On July 24, the Federal Trade Commission filed an administrative complaint against Cambridge Analytica, alleging that the company deceived consumers by falsely claiming it did not collect any personally identifiable information from Facebook users. The FTC alleges that Cambridge Analytica in fact collected users’ Facebook User ID—which can include users’ real names—as well as other personal information such as their gender, birthdate, location, and their Facebook friends list. Cambridge Analytica then used this information to generate personality scores, which it matched with U.S. voter records to offer voter profiling, microtargeting, and other services to U.S. campaigns and clients.
In 2013, Cambridge Analytica and its then-CEO Alexander Nix developed an interest in research suggesting that a person’s “likes” of public Facebook pages could be used to predict a host of personality traits. They worked with Aleksandr Kogan, the developer of a Facebook application called the GSRApp or the “thisisyourdigitallife” app.
The app paid users a nominal fee to take a personality survey, but nearly half of the app users originally refused to provide their Facebook profile information. To get users to give up their data, the GSRApp began telling users that it would not “download your name or any other identifiable information.” The FTC alleges, however, that this claim was false and that the GSRApp in fact collected users’ personally identifiable information.
The app went even farther, the FTC alleges, by using a Facebook developer tool that allowed the GSRApp to collect personal information about app users’ Facebook “friends”—people who had no interaction with the GSRApp. Facebook announced in April 2014 that it would no longer allow developers to collect profile data from app users’ friends but grandfathered existing apps such as the GSRApp. That decision was addressed in a separate settlement between the FTC and Facebook. In total, according to the FTC’s complaint, Cambridge Analytica surreptitiously collected data from between 250,000 and 270,000 U.S. users and between 50 million and 65 million of those users’ Facebook Friends, including around 30 million identifiable U.S. consumers.
The FTC’s complaint also alleges that Cambridge Analytica falsely claimed that it was a participant in the E.U.-U.S. Privacy Shield framework after its certification lapsed in May 2018. The Privacy Shield regulates the transfer of consumer data from E.U. countries to the U.S. and provides protections to personal information collected by a company participating in the program. Cambridge Analytica allegedly failed to affirm to the Department of Commerce that it would continue to apply the Privacy Shield protections after its certification lapsed, as required by the Privacy Shield law.
Nix and Kogan have entered into a proposed settlement with the FTC in which they are prohibited from making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information. They are also required to delete or destroy any personal information collected via the GSRApp and any related work product that used the data. A description of the consent agreements will soon be published in the Federal Register and will be subject to public comment for 30 days from publication. After that, the FTC will decide whether to make the proposed consent orders final. Cambridge Analytica has filed for bankruptcy and has not settled with the FTC.