In July 2023, the Australian Consumer and Competition Commission (ACCC) won its lengthy court battle against Facebook Israel and Onavo Protect, two subsidiaries of the social media giant, Meta.

The subsidiaries were found to have breached the Australian Consumer Law (ACL) having deceived consumers by making false and misleading representations about Onavo Protect – an app advertised as a virtual private network (VPN). The app was downloaded by more than 270,000 Australians and claimed to "Keep You and Your Data Safe."

From 2016 to 2018, Facebook Israel and Onavo collected the personal activity data of their users and disclosed it to Meta for commercial exploitation. The data was distributed to Meta in aggregated and anonymised form and included browsing history and app activity.

The judgement found that the companies' failure to notify Australians about the commercial use of their data deprived consumers "of the opportunity to make an informed choice about the collection and use of their data."

ACCC Chair Gina Cass-Gottlieb further expressed concern that consumers "seeking to protect their privacy through a [VPN] were not told clearly that in downloading and using the app they were actually facilitating the use of their data for Meta's commercial benefit" (see full statement here).

The court also accepted the ACCC's submissions that it was significant that users of Onavo Protect were only asked to accept the Terms of Service after downloading the app. The Terms of Service were 12 pages long, had no summary and did not disclose that users' data would be provided to Meta. Instead, users were required to follow a separate link to the Privacy Policy to understand how their data would be used. Whilst we would not consider this separation of Terms of Service and Privacy Policy unusual, in combination with other factors, the court considered that the conditions in the Terms of Service and Privacy Policy were not sufficient to modify the contravening conduct.

A warning for businesses who collect consumer data

The outcome of the ACCC's case against Meta is an important reminder to businesses harvesting consumers' data for commercial purposes to ensure that the claims they are making about the use of the data are true in every sense.

In this case, the data was aggregated and anonymised, so the data shared with Meta was arguably not personal information according to Australian privacy laws. However, the regulator clearly took issue with the app's claims that the user's data would only be used to provide the Onavo Protect VPN.

Key takeaways

Businesses should take care with claims around the collection and use of consumer data so they do not mispresent the purposes of collection, use and disclosure. Claims around privacy can easily turn into misleading and deceptive claims under the ACL.

This publication does not deal with every important topic or change in law and is not intended to be relied upon as a substitute for legal or other advice that may be relevant to the reader's specific circumstances. If you have found this publication of interest and would like to know more or wish to obtain legal advice relevant to your circumstances please contact one of the named individuals listed.