HealthEngine judgment: ACCC continues focus on privacy and collection and use of personal data
On 20 August 2020, the Federal Court ordered that online health booking platform HealthEngine Pty Ltd pay $2.9 million in penalties for contraventions of the Australian Consumer Law (ACL), including for inadequate disclosures to patients about the disclosure of their non-clinical data to third parties. You can read the decision here: ACCC v HealthEngine Pty Ltd [2020] FCA 1203.
The judgment comes less than a month after the Australian Competition and Consumer Commission (ACCC) commenced proceedings against Google LLC in the Federal Court for alleged contraventions of the Australian Consumer Law (ACL) relating to a 2016 change in Google's collection and use of users' personal data, for which the ACCC says Google failed to gain users' explicit informed consent.
The two cases demonstrate that the ACCC remains committed to following through on its 2020 compliance and enforcement priorities, which include competition and consumer issues relating to digital platforms.
Businesses should expect this to continue and expand as the ACCC increasingly focuses on issues arising from e-commerce and other aspects of the digital economy where consumer reliance has increased as a result of COVID-19.
HealthEngine judgment
Background
The ACCC began investigating HealthEngine in June 2018 and launched proceedings in August 2019, less than a month after it published the final report of its Digital Platforms Inquiry. The ACCC's concise statement alleged that HealthEngine engaged in misleading and deceptive conduct relating to the sharing of consumer information with insurance brokers and the publishing of patient reviews and ratings in connection with its online directory and booking system, which allows patients to book health consultations.
In announcing the proceedings, ACCC chair Rod Sims said: "Issues of transparency and adequate disclosure when digital platforms collect and use consumer data is one of the top priorities at the ACCC."
HealthEngine's misleading or deceptive conduct
HealthEngine settled the proceedings with the ACCC, which included making admissions that it engaged in various forms of false or misleading conduct in contravention of sections 18, 29 and 34 of the ACL.
HealthEngine was found to have breached sections 18, 29(1)(b) and 29(1)(e) of the ACL by:
- implementing a practice of not publishing negative patient reviews, editing patient feedback before it was published, and failing to disclose to consumers that it engaged in these practices (Ratings Conduct); and
- where more than 20% of participating patients said they would not recommend a health practice to others, publishing a notation on the directory entry for that health practice saying it had no rating because of insufficient data rather than a rating (Review Conduct).
In addition, HealthEngine admitted that, between April 2014 and June 2018, it engaged in misleading or deceptive conduct in relation to patient referrals.
During that period, HealthEngine had arrangements with nine different private health insurance brokers and was paid fees when referring patients to them. As part of its online booking process, HealthEngine asked patients whether they had private health insurance, and whether they wished to receive a call about health insurance comparison services or to assess their private health insurance needs. If a patient answered "yes" and subsequently made a booking, HealthEngine provided the patient’s non-clinical personal information (name, phone number, email, DOB, private health insurance details) to one of the nine insurance brokers.
By this conduct, the Court held that HealthEngine "used language which did not make it adequately clear that a third party (rather than HealthEngine) would provide the relevant services to Patients. Further, HealthEngine did not make it adequately clear that, if the Patient answered “yes”, the Patient’s non-clinical personal information would be sent to one of the Insurance Brokers." Accordingly, it found that HealthEngine had engaged in misleading conduct about the services being provided in contravention of s 18 and s 34 of the ACL.
ACCC's fresh claim against Google
The ACCC commenced proceedings against Google on 27 July 2020. The case follows the separate case against Google, due to be heard in November 2020, in connection with the collection, retention and use of users' location data on Android phones and tablets. You can read the ACCC's concise statement here.
The ACCC's case: Google failed to get users' informed consent for expanded scope of data collection and use
The ACCC's case focuses on Google's move in 2016 to expand the scope of personal information that it could collect and combine about users' internet activity, for use by Google, including for targeted advertising.
The ACCC alleges that following this change Google could combine personal information from use of Google's services (such as Gmail and YouTube) with information about those individuals’ activities on non-Google sites and apps that use Google technology, formerly DoubleClick technology, to display ads to users on a targeted basis. Previously, data about users’ non-Google online activity had been kept separately from users’ Google accounts and so was not linked to an individual user. The change meant Google could offer advertisers much more detailed information about users' online activity, and advertisers could in turn create highly targeted advertising based on users' Google and non-Google use of the internet.
The allegedly misleading conduct
The ACCC alleges Google misled consumers when it failed to properly or adequately inform consumers, and did not gain their explicit informed consent, for the change in its advertising business model, which was accompanied by a parallel change to its privacy policy.
Prior to June 2016, Google's privacy policy told account holders, “We will not combine DoubleClick cookie information with personally identifiable information unless we have your opt-in consent” (the DoubleClick Statement). Its privacy statement also told account holders “[w]e will not reduce your rights under this Privacy Policy without your explicit consent” (Explicit Consent Statement).
From 28 June 2016, Google account holders were prompted to click “I agree” to a pop-up notification from Google which stated:
- “Some new features of your Google account: We've introduced some optional features, giving you more control over the data Google collects and how it's used, while allowing Google to show you more relevant ads”;
- “More information will be available in your Google Account making it easier for you to review and control”; and
- “Google will use this information to make ads across the web more relevant for you.”
A simultaneous change to Google's privacy policy replaced the DoubleClick Statement with, "Depending on your account settings, your activity on other sites and apps may be associated with your personal information in order to improve Google's services and the ads delivered by Google".
The ACCC alleges that Google contravened the ACL in two ways:
- First, by its notification to users about the change in data collection practices, Google engaged in misleading or deceptive conduct by failing to inform, or adequately inform, account holders that Google had made the June 2016 update to its privacy policy, and that Google was seeking account holders' consent for the additional matters set out above. The ACCC alleges that users could not have properly understood the changes Google was making nor how their data would be used, and so did not and could not provide informed consent.
- Second, by making the Explicit Consent Statement, Google represented that it could not or would not reduce an Account Holder’s rights under Google’s Privacy Policy, without obtaining that Account Holder’s explicit consent. The ACCC alleges this was a false or misleading representation, because without users' explicit consent, Google reduced users' rights under the privacy policy by deleting the DoubleClick Representation, making the change to its privacy policy, and authorising Google to undertake the additional matters set out above.
According to ACCC Chairman Rod Sims, "many consumers, if given an informed choice, may have refused Google permission to combine and use such a wide array of their personal information for Google’s own financial benefit".
Intersection of consumer and privacy law
As we have previously observed, the HealthEngine judgment and the ACCC's latest case against Google yet again demonstrate how the ACCC views the intersection of privacy and consumer law in Australia. Companies, and particularly those that collect and use consumers' data, should be on notice that their privacy practices, in particular the adequacy of disclosures to procure consent, can land them in hot water with the ACCC.
While the ACCC waits for the Government's suite of promised changes in response to the recommendations of the Digital Platforms Inquiry, including a potential prohibition against "unfair business practices" which is being explored through Consumer Affairs Australia and New Zealand, the ACCC is continuing to use its existing consumer law toolkit to police companies' data collection practices.
These two proceedings demonstrate that the ACCC does not see itself in any way limited from bringing cases which arise in relation to privacy issues where the responsible regulator is the Office of the Australian Information Commissioner (OAIC). They also show how privacy and the ACL overlap in the world of e-commerce and the digital economy.
Review your privacy policies now in light of ACL compliance
All businesses that collect and use customers' personal data need to make sure they have reviewed their privacy policies, customer disclosures and data collection practices through the lens of the ACL. Relevantly, companies should make sure:
- clear, easily understood and specific disclosures are made to consumers about the collection and use of data, particularly in relation to the provision of that data to third parties (it will not be sufficient for disclosures to be buried in detailed terms of a privacy policy or terms of use);
- their privacy policies expressly require users' explicit informed consent be obtained prior to any change in data collection or use;
- the effect of any change is clearly and fully explained to users so that they can properly understand the changes and how their data will be used, and consideration is given to whether users should be afforded some transitional period before the change takes effect; and
- they carefully consider the use and scope of phrases such as "we will not reduce your rights under this Privacy Policy without your explicit consent".
If you would like help reviewing your data collection practices, please get in touch.