Unlike in a number of countries, including Australia, New Zealand is yet to see any case law and regulatory action from the Commerce Commission that provides guidance on when "informing" consumers about changes to privacy policies is misleading.
This can be a challenging question for many New Zealand businesses. For example, what level of detail is required when telling consumers about a changed privacy policy? What changes need to be notified? How do you tell them? There is the inevitable tension between not wishing to bombard consumers with lengthy emails about updated privacy policies versus ensuring consumers are aware of, and agree to, the changes. And there's also the need to comply with the different requirements under the Privacy Act 2020 and the Fair Trading Act 1986.
The Federal Court of Australia (Court) has released its decision following the Australian Competition and Consumer Commission's (ACCC) unsuccessful case against Google LLC (Google). The ACCC alleged that Google had contravened the Australian Consumer Law by engaging in misleading or deceptive conduct by failing to adequately inform Australian account holders about their privacy settings when it published an on-screen notification to account holders, and changed its Privacy Policy to expand the scope of its use and collection of personal information.
This decision provides guidance for New Zealand businesses when amending privacy policies and notifying individuals given the similarities between Australia's and New Zealand's consumer and privacy laws.
What was the case about?
From June 2016 to December 2018, Google sought the permission of its account holders to make changes to the settings in their Google Accounts which, if agreed to, enabled and authorised Google to:
- combine account holders' personal information with their browsing activity on third party websites and apps;
- allow that combined information to be used to create or generate targeted advertising for third party websites and apps which partnered with Google (as well as Google's various websites and apps); and
- deliver targeted advertising to account holders on any device on which they were signed in to their Google account.
In order to obtain consent to make these changes, Google displayed a notification to account holders on their desktop and mobile devices (Notification). The Notification introduced these changes as optional features to give users more control over Google's collection and use of their data. In particular, the main page of the Notification:
- stated that new features would be available to the account holder, such as more information being available on their Google account for their review and control;
- that the available information might include browsing data from third party websites and apps which partner with Google;
- that Google would use this information to generate more relevant advertisements across all of the user's signed-in devices;
- that, as before the changes, Google would not sell users' personal information, and users retained control over the information that Google could collect from them; and
- prompted account holders to either consent to the changes by clicking an "I agree" button at the bottom of the main page, or clicking "More Options" or "Learn More" buttons if account holders wanted more information or wished to reject the changes.
The ACCC alleged that Google had misled account holders by omission in respect of the Notification, including by not informing its account holders that it had made a change to its Privacy Policy. The Court rejected both allegations, finding that Google had not engaged in misleading or deceptive conduct and that the changes to its Privacy Policy were made with account holders' consent.
How did the Court approach the interpretation of misleading and deceptive conduct?
The Court first considered whether Google had engaged in conduct that was misleading or deceptive by omitting information from the Notification.
Both parties called expert evidence on the structure and content of the Notification, and its effect on users. The ACCC's expert evidence was heavily based on the application of behavioural science principles to account holders' interaction with and understanding of the Notification. For example, the ACCC's expert stated that account holders would likely:
- not have noticed and/or clicked the link on the first page of the Notification which provided further information;
- have had "limited time" and "limited willingness" to read the Notification fully, and that "many (if not most) users only read the headings"; and
- have been biased towards agreeing to the proposed change in the Notification.
The ACCC's expert advanced that, through the structure and content of the Notification, Google manipulated and misled account holders into accepting changes that they did not understand and concealed the fact that those changes affected their privacy.
The Court was highly critical of this analysis, describing the ACCC's expert's conclusions as "hypotheses, conjecture, or predictions" formulated "without reference to data". On this point, the Court specifically noted that the ACCC provided no evidence of consumers being misled (despite there being clear case law that such evidence is not strictly required – which has long been established in New Zealand under the Fair Trading Act).
Interestingly, the Court found that both parties' expert evidence was of "limited assistance" overall, with Yates J commenting that he was able to read and form his own views regarding the Notification. Yates J noted that the ACCC's expert evidence would have been more helpful and persuasive if it had been supported by empirical analysis.
This treatment of the expert evidence suggests at least some courts are likely to take an uncomplicated approach to the interpretation of alleged misleading or deceptive representations. His Honour focused on the plain language and its meaning as understood by consumers as opposed to the abstract arguments about what consumers may have subjectively understood.
In considering the Notification on these terms, Yates J found that it did not constitute misleading or deceptive conduct by omission, holding that:
- if the first page of the Notification was misleading or deceptive due to the omission of information by Google, Google's conduct would have been misleading or deceptive regardless of whether account holders could read other pages of the Notification which would correct misconceptions created on the first page – this is an important reminder for businesses who seek to qualify or correct information on separate webpages; and
- the conduct must be evaluated on the basis that account holders did in fact read the first page of the Notification. The Court noted that users who did not take the time to read that page would not have been acting reasonably in their own interests.
Implications for New Zealand businesses in the privacy space
Alongside the changes outlined in the Notification to Google's collection and use of account holders' browsing data, Google also amended the wording of its Privacy Policy to reflect these changes, namely that some account holders' personal information would now be combined with browsing activity from third party webpages and apps.
The ACCC argued that, in making these amendments, Google had reduced the rights of its account holders without their explicit consent. However, as the Court had found that the Notification had not been misleading or deceptive, it was satisfied that Google had both sought and obtained consent from account holders to implement the changes to the Privacy Policy. Further, the Court found that the changes to the Privacy Policy did not reduce account holders' rights; rather, the amendment reflected that some account holders would have consented to the changes set out in the Notification.
The Court's analysis of the Notification and Google's conduct provides helpful guidance for what is required from businesses when obtaining consent from individuals in relation to the collection and use of personal information. Given the Notification was not misleading or deceptive, Google would have had reasonable grounds to believe that it had gained consent from its account holders to change the way those account holders' personal information was collected and used.