IP Spotlight September 15

REFERRALS TO I NSURANCE BROKERS HealthEngine made commissions from referring its users to a network of private health insurance brokers. As part of earning its commission, it would send brokers personal (but non- clinical) information (including name, date of birth, contact details, and type of health practice visited) to allow their brokers to make direct contact with the user. The process was voluntary, in the sense that personal information was only provided to brokers where a user ticked a box agreeing to be contacted about health insurance. That said, HealthEngine’s explanation on its website did not make it adequately clear that: – – a third party insurance broker (rather than HealthEngine) would provide the relevant services to users – – the user’s personal information would be sent to a third party insurance broker. OUTCOME HealthEngine cooperated with the ACCC’s investigation and admitted certain contraventions of the Australian Consumer Law. The parties reached agreement as to the orders they considered the court should make and, after considering the parties’ joint submissions, the court made the orders proposed by the parties. The financial penalties took into account the period over which the conduct occurred, whether financial loss was suffered by consumers, HealthEngine’s financial gain resulting from the conduct, whether HealthEngine had intended to mislead consumers, and its recent revenue figures. HealthEngine’s largest penalty related to the insurance broker referrals. This conduct attracted a penalty of $1.4 million, suggesting that the ACCC is seeking to deter other businesses who are less than transparent about how they handle their users’ personal information. The penalty for manipulating user reviews was agreed at $1.2 million and the penalty for publishing misleading health practice ratings was $300,000.

HOW WE CAN HELP We routinely advise businesses that operate online platforms on their compliance obligations under the Australian Consumer Law. If you have any questions specific to your business and its activities, please don’t hesitate to give one of our team a call.

In addition to these heavy financial penalties, HealthEngine also agreed (and was ordered) to:

– – arrange for an annual independent review of its compliance program to be undertaken for 3 years – – contact users whose personal information was provided to insurance brokers to explain the situation and provide them an opportunity to request the relevant broker delete their information. The Court also ordered HealthEngine to contribute $50,000 towards the ACCC’s costs (in addition to absorbing its own costs). LESSONS In some ways, the compliance risks for online platforms are greater than traditional “brick and mortar” businesses. The way you conduct your business is out there for everyone to see, including the ACCC. – – be clear and transparent in their explanations and policies (including privacy policies) about how their customers’ personal information will be collected and handled, and to whom it will be disclosed – – avoid implementing practices and building algorithms and other mechanisms (such as the ratings system used by HealthEngine) that distort the truth or only tell part of the story – – be honest and open in their dealings with customers generally. This recent case highlights the importance for business who provide online platforms to:

ADRIAN HUBER Special Counsel

ALEX CHUBB Special Counsel

6 | wrays.com.au

wrays.com.au | 7