The Federal Trade Commission issued an Opinion finding that the data analytics and consulting company Cambridge Analytica, LLC "engaged in deceptive practices to harvest personal information from tens of millions of Facebook users for voter profiling and targeting."
The Opinion also found that Cambridge Analytica engaged in "deceptive practices relating to its participation in the EU-U.S. Privacy Shield framework."
An administrative complaint issued in July alleged that Cambridge Analytica and its then-CEO Alexander Nix and app developer Aleksandr Kogan deceived consumers. Nix and Kogan agreed to settle the FTC’s allegations. Cambridge Analytica, which filed for bankruptcy in 2018, did not respond to the complaint, or to a motion submitted for summary judgment of the allegations.
The administrative complaint alleged that Kogan worked with Nix and Cambridge Analytica to enable Kogan’s GSRApp to collect Facebook data from app users and their Facebook friends. The complaint alleged that app users were falsely told the app would not collect users’ names or other identifiable information. The GSRApp, however, collected users’ Facebook User ID, which connects individuals to their Facebook profiles.
The complaint also alleged that Cambridge Analytica claimed it participated in the EU-U.S. Privacy Shield—which allows companies to transfer consumer data legally from European Union countries to the United States—after allowing its certification to lapse. In addition, the complaint alleged the company failed to adhere to the Privacy Shield requirement that companies that cease participation in the Privacy Shield affirm to the Department of Commerce, which maintains the list of Privacy Shield participants, that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
In its Opinion, the Commission found that Cambridge Analytica "violated the FTC Act through the deceptive conduct alleged in the complaint." The Final Order prohibits Cambridge Analytica from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information, as well as its participation in the EU-U.S. Privacy Shield framework and other similar regulatory or standard-setting organizations. In addition, the company is required to continue to apply Privacy Shield protections to personal information it collected while participating in the program (or to provide other protections authorized by law), or return or delete the information. It also must delete the personal information that it collected through the GSRApp.
The impact of the agency order is not immediately clear as the consulting firm is no longer in business.
The order comes after Facebook agreed in July to pay a record-breaking $5 billion fine to the FTC, in order to resolve a government probe into its privacy practices.