Facts of the Recent ACCC v Google LLC Decision
The claim stemmed from an opt-in notification Google displayed on both computer desktops and in users’ mobile applications. The notification asked users to opt-in to changes that would combine the data collected via their Google accounts and activities on non-Google sites.
This would improve Google’s advertising capabilities.
The ACCC alleged that account holders were not adequately advised regarding the changes since users needed to be signed in to their Google account to see the opt-in notice. However, this claim failed because the judge presiding over the case was satisfied that users who did not opt in did not have their data combined. In other words, the court found that Google combined the data only in cases where specific opt-in consent was obtained.
Quick Tips: How Can Organisations Update Their Privacy Notice Effectively?
- The key lesson here is that clear opt-in notifications offer crucial protections for your organisation (so long as you respect the opt-outs).
- Organisations should also consider that: Where a choice exists between your organisation’s interests and your customer’s privacy interests, respect your customer’s interests.
- Users may elect to opt-in to more data-intensive programs to access the benefits but giving them the option is key.
- Organisations should expect regulators to continue (and to increase) scrutiny regarding customer consent and data collection.
Digging Deeper: Designing Consents for Different Customers
The judge considered how Google came to its decision to update its policy the way it did. Yates J (the judge who heard the ACCC v Google appeal) noted that Google undertook significant market research to understand how customers respond to privacy notice updates.
Google’s intention was to maximise the number of individual users who consented to its updated privacy notice. However, through its research, Google also recognised that different users respond differently to privacy notices. As a result, it designed its privacy notice to appeal to the various types of users – “skippers, skimmers and readers”. Yates J noted the following:
“Google’s appreciation that its Account Holders comprised “Skippers, Skimmers and Readers” explains why the Notification was presented in a way that provided links to enable Account Holders to obtain more information in relation to Google’s proposal, should that have been their desire when considering the Notification. In its internal documents, Google described this as presenting a “layered story”. This is a pithy way of explaining the cascading form of the Notification, with the increasing levels of detail….”
This is significant for Australian organisations since it recognises the importance of tailoring privacy policies to the end user. It also shows the importance of documenting your reasoning for your privacy decisions plus the value of layering.
- Ensure your updates are visible to users. It’s a good practice to send notifications in advance of the update via email and through a pop-up notification on the website.
We can also help with other privacy-related policies and procedures including:
- Collection notices;
- Consent forms including marketing consents;
- Cookie policies and consent banners;
- CCTV Policy and procedure;
- Workplace Surveillance Policy and procedures;
- Data breach response Policy and procedures;
- Privacy complaint handling procedures;
- Data retention and deletion policies and procedures.; and
- Information security policies and procedures.