Determining that the company sought to harvest personal information from millions of Facebook users for voter profiling and targeting, the Commission ordered the company to stop the alleged misrepresentations and to protect, return, or delete certain personal information.
In unanimously deciding to issue an opinion and administrative order against Cambridge Analytica, LLC, a data analytics and consulting company, the FTC found that the company violated Section 5 of the FTC Act by engaging in "deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting." Moreover, the Commission determined that Cambridge Analytica "engaged in deceptive practices relating to its participation in the EU-U.S. Privacy Shield framework." Accordingly, the Commission’s order prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects personal, private, or confidential information, and about the extent of its participation in the EU-U.S. Privacy Shield framework or other "regulatory or standard-setting organizations." Further, the company, which is currently in bankruptcy proceedings, must continue to apply for Privacy Shield protections concerning personal information it collected or must return or delete the information. Similarly, Cambridge Analytica must "delete the personal information that it collected through the GSRApp," an app that the FTC determined was used by the company to collect users’ "Facebook User ID, which connects individuals to their Facebook profiles" (In the Matter of Cambridge Analytica, LLC,FTC Dkt. No. 9383).
In its July 2019 administrative complaint, the FTC staff alleged that Cambridge Analytica and its then-CEO Alexander Nix and app developer Aleksandr Kogan deceived consumers. In contrast to Nix and Kogan who agreed to settle the Commission’s allegations, Cambridge Analytica did not respond to the complaint, nor did it respond to Complaint Counsel’s request for a summary decision on the allegations. The company filed for bankruptcy in 2018.
According to the FTC complaint: (i) Kogan worked with Nix and Cambridge Analytica to enable Kogan’s GSRApp to collect Facebook data from app users and their Facebook friends: (ii) app users were falsely told that the app would not collect users’ names or other identifiable information; (iii) the GSRApp, however, did collect the users’ Facebook User ID, which connects individuals to their Facebook profiles; (iv) Cambridge Analytica claimed that it participated in the EU-U.S. Privacy Shield, a framework that "allows companies to transfer consumer data legally from European Union countries to the United States," even though the company had allowed its EU-U.S. Privacy Shield certification to lapse; and (v) Cambridge Analytica otherwise failed to adhere to Department of Commerce requirements regarding the protection of personal information.
Commission opinion. In its just-released opinion, the FTC noted that because Cambridge Analytica failed to file an answer to the administrative complaint or to oppose Complaint Counsel’s Motion for Summary Decision, "there is no genuine issue of material fact in this case." The Commission ultimately concluded that Cambridge Analytica violated Section 5 of the FTC Act (15 U.S.C. § 45) by "means of its false and deceptive representations to Facebook users who authorized the GSRApp, and by false and deceptive statements on its website regarding its participation in Privacy Shield and its adherence to Privacy Shield program principles."
More specifically, granting the Complaint Counsel’s Motion for Summary Decision on several counts, the FTC determined that Cambridge Analytica’s: (i) "representation to App Users who authorized the GSRApp that it would not collect their identifiable information was a false and material, and hence deceptive, claim"; (ii) "express representation that it remained a participant in the Privacy Shield framework after its certification had lapsed was false and material, and hence deceptive"; and (iii) "representation that it was in compliance with Privacy Shield principles was false and material, and hence deceptive."
Order. The Commission issued an administrative order, effective for 20 years, which:
- prohibits Cambridge Analytica and its agents from misrepresenting the extent to which they protect "the privacy and confidentiality of any Covered Information," including the extent to which (and the purposes for which) they "collect, use, share, or sell any Covered Information";
- prohibits Cambridge Analytica and its agents from misrepresenting the extent to which it participates in the EU-U.S. Privacy Shield framework, the Swiss-U.S. Privacy Shield framework, the APEC Cross-Border Privacy Rules, or any other privacy or security program sponsored by a government, self-regulatory, or standard-setting organization;
- requires Cambridge Analytica and its agents to meet and satisfy continuing obligations under the EU-U.S. Privacy Shield framework and otherwise must protect, retain, return, or delete certain personal information as specified in the order;
- requires Cambridge Analytica and its agents to delete the specified personal information that the company collected through the GSRApp; and
- requires Cambridge Analytica and its agents to make available to the FTC various corporate documents, records, and data.
Attorneys: Linda Holleran Kopp, Federal Trade Commission. Salvatore LaMonica (LaMonica Herbst & Maniscalco, LLP) for Cambridge Analytica, LLC.
Companies: Cambridge Analytica, LLC; Facebook
MainStory: TopStory ConsumerProtection FederalTradeCommissionNews Privacy CyberPrivacyFeed Enforcement
Interested in submitting an article?
Submit your information to us today!Learn More
Antitrust Law Daily: Breaking legal news at your fingertips
Sign up today for your free trial to this daily reporting service created by attorneys, for attorneys. Stay up to date on antitrust legal matters with same-day coverage of breaking news, court decisions, legislation, and regulatory activity with easy access through email or mobile app.