Washington, DC - The Federal Trade Commission filed an administrative complaint against data analytics company Cambridge Analytica, and filed settlements for public comment with Cambridge Analytica’s former chief executive and an app developer who worked with the company, alleging they employed deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting.
As part of a proposed settlement with the FTC, two of the defendants—app developer Aleksandr Kogan and former Cambridge Analytica CEO Alexander Nix—have agreed to administrative orders restricting how they conduct any business in the future, and requiring them to delete or destroy any personal information they collected. Cambridge Analytica has filed for bankruptcy and has not settled the FTC’s allegations.
The FTC alleges that Cambridge Analytica, Nix, and Kogan deceived consumers by falsely claiming they did not collect any personally identifiable information from Facebook users who were asked to answer survey questions and share some of their Facebook profile data. The FTC separately announced that Facebook will pay a record-breaking $5 billion penalty and submit to new restrictions that will hold the company accountable for the decisions it makes about its users’ privacy as part of a settlement resolving allegations that the company violated a 2012 FTC privacy order.
Kogan is the developer of a Facebook application called the GSRApp—sometimes referred to as the “thisisyourdigitallife” app. The GSRApp asked its users to answer personality and other questions, and collected information such as the “likes” of public Facebook pages by the app’s users and by the “friends” in their social network. During the summer of 2014, the FTC alleges, Kogan, together with Cambridge Analytica and Nix, developed, used, and analyzed data obtained from the GSRApp. The information was used to train an algorithm that then generated personality scores for the app users and their Facebook friends. Cambridge Analytica, Kogan, and Nix then matched these personality scores with U.S. voter records. The company used these matched personality scores for its voter profiling and targeted advertising services.
For this project, Kogan was able to re-purpose an existing app he had on the Facebook platform, which allowed the app to harvest Facebook data from app users and their Facebook friends. In April 2014, Facebook announced it would no longer allow app developers to access data from an app user’s Facebook friends. Facebook, however, allowed developers with existing apps on the Facebook platform to access this data for another year. The FTC alleges that the GSRApp was able to take advantage of this access to collect Facebook profile data from 250,000 to 270,000 users of the GSRApp located in the United States, as well as 50 million to 65 million of those users’ Facebook friends, including at least 30 million identifiable U.S. consumers.
The app users were paid a nominal fee to take the GSRApp survey. Almost half of the app users, however, originally refused to provide their Facebook profile information. To address this issue, the GSRApp began telling app users that it would not “download your name or any other identifiable information—we are interested in your demographics and likes.”
The FTC alleges, however, that this was false, and that the GSRApp in fact collected users’ Facebook User ID, which connects individuals to their Facebook profiles, as well as other personal information such as their gender, birthdate, location, and their Facebook friends list.
In addition, the FTC alleges that Cambridge Analytica falsely claimed until at least November 2018 that it was a participant in the EU-U.S. Privacy Shield framework, even though the company allowed its certification to lapse in May 2018. The Privacy Shield establishes a process to allow companies to transfer consumer data from European Union countries to the United States in compliance with EU law. The FTC also alleges that the company failed to adhere to the Privacy Shield requirement that companies that cease participation in the Privacy Shield affirm to the Department of Commerce, which maintains the list of Privacy Shield participants, that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.
As part of the proposed settlement with the FTC, Kogan and Nix are prohibited from making false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information. In addition, they are required to delete or destroy any personal information collected from consumers via the GSRApp and any related work product that originated from the data.
The Commission vote to issue the proposed administrative complaint against Cambridge Analytica, and to accept the proposed consent agreements with Kogan and Nix, was 5-0. The FTC will publish a description of the consent agreement packages in the Federal Register soon. The agreements will be subject to public comment for 30 days after publication in the Federal Register after which the Commission will decide whether to make the proposed consent orders final. Once processed, comments will be posted on Regulations.gov.
The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $42,530.
The FTC acknowledges the cooperation of the United Kingdom’s Information Commissioner’s Office. To facilitate international cooperation in this case, the FTC relied on key provisions of the U.S. SAFE WEB Act, which allows the FTC to share information with foreign counterparts to combat deceptive and unfair practices.