Australian Privacy Laws – Can your digital advertising business paper its way to compliance with local data privacy law?
Australian data privacy and consumer protection law is not complicated. Compared to the EU General Data Protection Regulation, the Privacy Act 1988 is a model of clarity and simplicity.
The Basics
- Any regulated entity – most businesses conducting business in Australia, including any business (however big or small) that discloses personal information about others for reward or benefit – must publish a privacy policy which states how, when and why the business collects, handles or discloses personal information about individuals.
- Businesses that collect personal information about an individual must also take reasonable steps to notify the individual about the collection, either at the time of collection or as soon as practicable after collection.
- If personal information is collected other than directly from the individual, prior consent of the individual is usually required.
- Wherever consent of an individual is alleged, a business must be ready to prove that the individual was fully informed about what they were being asked to consent to, that the individual had a real choice (so the consent was voluntary), that the consent was current and clear, and that the individual had capacity to give an informed consent.
When Do The Rules Apply?
These rules apply regardless of whether the relevant business practice is online or offline. A privacy policy may be published on the internet, and a privacy collection notice given online, but a privacy policy and a privacy collection notice must be provided for all of a business’ acts and practices. The Australian Consumer Law (ACL) statute is among the simplest and clearest of national consumer laws.
The most litigated provision in Australian Consumer Law, section 18(1), states that “a person must not, in trade or commerce, engage in conduct that is misleading or deceptive or is likely to mislead or deceive”. Section 29 states that a business must not make false or misleading representations that products or services have sponsorship, approval, performance characteristics, accessories, uses or benefits.
Why Do Many Australian Businesses Fail to Comply?
So why do many Australian businesses, including entities in the digital marketing and advertising services supply chain, fail to comply with these laws and end up exposed to multimillion dollar penalties?
Often the answer is simple. A reader might be surprised how many businesses appear to think that their privacy policy need only apply to interactions with individuals on a business’ website. Those businesses are wrong. The law is clear and longstanding. Those businesses are cruising for a regulatory punch that is about to get more bruising. The statutory penalties for contraventions of the Privacy Act are shortly to be substantially increased, and brought into line with the multimillion-dollar penalties for breaches of the ACL provisions as now frequently imposed by Federal Court judges.
There are some cases where online businesses engage in behavioural psychology gaming with online users. Such gaming includes design of choice architectures that make it unlikely that an online user will go to the bother of finding or reading privacy policies or notices buried deep in multiple links or in dense text within a policy or notice. Other games include setting toggles to favour the service provider and counting on most users not bothering to toggle to privacy protective settings.
Sometimes cases involve presentation of query results in a way that make it likely that a consumer will incorrectly assume that the first presented result best suits their query. Federal Court judges that hear online privacy and consumer protection cases now often hear evidence from behavioural economists about how online businesses are using behavioural gaming strategies. In some cases, such as Trivago N.V. v Australian Competition and Consumer Commission [2020] FCAFC 185, judges are finding that businesses are doing so and thereby engaging in misleading practices. The game is starting to be up for businesses engaging in gaming of online behaviour of users.
There are other cases which are more complicated. There is a tension between the requirement that:
- a business ensure that each individual is fully informed about how, when and why a business collects, handles or discloses personal information about that individual, and
- a business does not mislead consumers in descriptions of what the business does, or does not do.
Consumer Communication and Notification
Whenever a privacy policy or privacy notice starts “we take your privacy very seriously”, a business needs to be very sure that it really does, because otherwise the business is setting itself up for a fall.
The more that the requirements under the Privacy Act as to fully informed notice and consent are enforced, the greater the risk that a business states something in a notice that is misleading in context or by omission of a relevant detail, exception or qualification.
Privacy regulation and consumer protection regulation are becoming more closely intertwined, and legal actions by the ACCC are becoming a more common feature of regulation of online marketing practices. Even really well organised and well lawyered businesses can find themselves in legal trouble for a material omission.
Mr Justice Thawley of the Federal Court recently delivered judgement in Australian Competition and Consumer Commission v Google LLC (No 2) [2021] FCA 367. The evidence included internal Google communications regarding an article entitled “AP Exclusive: Google tracks your movements, like it or not” published by the Associated Press in August 2018. This article criticised the fact that Google retained users’ location information, even after a user had “paused” the Location History setting. The evidence was that after the publication of the AP Article, an urgent meeting was held between various Google employees, where the AP Article was discussed. This meeting later came to be referred to internally within Google as the “Oh Shit” meeting. Subsequently a document was circulated entitled “Making Location History simple”, which referred to works being carried out to “reduce user confusion re: how location is used across our products and services”. The evidence appears to confirm that Google’s descriptions in its privacy policy and notices as to how users could toggle geolocation privacy settings were correct, but incomplete. This incompleteness was at the heart of Mr Justice Thawley’s conclusion that some Google users that elected to toggle their settings might be misled as to the outcome of so toggling their settings.
Many businesses risk falling into a similar trap by either over-promising, or inadvertent omission, in their privacy policies and notices. Often the trap opens because drafting of privacy documents starts at the wrong place: if the drafter does not understand a business’ personal information handling practices, procedures and systems (written or otherwise) for the entity as a whole or for each of the entity’s key functions and activities, there is a significant risk of a policy or notice being misleading by omission. And important and unusual stuff cannot be buried (anymore).
Specific and Prominent Details
There should be specific and prominent detail on the areas of personal information handling that individuals are most concerned about, or may find objectionable.
- Why do you collect date of birth or age or health information?
- How are you going to protect it?
- Do you give or sell information about me to someone else without my knowledge or consent?
- Do you collect information about me from public sources, or from third party list brokers?
- Do you track me when I use your website? If so, what do you use the information for?
- Can I interact with you anonymously or pseudonymously?
Also, a privacy policy and notice must be easy to understand, regardless of whether a business thinks that the only people who choose to read them will be smart or highly literate. The Australian Privacy Commissioner’s guidance is that the drafting should be such that a 14-year-old would understand it, should not use legalistic terminology, jargon, acronyms or in-house terms, and should meet external readability standards.
Comprehension Challenge
Data governance of online identifiers, and business process in programmatic and other exchanges of consumer data in the digital advertising sector, are really hard to explain to non-technical grown-ups. Try explaining such practices in terms that a 14-year-old will understand. Many businesses in the digital advertising sector need to undertake this challenge, and do so quickly, noting again that increased penalties for non-compliance with the Privacy Act are just around the corner, and the ACCC sheriff is already in town, well-armed and shooting. A digital advertising business’ privacy lawyer and privacy officer cannot solve this problem on their own.
Best not to have your own ‘Oh Shit’ moment.
Peter Leonard
Principal, Data Synergies
IAB Australia’s Privacy Training Program provides a robust understanding of legal requirements for Australian media and marketing companies in handling consumer data.