The Federal Trade Commission filed an administrative complaint against data analytics company Cambridge Analytica, and filed settlements for public comment with Cambridge Analytica’s former chief executive and an app developer who worked with the company, alleging they used deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting.
As part of a proposed settlement with the FTC, two of the defendants—app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix—have agreed to administrative orders restricting how they conduct any business in the future, and requiring them to delete or destroy any personal information they collected. Cambridge Analytica has filed for bankruptcy and has not settled the FTC’s allegations.
The FTC alleges that Cambridge Analytica, Nix, and Kogan cheated consumers by falsely claiming they did not collect any personally identifiable information from Facebook users who were asked to answer survey questions and share some of their Facebook profile data. The FTC separately announced that Facebook will pay a record-breaking $5 billion penalty and submit to new restrictions that will hold the company accountable for the decisions it makes about its users’ privacy as part of a settlement resolving allegations that the company violated a 2012 FTC privacy order.
Kogan is the developer of a Facebook application called the GSRApp—sometimes referred to as the “thisisyourdigitallife” app. The GSRApp asked its users to answer personality and other questions, and collected information such as the “likes” of public Facebook pages by the app’s users and by the “friends” in their social network. During the summer of 2014, the FTC alleges, Kogan, together with Cambridge Analytica and Nix, developed, used, and analyzed data obtained from the GSRApp. The information was used to train an algorithm that then generated personality scores for the app users and their Facebook friends. Cambridge Analytica, Kogan, and Nix then matched these personality scores with U.S. voter records. The corporation used these matched personality scores for its voter profiling and targeted advertising services
For this project, Kogan was able to re-purpose an existing app he had on the Facebook platform, which allowed the app to harvest Facebook data from app users and their Facebook friends. In April 2014, Facebook declared it would no longer agree app developers to access data from an app user’s Facebook friends. Facebook, however, allowed developers with existing apps on the Facebook platform to access this data for another year.
The FTC alleges that the GSRApp was able to take advantage of this access to collect Facebook profile data from 250,000 to 270,000 users of the GSRApp located in the United States, as well as 50 million to 65 million of those users’ Facebook friends, including at least 30 million identifiable U.S. consumers.
The app users were paid a nominal fee to take the GSRApp survey. Almost half of the app users, however, originally refused to afford their Facebook profile information. To address this issue, the GSRApp began telling app users that it would not “download your name or any other identifiable information—we are interested in your demographics and likes.”
The Commission alleges, however, that this was false, and that the GSRApp in fact collected users’ Facebook User ID, which connects individuals to their Facebook profiles, as well as other personal information such as their gender, birthdate, location, and their Facebook friends list.
In addition, the FTC alleges that Cambridge Analytica falsely claimed until at least November 2018 that it was a participant in the EU-U.S. Privacy Shield framework, even though the company allowed its certification to lapse in May 2018. The Privacy Shield establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. The FTC also declares that the company failed to adhere to the Privacy Shield requirement that companies that cease participation in the Privacy Shield affirm to the Department of Commerce, which maintains the list of Privacy Shield participants that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
As part of the proposed settlement with the FTC, Kogan and Nix are prohibited from making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information. In addition, they are required to delete or destroy any personal information collected from consumers via the GSRApp and any related work product that originated from the data.
The Commission vote to issue the proposed administrative complaint against Cambridge Analytica, and to accept the proposed consent agreements with Kogan and Nix, was 5-0. The FTC will publish a description of the consent agreement packages in the Federal Register soon. The agreements will be submit to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent orders final. Once processed, comments will be posted on Regulations.gov.