Why your Privacy Policy won’t Save You: ACCC Fines Facebook and Onavo $20 Million for Misleading Data Practices

The Federal Court has (again) confirmed that simply describing data practices in a privacy policy will not absolve an organisation from breaches of the law. In Australian Competition and Consumer Commission (ACCC) v Meta Platforms Inc [2023] FCA 842, the Federal Court accepted a settlement between the ACCC and Meta, which included payment by two of Meta’s subsidiaries, Onavo Inc (Onavo) and Facebook Israel Limited (Facebook Israel), of $20 million. This decision follows two earlier decisions of the Federal Court, where the ACCC was successful in fining organisations for contraventions of the Australian Consumer Law relating to data practices: in 2021, the Federal Court found Google misled certain consumers about collection of personal location data through its Android devices; and in 2020, the Federal Court ordered HealthEngine pay $2.9 million for inadequate disclosure to patients about sharing data with third parties.

These decisions of the Federal Court, and the success and on-going focus of the ACCC on the data practices of digital platforms, puts organisations on notice that privacy policies, and published terms and statements about privacy settings and data practices, is not simply the remit of the privacy regulator: organisations that mislead consumers as to their data handling practices risk action by the ACCC and considerable penalties under the Australian Consumer Law.


The Federal Court considered the claim by the ACCC that Onavo and Facebook Israel mislead consumers about how their data would be handled.

Onavo and Facebook Israel offered and advertised the software application “Onavo Protect”, available on the Google Play Store and the Apple App Store in Australia (the Listings). The application was installed by Australian users on 271, 220 separate occasions.

Onavo Protect was advertised to protect user information and keep data safe. The Listings contained a number of statements made by Onavo and Facebook Israel including: “Protect Your Personal Information For Free”, “Onavo Protect helps keep you and your data safe online” and “Use a secure VPN network for your personal info”.

However, the ACCC alleged (and Onavo and Facebook Israel ultimately admitted):

  • Onavo and Facebook Israel were using Onavo Protect to collect an extensive variety of user mobile data, including the users device information, online activity of the user (including what websites and applications were accessed by the user and for how long), location-related information and the user’s data usage.
  • The data collected through Onavo Protect was provided to their parent company Meta Platforms Inc (Meta) in an anonymous and aggregated form and Meta could also combine it with an Australian user’s Facebook account.
  • The data was ultimately used as a “business intelligence tool” (it provided Meta with a sample of users about whom they were able to know “nearly everything they are doing on their mobile device”) for a number of commercial purposes, including marketing and advertising, developing commercial strategies and improving product and services.1

Onavo and Facebook Israel’s misleading conduct

The ACCC, Onavo and Facebook Israel settled the proceedings and jointly submitted that the Federal Court impose a pecuniary penalty against Onavo and Facebook Israel in the amount of $20 million.

Onavo and Facebook Israel admitted that the statements they made while advertising Onavo Protect breached both section 18 (misleading or deceptive conduct) and section 33 (misleading the public as to the nature etc of goods) of the Australian Consumer Law (found in Schedule 2 to the Competition and Consumer Act 2010 (Cth)). They further admitted that adequate disclosures about how Australian user data would be used outside of Onavo Protect’s primary purpose were not made.

The relevant disclosures about how the data would otherwise be used was contained in Onovo Protect’s Terms of Service and Privacy Policy, which were available via links on a website that promoted the app. However, the parties agreed that this was not sufficiently prominent or proximate to the Listings and relevant statements made.

Justice Abraham was satisfied that the agreed penalty of $20 million was sufficient in the circumstances. His Honour was satisfied the penalty would act as a deterrence and it would not be regarded as an ‘acceptable cost of doing business’.

Key observations Abraham J made when coming to his conclusion included:

  • that the nature and circumstances of the contraventions are “undoubtedly serious” due to:
    • the fact the Listings conveyed Onavo Protect user’s data would be used for the primary purpose of the services and failed to mention the other purposes the data was collected for;
    • the context in which the data was collected, that is where a user expected the app would “protect [their] personal information” and “keep [their] data safe”, as the Listing promoted;
    • the conduct occurred in the context of Onavo and Facebook Israel advertising and promoting Onavo Protect and encouraging Australian users to download it; and
    • the extensive nature of the Australian user data collected and used by Meta for commercial application;
  • acceptance of ACCC submissions that the Terms of Service were 12 pages long, with no summary and did not disclose that user data would be provided to Meta.  It was not until after users were induced to download the app that they were asked to accept the Terms of Service, which referred the user to their privacy policy to understand how their data would be used;
  • that users who were likely to download Onavo Protect were concerned about their privacy, suffered harm in the form of the inability to make fully informed decisions about their data; and
  • that Onavo and Facebook Israel made admissions to contravening the Australian Consumer Law, agreed to make joint submissions on a penalty and previously cooperated and engaged with the ACCC investigation and subsequent litigation.

It was also ordered that Onavo and Facebook Israel pay a contribution of $400,000 to the ACCC’s costs of and incidental to the proceeding.

Organisations on notice

This decision by the Federal Court, along with the earlier decisions in the proceedings brought by the ACCC against Google and HealthEngine, puts organisations on notice that the ACCC views consumer data practices as a consumer law issue and an enforcement priority. This should not come as a surprise: the ACCC made clear its position in its final report of its Digital Platforms Inquiry in 2019 about the intersection between privacy, competition and consumer protection, which was re-iterated in its submission in response to the current Privacy Act Review:

“…robust data collection and privacy laws can enhance consumer protection by ensuring consumers receive accurate, intelligible information about entities’ data practices. This, in turn, can increase the transparency of digital platforms’ data practices, which can then help consumers make informed choices about which digital platform services to use, thus promoting effective competition on these issues.”

And the ACCC is not the only Australian regulator with “fair” data practices on its radar. The Office of the Australian Information Commissioner (OAIC) strongly supports the Government’s proposed reform to the Privacy Act to add an overarching principle of “fair and reasonable” handling of personal information. A practical implication of introducing this overarching principle is that organisations could not simply rely on notifying consumers about a data handling practice in their privacy policy, or obtaining consent, where such practice is not otherwise “fair and reasonable”. The ACCC has stated it supports the introduction of this principle, subject to clear and definitive guidance and the introduction of a number of other key proposals to strengthen the Privacy Act.

Even without these reforms to the Privacy Act, organisations that mislead consumers as to their data handling practices risk action by the ACCC and considerable penalties under the Australian Consumer Law. Organisations, particularly those selling and promoting applications and other digital services to consumers, should closely review their terms of use, privacy policies and collection notices, privacy settings, published statements and other promotional material to ensure they transparently and accurately reflects how consumers’ data will be handled. They should also look at how and when information about data practices is made available to the consumer, as well as any data sharing arrangements with third parties.

For more information, please contact Sophie Bradshaw

1Australian Competition and Consumer Commission v Meta Platforms Inc [2023] FCA 842 [9].