Google’s systematic collection of Android users’ location data has cost it $60 million, after a Federal Court order penalised the company for misleading the owners of 1.3 million Australian accounts about how to prevent their phones from tracking their locations.

The fine is the latest phase in a long-running ACCC enforcement action – the first to arise from the ongoing Digital Platforms Inquiry – alleging that between January 2017 and December 2018, screens in Google’s Android mobile operating system told users they could stop the phone collecting location data by switching off the ‘Location History’ setting.

Location History tracks a user’s movements and routes taken in the past, and its data can be viewed in the Google Maps Timeline at any time.

Users were not informed that they also needed to turn off another setting – entitled Web & App Activity (WAA) – that is turned on by default and putatively used by Google to personalise activity like web searches, map guidance, and browsing activity.

During the time in question, an April 2021 court decision had concluded, the Android operating system represented to some users that Location History was the only setting that controlled Google’s use of personally identifiable data about their location.

However, turning off Location History did not turn off WAA – leaving the location data of up to 1.3 million accounts available to Google for targeted advertising to consumers.

“This is a serious matter,” Federal Court Justice Tom Thawley wrote in the order, in which he noted that “some Australian users who navigated the screens… would not have been aware of Google’s retention and use of their personal location data when the Location History setting was turned ‘off’ and the WAA setting was turned ‘on’.”

“The position of the consumers is highly significant [and] location data is sensitive and important to at least some Australian users,” he continued.

“Those users were misled and some of them are likely to have made different choices about the collection, storage and use of their location data had the representations not been made.”

In calculating the penalty, the Court evaluated three different contravention scenarios as Google progressively redesigned the screens controlling Location History and WAA.

Each time an Android user viewed one of the misleading screens, Google was deemed to have contravened the Australian Consumer Law (ACL) another time – theoretically attracting a fine of $1.1 million or $10 million.

“The number of contraventions is a function of the number of times the screens were observed by consumers,” Thawley wrote, noting that “each category of contravention involved the repeated publication of the same material, [and] the contraventions in each of the three categories arose by reason of the underlying design of the relevant screens.”

The order also binds Google to undertake regular staff training about the ACL’s protections against false, misleading or deceptive conduct – and to report annually to demonstrate its continued compliance.

A warning shot across Big Tech’s bow

ACCC chair Gina Cass-Gottlieb flagged the fine as a victory for the campaign to rein in the activities of Big Tech companies such as Facebook and Google – which, one recent analysis found, collects more personal information about its users than its rivals.

The “significant penalty”, she said as the fine was announced, “sends a strong message to digital platforms and other businesses, large and small, that they must not mislead consumers about how their data is being collected and used.”

“Personal location is sensitive and important to some users,” she continued, warning that “companies need to be transparent about the types of data they are collecting, and how the data is collected and may be used, so that consumers can make informed decisions about who they share that data with.”

Earlier this year, agencies including the ACCC, Australian Communications and Media Authority (ACMA), eSafety Commissioner and Office of the Australian Information Commissioner (OAIC) banded together to form the new Digital Platform Regulators Forum (DP-REG).

After years of working through a ‘dog’s breakfast’ of regulations, the formation of the DP-REG portends an era of more focused regulation that has already seen social-media giants forced to negotiate revenue-sharing agreements with news publishers – a conflict that saw Facebook intentionally ban Australian news sites – and slammed over their domination of online advertising markets.

Regulators around the world have become increasingly assertive in addressing perceived unfair or misleading practices by tech giants, with the EU’s Digital Services Act boosting consumer powers and the US government recently moving to blacklist TikTok and proactively ban Facebook parent company Meta from buying its way into a metaverse monopoly.