Australasian Science: Australia's authority on science since 1938

The ACCC is suing Google for misleading millions. But calling it out is easier than fixing it

By Katharine Kemp, Senior Lecturer, Faculty of Law, UNSW, and Academic Lead, UNSW Grand Challenge on Trust, UNSW

Shutterstock

Australia’s consumer watchdog is suing Google for allegedly misleading millions of people after it started tracking them on non-Google apps and websites in 2016.

The Australian Competition and Consumer Commission (ACCC) says Google’s pop-up notification about this move didn’t let users make an informed choice about the increased tracking of their activities.

Google uses some of this data in its targeted advertising business. It can also collect sensitive information about us from third-party websites and apps which it may use in its non-advertising businesses.

The ACCC isn’t the first to claim Google hasn’t been straight about how it uses our data, nor is this the first time it has sued Google.

But even if Google gave us the whole story, what can we actually do about growing surveillance?




Read more:
Every step you take: why Google's plan to buy Fitbit has the ACCC's pulse racing


Google tracks your activities beyond Google

While it would take a separate article to list all the ways Google tracks your activities online and offline, the ACCC is concerned about two of the company’s data practices in particular.

First, Google has been collecting data about what you do on websites that may not seem related to Google at all. This is combined with other data collected by Google’s own services including YouTube, Gmail, Google Maps and Chrome.

The reason Google can do this is that third-party websites and apps also use Google’s services, such as ad serving or Google Analytics.

Their agreements with Google allow it to embed its technology into the websites and apps and send your activity information back to Google, without alerting you.

Second, the ACCC is concerned Google has combined its own extensive Google account holder datasets with personal data collected by ad tech company DoubleClick, which Google acquired in 2007.
This is despite Google initially claiming it wouldn’t do this without users opting in.

The data Google collects, and how it’s used

Google’s technologies are embedded in millions of third-party websites (and likely many of the ones you use).

So it’s well placed to collect data about your online activities, including research you might do on intimate topics such as depression, miscarriage, abortion, diabetes, weight loss, heart disease, divorce, erectile dysfunction and so on.

Google can then combine this data with the information it already has about you from its own services, such as where you live, what you buy, where you go and who you associate with.

Google says it doesn’t use users’ health data or other “sensitive” data for its targeted advertising business. But it does not promise it won’t collect such sensitive data, keep it, combine it with data about our other activities or use it for non-advertising business purposes.

For example, Google has made moves to enter various health services markets. And there’s speculation it may start supplying health products and life insurance in future.

Further, unless you have changed the “ad personalisation” settings in your Google account, Google can use data from third-party sites which it does not classify as “sensitive” to target you with ads. This data could include whether you’re searching for baby clothes, travel insurance, retirement living, or a house in a specific suburb.

But even if you have opted out of personalised ads, Google’s privacy policy doesn’t say it will stop collecting and retaining the data itself.


Online search for 'depression'.https://images.theconversation.com/files/349808/original/file-20200728-2... 1200w, https://images.theconversation.com/files/349808/original/file-20200728-2... 1800w, https://images.theconversation.com/files/349808/original/file-20200728-2... 754w, https://images.theconversation.com/files/349808/original/file-20200728-2... 1508w, https://images.theconversation.com/files/349808/original/file-20200728-2... 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">

Google has access to enough information to build highly detailed profiles of users, covering different aspects of their lives.
Shutterstock

What was misleading?

The ACCC claims Google’s 2016 notification about its increased tracking was misleading. The notice led with the benign headline, “Some new features for your Google Account”, followed by:

We’ve introduced some optional features for your account, giving you more control over the data Google collects and how it’s used, while allowing Google to show you more relevant ads.

The statements further down in the notification were arguably unclear about what Google actually planned to change. The ACCC says the notification was misleading because:

Consumers could not have properly understood the changes Google was making nor how their data would be used and so did not – and could not – give informed consent.

It claims Google also misled consumers by stating in its privacy policy that it would not reduce users’ rights under the policy without their explicit consent, but then did exactly that.




Read more:
94% of Australians do not read all privacy policies that apply to them – and that’s rational behaviour


Privacy concerns warrant legal backing

In this case, the ACCC’s issue is that Google didn’t give consumers the real story about its plan to vastly increase personal data collection and use this information for commercial purposes. The ACCC’s action against Google should be a warning to all companies that currently fudge their privacy terms.

But what if Google had been transparent and the pop-up box instead said: “we are going to start collecting your personal data whenever you use third-party websites or apps that use Google technologies”?

Given the millions of websites using Google technologies, is it even possible for consumers to avoid this?

In Germany, the Federal Cartel Office last year found Facebook had abused its dominance by insisting on collecting users’ personal data via embedded technologies on non-Facebook websites and apps.

It argued Facebook’s market power gave it the ability to impose these practices on users, even against their wishes.

Australia does not have an “abuse of dominance law” to address single-firm exploitative conduct, such as raising prices or imposing intrusive privacy terms. Facebook currently collects data about Facebook users – and even non-users – from third-party websites and apps in Australia, without alerting us.


Facebook logo with multiple 'dislike' buttons.https://images.theconversation.com/files/349811/original/file-20200728-2... 1200w, https://images.theconversation.com/files/349811/original/file-20200728-2... 1800w, https://images.theconversation.com/files/349811/original/file-20200728-2... 754w, https://images.theconversation.com/files/349811/original/file-20200728-2... 1508w, https://images.theconversation.com/files/349811/original/file-20200728-2... 2262w" sizes="(min-width: 1466px) 754px, (max-width: 599px) 100vw, (min-width: 600px) 600px, 237px">

Facebook has also come under fire for tracking its users’ activities on non-Facebook websites.
Shutterstock

The ACCC may succeed in proving misleading conduct by Google. And it might obtain a substantial fine against Google – potentially up to 10% of Google’s turnover in Australia.

But to stop tech giants from doing whatever they like with our data, we’ll need to consider a broader law against unfair practices.




Read more:
Australia's privacy watchdog is taking Facebook to court. It's a good start


The Conversation

Katharine Kemp receives funding from The Allens Hub for Technology, Law and Innovation. She is a Member of the Advisory Board of the Future of Finance Initiative in India, the Centre for Law, Markets & Regulation and the Australian Privacy Foundation.


Originally published in The Conversation.