22 Dec 2021


A Selection of 2021 Cases that Marketers Should Know About

Even a global pandemic didn’t stop the ACCC, the OAIC and the ACMA from holding organisations accountable for their business practices. Here ADMA provides a summary of a couple of key cases from each regulator. The cases are all important to the data-driven marketing and advertising industry. So take note – it’s better to learn from the mistakes of others.

The Australian Competition and Consumer Commission (ACCC)

ACCC vs STA Travel - April 2021

Misleading advertisements promoting a flight change pass

The Australian Competition and Consumer Commission won a court case against STA Travel, with the Federal Court handing down $14m in penalties due to misleading advertisements promoting a flight change pass bought by an average of 64,000 customers across four years.

The ACCC started legal proceedings against the student and youth travel agency in March last year over the way STA Travel marketed its ‘Multiflex Pass’ product. The company admitted that for five years, between March 2014 and August 2019, it made misleading representations in ads for the airfare add-on by claiming customers could change their flights without paying fees or charges.

ACCC vs Employsure - April 2021

Misleading representations of being or being affiliated with a government agency

The Full Court found that Employsure had breached the Australian Consumer Law by making misleading representations that it was, or was affiliated with, a government agency, overturning the previous judgment that dismissed this claim at first instance.

The Google Ads, published between August 2016 and August 2018, featured headlines such as ‘Fair Work Ombudsman Help – Free 24/7 Employer Advice’ and ‘Fair Work Commission Advice – Free Employer Advice’ and appeared in response to search terms such as ‘fair work ombudsman’.

The Full Court found that Employsure’s Google Ads were misleading in large part because of the use of the government agency names in the largest and most prominent typeface, and because the ads omitted any reference whatsoever to Employsure.

Employsure’s ads were displayed to small businesses who were searching for workplace relations advice from the relevant government agency, the Fair Work Ombudsman. Employsure is a private company which is not affiliated with the government, and provides workplace relations advice to businesses under long-term contracts with on-going fees.

Over 100 complaints were received relating to Employsure, including from small businesses who had contacted Employsure after viewing a Google Ad and thought they were dealing with a government agency. The finding by the Full Federal Court sends a very strong message to internet advertisers that misleading consumers and small businesses by using combinations of words that are the same or similar to the names of government agencies to attract customers risks enforcement action and significant penalties.

ACCC vs Lorna Jane - July 2021

False and misleading representations in relation to anti-virus claims

The Federal Court ordered women’s activewear company Lorna Jane Pty Ltd (Lorna Jane) to pay $5 million in penalties for making false and misleading representations to consumers, and engaging in conduct liable to mislead the public, in connection with the promotion and supply of its “LJ Shield Activewear”.

Lorna Jane Pty Ltd admitted that, between 2 and 23 July 2020, it falsely represented to consumers that its LJ Shield Activewear “eliminated”, “stopped the spread” and “protected wearers” against “viruses including COVID-19”. The misleading representations were made on in-store signage, on its website, on Instagram, in emails to consumers and in media releases. The claims made by Lorna Jane about its LJ Shield Activewear included “Cure for the Spread of COVID-19? Lorna Jane Thinks So” and “LJ SHIELD is a groundbreaking technology that makes transferal of all pathogens to your Activewear (and let’s face it, the one we’re all thinking about is Covid-19) impossible by eliminating the virus on contact with the fabric”. “The whole marketing campaign was based upon consumers’ desire for greater protection against the global pandemic.”

Lorna Jane also admitted that it had falsely represented it had a scientific or technological basis for making the ‘anti-virus’ claims about its LJ Shield Activewear, when no such basis existed. Lorna Jane also admitted that director and Chief Creative Officer, Ms Lorna Jane Clarkson, authorised and approved the LJ Shield Activewear promotional material, was involved in crafting the words and developing the imagery used in the marketing campaign, and personally made some of the false statements contained in a media release and an Instagram video.

Before the start of a hearing on liability, Lorna Jane cooperated with the ACCC, making admissions and agreeing to make joint submissions regarding the imposition of penalties totalling $5 million.

The Office of the Australian Information Commissioner (OAIC)

Commissioner initiated investigation into 7-Eleven Stores Pty Ltd (Privacy) - September 2021

Breach of Privacy by collecting sensitive biometric information without proper consent

Australian Information Commissioner and Privacy Commissioner Angelene Falk determined that convenience store group 7-Eleven interfered with customers’ privacy by collecting sensitive biometric information that was not reasonably necessary for its functions, and without adequate notice or valid consent.

The Commissioner also found that 7-Eleven did not take reasonable steps to notify individuals about the facts and circumstances of collection, or the purpose of collecting their facial images and faceprints through the customer feedback mechanism, in breach of Australian Privacy Principle 5.1.

The investigation found customers’ facial images were used to generate algorithmic representations, or ‘faceprints’, which were compared with other faceprints to exclude responses that may not be genuine. The personal information was also used to give a broad understanding of the demographic profile of customers who completed the survey.

Commissioner initiated investigation into Clearview AI Inc. (Privacy) – October 2021

Breach of Privacy by scraping biometric information from the web and disclosing it through facial recognition. Joint investigation with the UK’s ICO.

Australian Information Commissioner and Privacy Commissioner found that Clearview AI, Inc. breached Australians’ privacy by scraping their biometric information from the web and disclosing it through a facial recognition tool.

The determination follows a joint investigation by the Office of the Australian Information Commissioner (OAIC) and the UK’s Information Commissioner’s Office (ICO). The investigation focused on the company’s use of data scraped from the internet and the use of biometrics for facial recognition.

The ICO and OAIC worked together on the evidence-gathering stage of the investigation. As both data protection authorities operate under their own country’s legislation, any outcomes are considered separately. Each authority has also been looking separately at their respective police forces’ use of the technology.

The Commissioner found that Clearview AI breached the Australian Privacy Act 1988 by:

  • collecting Australians’ sensitive information without consent
  • collecting personal information by unfair means
  • not taking reasonable steps to notify individuals of the collection of personal information
  • not taking reasonable steps to ensure that personal information it disclosed was accurate, having regard to the purpose of disclosure
  • not taking reasonable steps to implement practices, procedures and systems to ensure compliance with the Australian Privacy Principles.

The determination orders Clearview AI to cease collecting facial images and biometric templates from individuals in Australia, and to destroy existing images and templates collected from Australia.

Commissioner initiated investigation into the Australian Federal Police (Privacy)

The Australian Federal Police (AFP) has failed to comply with its privacy obligations in its use of the controversial Clearview AI facial recognition tool by not properly assessing the risks of using the technology.

The Commissioner released its determination on the AFP’s use of Clearview AI, finding that it failed to comply with its privacy obligations by not completing a privacy impact assessment (PIA) and that it also breached Australian Privacy Principle (APP) 1.2 by failing to take reasonable steps to implement practices, procedures and systems to track its use of the technology.

Clearview AI, based in the United States, offers a facial recognition app which allows users to upload a photo of an individual and have it matched with images in the company’s database of at least 3 billion images from around the internet. If a match is found, the tool provides a link to where the matching images are found online.

In October 2021, the OAIC found that Clearview had breached Australian Privacy rules through its automated and indiscriminate ‘collection of sensitive biometric information of Australians on a large scale for profit’.

From 2 November 2019 to 22 January 2020, members of the AFP’s Australian Centre to Counter Child Exploitation (ACCCE) used a free trial of Clearview AI’s app to upload facial images of persons of interest and victims in active cases. However, the OAIC found that the AFP did not complete a privacy impact assessment of using the tool before taking part in the trial, despite being required to do so for all high privacy risk projects. This is in breach of the Australian Government Agencies Privacy Code.

By failing to do a privacy impact assessment, “The AFP did not assess the risks to providing personal information to a third party located overseas, assess its security practices, accuracy or safeguards,” the OAIC said in the determination.

The privacy watchdog also found that the AFP failed to take “reasonable steps to implement practices, procedures and systems in relation to its use of Clearview AI”.

There were also gaps in the AFP’s systems to identify, track and accurately record the trial of the facial recognition tool, and in internal systems for identifying the collection and use of personal information and in its mandatory privacy training practices.

Whilst the Australian Information Commissioner ‘recognises that facial recognition and other high privacy impact technologies may provide public benefit where they are accompanied by appropriate safeguards,’ she also acknowledged that “there were a number of red flags about this third party offering that should have prompted a careful privacy assessment. By uploading information about persons of interest and victims, the ACCCE were handling personal information in a way that would have serious consequences for individuals whose information was collected.”

The OAIC has directed the AFP to engage an independent assessor to review and report back on residual deficiencies in its practices, procedures, systems and training in relation to privacy assessments and make any changes necessary. It has also been ordered to ensure relevant AFP personnel have completed an updated privacy training program.

Australian Communications and Media Authority

Over the past 18 months, businesses have paid over $2,100,000 for ACMA-issued infringement notices for breaking spam and telemarketing laws. ACMA has also accepted nine court-enforceable undertakings and issued ten formal warnings to businesses.

Below is an outline of the main infringement that incurred a fine and court-enforceable undertaking.

Breach of the Spam Act

Jan 2021 – Kogan Australia Pty Ltd has agreed to a court-enforceable undertaking and paid a $310,800 infringement notice for breaches of Australian spam laws.

An Australian Communications and Media Authority (ACMA) investigation found Kogan sent more than 42 million marketing emails to consumers from which they could not easily unsubscribe. Instead, Kogan required consumers to take additional steps: setting a password and logging into a Kogan account.

The ACMA found Kogan’s conduct breached the Spam Act, which requires commercial electronic messages to contain a functional unsubscribe facility.

The ACMA has accepted a three-year court-enforceable undertaking from Kogan, requiring it to appoint an independent consultant to review its systems, processes and procedures, and to implement any recommendations from the review. The undertaking covers Kogan Australia Pty Ltd and is applicable to all of the company’s trading names, including the Kogan and Dick Smith brands.

The undertaking also requires Kogan to train staff responsible for sending marketing messages and to regularly report back to the ACMA on actions taken in relation to consumer complaints.

Enforcement action for breaches of spam laws can include formal warnings, infringement notices, action in the Federal Court and accepting court-enforceable undertakings. Repeat corporate offenders can face court-imposed penalties of up to $1.11 million a day.

ACMA penalises financial services telemarketer for unlawful calls

Breach of Do Not Call

27 October 2021 - Information Support Australia Pty Ltd (trading as Super Information Team) has paid an infringement notice of $102,120 and will be subject to an independent review after the ACMA found it breached telemarketing rules.

An ACMA investigation into complaints about Super Information Team found it was responsible for 880 calls to phone numbers on the Do Not Call Register in October 2020. The calls were made by a third-party call centre and offered recipients a review of their superannuation and to connect them with a financial advisor. Unlawful financial services marketing is an ACMA compliance priority given the potential for harm involved, especially at a time when many Australians have been experiencing financial difficulties due to COVID-19 restrictions.

ACMA penalises telecommunications giant for ‘failing to protect the privacy and safety of its customers’

Breach of the Telecommunications Act

December 2021 – Telstra Corporation Limited has paid an infringement notice of $2.53 million after the ACMA found large-scale breaches of rules intended to protect the privacy and safety of consumers.

The ACMA investigation found almost 50,000 instances where Telstra failed to correctly upload a customer’s choice of an unlisted (or silent) number to the Integrated Public Number Database (IPND), meaning these numbers could be published in public phone directories or be available through directory services. The ACMA also found that Telstra failed to provide data to, or failed to update, the IPND for its Belong customers on over 65,000 occasions.

The IPND is made up of Australian phone numbers and their owner details, is used by public phone directories, and provides an important resource to support the work of Australia’s emergency services, law enforcement and national security agencies.

Telstra was one of 11 telecommunications providers that breached the same rules in 2019. While Telstra self-reported the latest issues, the repetition of major breaches of the rules led to the hefty fine.
