Many of us are familiar with the terms of service agreements appended to the software we use, but do you really read them? Or is it easier to just click through and use the app?
Lots of us are also interested in using virtual private networks (VPNs) to protect our browsing and search histories, and those people perhaps have a heightened sensitivity over how their personal data is used.
More than 270,000 Australians downloaded Facebook parent Meta’s “Onavo Protect VPN”, which was promoted as “Keep[ing] you and your data safe”. But these representations did not match up with the terms of service and how the data was actually used, and the case shows how such representations can come back and bite the companies issuing them.
Court ruling: False and misleading conduct
In July this year, the Australian Consumer and Competition Commission (ACCC) won its lengthy court battle against Facebook Israel and Onavo Protect, subsidiaries of Meta. Meta was slapped with a $20 million fine as a result of the court’s ruling.
At the heart of the case was the terms of service agreement – which ran to 12 pages, had no summary and required users to click a separate link to understand how their data would be used. Overall, it did not adequately disclose that Onavo and Facebook collected users’ browsing data through the VPN and disclosed it to Meta for commercial exploitation.
The judgement found the companies’ failure to notify Australians about the commercial use of their personal data deprived consumers “of the opportunity to make an informed choice about the collection and use of their data.”
The data, which along with browsing history also included app usage, was distributed to Meta in aggregated and anonymised form. It’s arguable that the data was not personal information because of this aggregation and anonymisation. However, the regulator took issue with the claims made about the app and the collected data, which its maker said would only be used to provide the Onavo Protect VPN and nothing more.
ACCC Chair Gina Cass-Gottlieb expressed concern that consumers “seeking to protect their privacy through a [VPN] were not told clearly that in downloading and using the app they were actually facilitating the use of their data for Meta’s commercial benefit.”
Takeaways for businesses who collect personal information
Data harvesting is widespread. Many companies ask for personal information, but some keep it beyond its useful life, leaving themselves open to data breaches. The Medibank and Optus hacks, which affected millions of Australians, demonstrate what happens when companies hold onto personal information that’s outlived its usefulness.
Also, importantly, businesses asking for and storing consumers’ personal information for commercial purposes must, as the Meta case makes clear, ensure the claims they make about the use of that data are true in every sense. They otherwise face substantial penalties for engaging in misleading conduct, particularly in their headline claims about the product.
This also means it is vital to provide a user agreement and summary that are easy to understand and explicitly outline how and why data is used, what type of data is collected and where it will be stored, along with clauses for aging out old data. As the Meta case shows, companies should not rely on redirecting consumers to another website to inform them of how their data is being used.
Finally, organisations must take care around the collection and use of personal data. Making sure they do not misrepresent the purposes of collection, use and disclosure is critical, as claims around privacy can easily turn into misleading and deceptive claims under Australian Consumer Law.
Emily Booth, Special Counsel, Holding Redlich