How Do You Legally Change Your Privacy Policy?
The recent ACCC v Google LLC decision provides useful advice. Google recently defeated an action by the ACCC in Australia. The ACCC claimed that Google had misled users when it watered down the privacy rights of its users via an inadequate privacy policy update. There are key lessons organisations can glean from Google’s win in court about how to legally change your privacy policy.
Facts of the Recent ACCC v Google LLC Decision
In December 2022, the Federal Court of Australia dismissed a claim by the Australian Competition and Consumer Commission (ACCC) that Google LLC had misled users about an amendment to its privacy policy.
The claim stemmed from an opt-in notification Google displayed both on computer desktops and in users’ mobile applications. The notification asked users to opt in to changes that would combine the data collected via their Google accounts and activities on non-Google sites.
This would improve Google’s advertising capabilities.
The ACCC alleged that account holders were not adequately advised regarding the changes since users needed to be signed in to their Google account to see the opt-in notice. However, this claim failed because the judge presiding over the case was satisfied that users who did not opt in did not have their data combined. In other words, the court found that Google combined the data only in cases where specific opt-in consent was obtained.
Read the Federal Court’s judgement.
Quick Tips: How Can Organisations Update Their Privacy Notice Effectively?
- The key lesson here is that clear opt-in notifications offer crucial protections for your organisation (so long as you respect the opt-outs).
- Organisations should also consider this: where a choice exists between your organisation’s interests and your customer’s privacy interests, respect your customer’s interests.
- Users may elect to opt in to more data-intensive programs to access the benefits, but giving them the option is key.
- Organisations should expect regulators to continue (and to increase) scrutiny regarding customer consent and data collection.
Digging Deeper: Designing Consents for Different Customers
The judge considered how Google came to its decision to update its policy the way it did. Yates J (the judge who heard the ACCC v Google appeal) noted that Google undertook significant market research to understand how customers respond to privacy notice updates.
Google’s intention was to maximise the number of individual users who consented to its updated privacy notice. However, through its research, Google also recognised that different users respond differently to privacy notices. As a result, it designed its privacy notice to appeal to the various types of users – “skippers, skimmers and readers”. Yates J noted the following:
“Google’s appreciation that its Account Holders comprised “Skippers, Skimmers and Readers” explains why the Notification was presented in a way that provided links to enable Account Holders to obtain more information in relation to Google’s proposal, should that have been their desire when considering the Notification. In its internal documents, Google described this as presenting a “layered story”. This is a pithy way of explaining the cascading form of the Notification, with the increasing levels of detail….”
This is significant for Australian organisations since it recognises the importance of tailoring privacy policies to the end user. It also shows the importance of documenting your reasoning for your privacy decisions plus the value of layering.
Other Best Practices To Legally Change Your Privacy Policy
In addition to implementing the above tips, we suggest that organisations consider the following best practices for privacy policy updates:
- Consider the privacy policy to be a living document. It’s not something you should ‘set and forget’. It should be regularly reconsidered and updated whenever your privacy and/or data handling practices change.
  Given the incredibly broad range of activities that can affect your privacy practices, it’s essential that your team knows and understands at least the basics of organisational privacy. Everything from implementing a new payment system (operations) to collecting email addresses in exchange for gated content (marketing) can impact your privacy policy. The right people must be alerted to these changes.
- Ensure your updates are visible to users. It’s a good practice to send notifications in advance of the update via email and through a pop-up notification on the website.
- Transparency and clarity in your privacy documents remain key. In the ACCC v Google judgement, Yates J refers to one aspect of Google’s privacy policy as ‘tolerably clear’, despite being ‘awkwardly worded’. Organisations should strive to communicate their privacy practices in a way that is better than ‘tolerably clear’.
Update Your Privacy Policy with Privacy 108
If your organisation needs to implement or update its privacy policy, reach out. Our team is experienced in drafting privacy policies from scratch and reviewing and improving existing policies.
We can also help with other privacy-related policies and procedures including:
- Collection notices;
- Consent forms including marketing consents;
- Cookie policies and consent banners;
- Employee Privacy Policy;
- CCTV Policy and procedure;
- Workplace Surveillance Policy and procedures;
- Data breach response Policy and procedures;
- Privacy complaint handling procedures;
- Data retention and deletion policies and procedures; and
- Information security policies and procedures.