Consumer law breach leads to $20m penalty for Meta

Two subsidiaries of social media giant Meta have each been ordered to pay $10 million for breaching Australian Consumer Law.

In an action brought by the ACCC, Facebook Israel and Onavo Inc were found to have engaged in conduct liable to mislead, according to the Australian Federal Court. The Court declared that the two companies engaged in conduct liable to mislead the public in promotions for the Onavo Protect app, by failing to adequately disclose that users’ data would be used for purposes other than providing Onavo Protect, including Meta’s commercial purposes.

Onavo Protect, a free app providing a virtual private network (VPN) service, was installed more than 270,000 times by Australian users between February 2016 and October 2017.

In Google and Apple App Store listings, Onavo Protect was promoted as a product that would keep users’ data protected and safe, for example with language such as “Use a free, fast and secure VPN to protect personal information” and “Helps Keep You and Your Data Safe”.

In fact, Onavo and Facebook Israel shared the personal activity data from users collected by the app in anonymised and aggregated form with parent company Meta (then known as Facebook Inc) for commercial benefit.

“We took this case knowing that many consumers are concerned about how their data is captured, stored and used by digital platforms. We believe Australian consumers should be able to make an informed choice about what happens to their data based on clear information that is not misleading,” ACCC Chair Gina Cass-Gottlieb said.

Anonymised and aggregated data shared with Meta included data about users’ internet and app activity, such as records of every app they accessed and time they spent using those apps. This was used to support Meta’s market research activities.

In joint submissions to the Court, Facebook Israel and Onavo agreed that the App Store listings conveyed that Onavo Protect users’ data would only be used to provide the Onavo Protect VPN. The listings did not mention that data collected by Onavo Protect about its Australian users’ online activities was also used for other purposes, including as a ‘business intelligence tool’.

“In the case of the Onavo Protect app, we were concerned that consumers seeking to protect their privacy through a virtual private network were not clearly told that in downloading and using this app they were actually facilitating the use of their data for Meta’s commercial benefit,” Cass-Gottlieb said.

Facebook Israel and Onavo were also ordered to pay a contribution to the ACCC’s costs and consented to the declarations and costs order, and made joint submissions with the ACCC in relation to penalties.

Image credit: iStock.com/Kira-Yan