blanket statements referencing potential disclosures of a broad range of personal information, to a broad range of individuals or organisations, for a broad range of purposes”. The result was that Facebook users “had no way of truly knowing what personal information would be disclosed to which app and for what purposes”.

Is Facebook next?

The ACCC was highly critical of the data practices of a number of large digital platforms when the Final Report of the Digital Platforms Inquiry was published in July this year. The platforms included Facebook, WhatsApp, Twitter and Google.

The report was particularly scathing about privacy policies which were long, complex, difficult to navigate and low on real choices for consumers. In its words, certain common features of digital platforms’ consent processes:

leverage digital platforms’ bargaining power and deepen information asymmetries, preventing consumers from providing meaningful consents to digital platforms’ collection, use and disclosure of their user data.

The report also stated the ACCC was investigating whether various representations by Google and Facebook respectively would “raise issues under the ACL”.

The investigations concerning Facebook related to representations concerning its sharing of user data with third parties and potential unfair contract terms. So far no proceedings against Facebook have been announced.




Read more:
94% of Australians do not read all privacy policies that apply to them – and that’s rational behaviour


Will this change anything?

While penalties of up to A$10 million or 10% of annual turnover (in Australia) may sound significant, last year Google made US$116 billion in advertising revenue globally.

In July, the US Federal Trade Commission settled with Facebook on a US$5 billion fine for repeatedly misleading users about the fact personal information could be accessed by third-party apps without the user’s consent, if a user’s Facebook “friend” gave consent. Facebook’s share price went up after the FTC approved the settlement.

But this does not mean the ACCC’s proceedings against Google are a pointless exercise. Aside from the impact on Google’s reputation, these proceedings may highlight for consumers the difference between platforms which have incentives to hide data practices from consumers and other platforms – like the search engine DuckDuckGo – which offer privacy-respecting alternatives.The Conversation

Katharine Kemp, Senior Lecturer, Faculty of Law, UNSW, and Co-Leader, ‘Data as a Source of Market Power’ Research Stream of The Allens Hub for Technology, Law and Innovation, UNSW

This article is republished from The Conversation under a Creative Commons license. Read the original article.