Artboard 1Icon/UI/CalendarIcons/Ionic/Social/social-pinterestIcon/UI/Video-outline

Meta slapped with $20M penalty for misleading consumers about use of personal activity data

11 October 2023

2 min read

#Data & Privacy, #Competition & Consumer Law

Published by:

Isabella Beale

Meta slapped with $20M penalty for misleading consumers about use of personal activity data

In July 2023, the Australian Consumer and Competition Commission (ACCC) won its lengthy court battle against Facebook Israel and Onavo Protect, two subsidiaries of the social media giant, Meta.

The subsidiaries were found to have breached the Australian Consumer Law (ACL) having deceived consumers by making false and misleading representations about Onavo Protect – an app advertised as a virtual private network (VPN). The app was downloaded by more than 270,000 Australians and claimed to “Keep You and Your Data Safe.”

From 2016 to 2018, Facebook Israel and Onavo collected the personal activity data of their users and disclosed it to Meta for commercial exploitation. The data was distributed to Meta in aggregated and anonymised form and included browsing history and app activity. 

The judgement found that the companies’ failure to notify Australians about the commercial use of their data deprived consumers “of the opportunity to make an informed choice about the collection and use of their data.”

ACCC Chair Gina Cass-Gottlieb further expressed concern that consumers “seeking to protect their privacy through a [VPN] were not told clearly that in downloading and using the app they were actually facilitating the use of their data for Meta’s commercial benefit” (see full statement here).

The court also accepted the ACCC’s submissions that it was significant that users of Onavo Protect were only asked to accept the Terms of Service after downloading the app. The Terms of Service were 12 pages long, had no summary and did not disclose that users’ data would be provided to Meta. Instead, users were required to follow a separate link to the Privacy Policy to understand how their data would be used. Whilst we would not consider this separation of Terms of Service and Privacy Policy unusual, in combination with other factors, the court considered that the conditions in the Terms of Service and Privacy Policy were not sufficient to modify the contravening conduct.

A warning for businesses who collect consumer data

The outcome of the ACCC’s case against Meta is an important reminder to businesses harvesting consumers’ data for commercial purposes to ensure that the claims they are making about the use of the data are true in every sense.

In this case, the data was aggregated and anonymised, so the data shared with Meta was arguably not personal information according to Australian privacy laws. However, the regulator clearly took issue with the app’s claims that the user’s data would only be used to provide the Onavo Protect VPN.

Key takeaways

Businesses should take care with claims around the collection and use of consumer data so they do not mispresent the purposes of collection, use and disclosure. Claims around privacy can easily turn into misleading and deceptive claims under the ACL.

If you have any questions about this article, please get in touch with a member of our team below.

The information in this article is of a general nature and is not intended to address the circumstances of any particular individual or entity. Although we endeavour to provide accurate and timely information, we do not guarantee that the information in this article is accurate at the date it is received or that it will continue to be accurate in the future.

Published by:

Isabella Beale

Share this