Three lessons learned from the HealthEngine Case
The ACCC recently chalked up another victory as part of a recent spate of enforcement efforts targeted at online businesses in the wake of its Digital Platform Inquiry which concluded last year.
The overarching lesson here is quite simple. If you are not transparent in your dealings with consumers (and this includes telling them some of the facts but not all of them), whether intentionally or not, then you may be engaging in misleading or deceptive conduct in breach of the Australian Consumer Law.
In this recent case, HealthEngine’s misleading conduct and business practices cost it $2.9 million in penalties. As the ACCC’s chairman, Rod Sims put it:
These penalties and other orders should serve as an important reminder to all businesses that if they are not upfront with how they will use consumers’ data, they risk breaching the Australian Consumer Law.
Background
HealthEngine operates a website that allows users to search and book medical and health-related appointments with health practices that choose to participate.
The ACCC began investigating complaints regarding HealthEngine’s practices on its website in July 2018, and matters came to a head in August 2019 when it launched Federal Court proceedings based broadly on the following allegations:
- HealthEngine had manipulated the user reviews it published in several ways
- it had mispresented to consumers why it did not publish a rating for some health practices
- it misled consumers into thinking that their personal information would stay with HealthEngine, but in fact, consumers’ non-clinical information was being sent to insurance brokers.
HealthEngine admitted certain contraventions of the Australian Consumer Law and cooperated with the ACCC investigation.
So What did HealthEngine Do Wrong?
The relevant conduct relates to HealthEngine’s activities between April 2014 and June 2018.
HealthEngine’s impugned conduct relates to three different aspects of its website; user reviews, practice ratings and referrals to insurance brokers.
User Reviews
HealthEngine sent a follow-up survey to users who had booked appointments through the platform, to determine whether they would recommend the relevant health practice to others.
In processing these user reviews, HealthEngine:
- did not publish negative reviews it received (including disregarding reviews where the user indicated that they would not recommend the health practice to others)
- effectively “sanitised” other reviews by editing the feedback to remove negative comments, changing the meaning of others and/or embellishing them
- sent users who had submitted a review an email with a link to their published review and a note explaining that it may have been modified, with no further explanation.
The ACCC’s obvious concern here was that this practice created an inaccurate impression of consumers’ experiences at the various health practices on HealthEngine, and that other consumers may have relied on these manipulated reviews when making their own appointments through the platform.
Health Practice Ratings
HealthEngine also used the information from the survey above to calculate and publish ratings for health practices.
If 80% or more of users answered that they would recommend the practice to others, then HealthEngine published a rating for that practice. For practices that did not reach the 80% threshold, HealthEngine either indicated that there was no rating or that there was insufficient data to calculate one.
Clearly HealthEngine had the data to publish a rating but chose not to do so where the 80% threshold had not been met. The ACCC’s concern here was that, again, the conduct was likely to create a more positive impression of the health practices on HealthEngine’s website.
Referrals to Insurance Brokers
HealthEngine made commissions from referring its users to a network of private health insurance brokers. As part of earning its commission, it would send brokers personal (but nonclinical) information (including name, date of birth, contact details, and type of health practice visited) to allow their brokers to make direct contact with the user.
The process was voluntary, in the sense that personal information was only provided to brokers where a user ticked a box agreeing to be contacted about health insurance. That said, HealthEngine’s explanation on its website did not make it adequately clear that:
- a third party insurance broker (rather than HealthEngine) would provide the relevant services to users
- the user’s personal information would be sent to a third party insurance broker.
Outcome
HealthEngine cooperated with the ACCC’s investigation and admitted certain contraventions of the Australian Consumer Law. The parties reached agreement as to the orders they considered the court should make and, after considering the parties’ joint submissions, the court made the orders proposed by the parties.
The financial penalties took into account the period over which the conduct occurred, whether financial loss was suffered by consumers, HealthEngine’s financial gain resulting from the conduct, whether HealthEngine had intended to mislead consumers, and its recent revenue figures.
HealthEngine’s largest penalty related to the insurance broker referrals. This conduct attracted a penalty of $1.4 million, suggesting that the ACCC is seeking to deter other businesses who are less than transparent about how they handle their users’ personal information.
The penalty for manipulating user reviews was agreed at $1.2 million and the penalty for publishing misleading health practice ratings was $300,000.
In addition to these heavy financial penalties, HealthEngine also agreed (and was ordered) to:
- arrange for an annual independent review of its compliance program to be undertaken for 3 years
- contact users whose personal information was provided to insurance brokers to explain the situation and provide them an opportunity to request the relevant broker delete their information.
The Court also ordered HealthEngine to contribute $50,000 towards the ACCC’s costs (in addition to absorbing its own costs).
Lessons
In some ways, the compliance risks for online platforms are greater than traditional “brick and mortar” businesses. The way you conduct your business is out there for everyone to see, including the ACCC.
This recent case highlights the importance for business who provide online platforms to:
- be clear and transparent in their explanations and policies (including privacy policies) about how their customers’ personal information will be collected and handled, and to whom it will be disclosed
- avoid implementing practices and building algorithms and other mechanisms (such as the ratings system used by HealthEngine) that distort the truth or only tell part of the story
- be honest and open in their dealings with customers generally.
How We Can Help
We routinely advise businesses that operate online platforms on their compliance obligations under the Australian Consumer Law. If you have any questions specific to your business and its activities, please don’t hesitate to give one of our team a call.