The Australian Competition and Consumer Commission has had a significant win against Google, after the Federal Court found Google misled some Android users about how to disable personal location tracking.
But will this decision actually change the behaviour of the big tech companies? The answer will depend on the size of the penalty awarded in response to the misconduct.
In theory, the penalty is $1.1 million per contravention. There is a contravention each time a reasonable person in the relevant class is misled. So the total award could, in theory, amount to many millions of dollars.
However, the actual penalty will depend on how the court characterises the misconduct. We believe Googleโs behaviour should not be treated as a simple accident, and the Federal Court should issue a heavy fine to deter Google and other companies from behaving this way in future.
The case arose from the representations made by Google to users of Android phones in 2018 about how it obtained personal location data.
The Federal Court held Google had misled some consumers by representing that โhaving Web & App Activity turned โonโ would not allow Google to obtain, retain and use personal data about the userโs locationโ.
In other words, some consumers were misled into thinking they could control Googleโs location data collection practices by solely switching โoffโ their location history, whereas the โWeb & App Activityโ setting also needed to be disabled to provide this protection.
The ACCC also argued consumers reading Googleโs privacy statement would be misled into thinking personal data was collected for their own benefit rather than Googleโs. However, the court dismissed this argument on the grounds that reasonable users wanted to turn the location history โoffโ, and therefore would have assumed that Google was obtaining as much commercial advantage as it could from use of the userโs personal location data.
This is surprising and might deserve further attention from regulators concerned to protect consumers from corporations โdata harvestingโ for profit.
The penalty and other enforcement orders against Google will be made at a later date.
The aim of the penalty is to deter Google specifically, and other firms like Google, from engaging in misleading conduct again. If penalties are too low they may be treated by wrongdoing firms as merely a โcost of doing businessโ.
However, in circumstances where there is a high degree of corporate culpability, the Federal Court has shown willingness to award higher amounts than in the past. This has occurred even where the regulator has not sought higher penalties.
In the recent Volkswagen Aktiengesellschaft vs ACCC judgment, the full Federal Court confirmed an award of $125 million against Volkswagen for making false representations about compliance with Australian diesel emissions standards.
In setting Googleโs penalty, a court will consider factors such as the nature and extent of the misleading conduct and any loss to consumers. The court will also take into account whether the wrongdoer was involved in โdeliberate, covert or reckless conduct, as opposed to negligence or carelessnessโ.
At this point, Google may well argue that only some consumers were misled; that it was possible for consumers to be informed if they read more about Googleโs privacy policies; that it was only one slip-up; and that its contravention of the law was unintentional. These might seem to reduce the seriousness or at least the moral culpability of the offence.
But we argue they should not unduly cap the penalty awarded. Googleโs conduct may not appear as โegregious and deliberately deceptiveโ as the Volkswagen case.
Equally, Google is a massively profitable company that makes its money precisely from obtaining, sorting and using its usersโ personal data. Therefore, we think the court should look at the number of Android users potentially affected by the misleading conduct and Googleโs responsibility for its own choice architecture, and work from there.
The Federal Court acknowledged not all consumers would be misled by Googleโs representations. The court accepted many consumers would simply accept the privacy terms without reviewing them, an outcome consistent with the so-called privacy paradox. Others would review the terms and click through to more information about the options for limiting Googleโs use of personal data to discover the scope of what was collected under the โWeb & App Activityโ default.
This might sound like the court was condoning consumersโ carelessness. In fact, the court made use of insights from economists about the behavioural biases of consumers in making decisions.
Consumers have limited time to read legal terms and limited ability to understand the future risks arising from those terms. Thus, if consumers are concerned about privacy they might try to limit data collection by selecting various options, but are unlikely to be able to read and understand privacy legalese like a trained lawyer or with the background understanding of a data scientist.
If one option is labelled โLocation Historyโ, it is entirely rational for everyday consumers to assume turning it off limits location data collection by Google.
The number of consumers misled by Googleโs representations will be difficult to assess. But even if a small proportion of Android users were misled, that will be a very large number of people.
There was evidence before the Federal Court that, after press reports arose of the tracking problem, the number of consumers switching off the โWebโ option increased by 500%.
Moreover, Google makes considerable profit from the large amounts of personal data it gathers and retains, and profit is important when it comes deterrence.
It has also been revealed that some employees at Google were not aware of the problem until an exposรฉ in the press. An urgent meeting was held, referred to internally as the โOh Shitโ meeting.
The individual Google employees at the โOh Shitโ meeting may not have been aware of the details of the system โ but that is not the point.
It is the company fault that is the question. And a companyโs culpability is not just determined by what some executive or senior employee knew or didnโt know about its processes. Googleโs corporate mindset is manifested or revealed in the systems it designs and puts in place.
Google designed the information system that faced consumers trying to manage their privacy settings. This kind of system design is sometimes referred to as โchoice architectureโ.
Here the choices offered to consumers steered them away from opting out of Google collecting, retaining and using personal location data.
The โOther Optionsโ (for privacy) information failed to refer to the fact that location tracking was carried out via other processes beyond the one labelled โLocation Historyโ. Plus, the default option for โWeb & App Activityโ (which included location tracking) was set as โonโ.
This privacy eroding system arose via the design of the โchoice architectureโ. It therefore warrants a serious penalty.
Private Media, the parent company of SmartCompany, is a current participant of the Google Showcase program. Content from SmartCompany and other Private Media brands will be featured on Showcase as part of a commercial partnership.
This article is republished from The Conversation under a Creative Commons license. Read the original article.
