Is your privacy policy misleading?

Australian companies that collect customers’ personal information need to be concerned with more than just keeping that information secure.

In March this year, the Consumer Financial Protection Bureau (CFPB) fined US based, online payment platform Dwolla $100,000 for misleading consumers about its data security practices and storage of personal information.  Even though no privacy breaches occurred, Dwolla was ordered, in addition to the fine, to:

  • fix security flaws and stop misleading consumers about its data security practices;
  • train employees in data security policies and procedures, and
  • undertake data security risk assessments and audits.

Dwolla’s deceptive conduct included representations on their website that their data security practices “exceed industry standards” and that “all information is securely encrypted and stored”.

According to the Privacy Act 1988, entities have an obligation to take reasonable steps to protect any personal information collected from customers.  Further, they must have easily accessible privacy policies about the entity’s management of personal information, including how the entity collects and holds that personal information.  Any misrepresentation about those storage and security practices could amount to misleading and deceptive conduct.

Section 18 of the Australian Consumer Law (ACL) prevents a person from engaging in misleading or deceptive conduct in trade or commerce.  This provision has a similar effect to sections 1031(a) and 1036(a)(1) of the US’s Consumer Financial Protection Act of 2010, under which the CFPB was able to investigate Dwolla’s privacy policy.  As with the CFPB, the Australian Competition and Consumer Commission (ACCC) which administers the ACL, does not require a consumer to suffer loss in order to investigate misleading and deceptive conduct.

No direct pecuniary penalties apply to engaging in misleading and deceptive conduct and damages can only be awarded against a person in breach of section 18 if a plaintiff suffers actual loss.  However, in seeking to enforce the ACL, the ACCC can accept an undertaking from a person in breach of section 18 to remedy its misleading and deceptive conduct.  If the person breaches any terms of that undertaking, the ACCC can apply for a court order directing the person to pay an amount, up to the amount of any financial benefit that person has obtained, that is reasonably attributable to the breach.

A more pressing and likely financial consequence however, is that of simply being investigated for misleading and deceptive conduct in relation to data security and privacy practices.  An entity that is:

  • under investigation;
  • ordered to change its privacy policy to make it more transparent; or
  • ordered to improve its security practices,

is an entity that is going to lose business.

A breach in security is no longer necessary for a consumer to lose faith in an entity’s ability to keep their personal information secure.

For further information, please contact:

Kathryn Speed
M: 0408 446 013

Copyright © 2020 Page Seager. Privacy Statement Privacy Policy