Cambridge Analytica LLC was a U.S. consulting firm and marketing agency that became known for its involvement in the Facebook-Cambridge Analytica scandal relating to the 2016 U.S. elections. Although the company became insolvent and closed its U.S. operations in 2018, its impact on data collection and privacy issues continues. On December 6, 2019, the Federal Trade Commission (FTC), an independent U.S. agency whose role is to protect consumers and competition across broad sectors of the economy, issued an order finding Cambridge Analytica violated Section 5 of the FTC Act, 15 U.S.C. § 45 by making (a) false and deceptive representations to Facebook users to collect their personal data; and (b) false and deceptive statements regarding its participation in the European Union-United States Privacy Shield framework (Privacy Shield). The FTC Opinion is noteworthy because it applies Section 5 to harvesting personal information on social media and the Privacy Shield.
In March 2019, the FTC launched an investigation concerning Cambridge Analytica’s representations to tens of millions of Facebook users that their user names and other identifiable information were not being collected while, in reality, that information was being harvested for voter-profiling and targeted advertising. Cambridge Analytica harvested data without the users’ consent through GSRApp, an application developed by Aleksandr Kogan, an American data scientist and research associate at the University of Cambridge. The FTC filed an administrative complaint against Cambridge Analytica on July 24, 2019. Facebook ultimately settled a related case and agreed to pay a $5 billion penalty, which is the largest penalty ever imposed by the FTC for a violation of consumers’ privacy.
The Cambridge Analytica saga started in late 2013 when researchers at the Psychometrics Center of the University of Cambridge developed an algorithm that could predict an individual’s personality traits based on “likes” of public Facebook pages. For instance, when a person “liked” Facebook pages related to How to Lose a Guy in 10 Days, George W. Bush, and hip-hop, the algorithm used that specific combination of data points to predict certain personality traits, such as a conservative and conventional personality. The researchers asserted that their algorithm could predict an individual’s personality traits better than the person’s co-workers, friends, or family. Cambridge Analytica offered voter-profiling, micro-targeting, and other marketing services to U.S. political campaigns and other clients.
Cambridge Analytica collected (1) profile data from 250,000 to 270,000 Facebook users in the U.S.; and (2) “likes” and personal information from up to 65 million “friends” of those Facebook users (30 million of which were identifiable U.S. consumers). Cambridge Analytica ultimately used that data to perform targeted advertising related to the 2016 U.S. elections.
The FTC’s Opinion and Order
Section 5 of the FTC Act gives the FTC the power to prohibit, inter alia, “unfair or deceptive acts or practices in or affecting commerce.” While Section 5 does not per se provide the FTC authority to protect consumers’ privacy, Section 5 has been construed to allow the FTC to safeguard consumers whose privacy has been invaded through deceptive acts.
The FTC’s three-step inquiry to determine whether Cambridge Analytica’s representations were deceptive and violated Section 5 consisted of assessing (1) what claims were conveyed; (2) whether those claims were false, misleading or unsubstantiated; and (3) whether the claims were material. The FTC looked into Cambridge Analytica’s representations to Facebook users, such as “We want you to know that we will NOT download your name or any other identifiable information – we are interested in your demographics and likes,” and found them to be false. The FTC then found that Cambridge Analytica’s false representations to Facebook users that the company would not download names or other identifiable information were material because they “involve[d] information that is important to consumers and, hence, likely to affect their choice of, or conduct regarding, a product.” The FTC thus found that Cambridge Analytica violated Section 5.
To remedy Cambridge Analytica’s violation, the FTC (i) prohibited Cambridge Analytica from making misrepresentations regarding how it collects, uses, shares, or sells consumer information; (ii) ordered Cambridge Analytica to delete the Facebook data it obtained, along with all associated work product; and (iii) permanently enjoined Cambridge Analytica from disclosing, using, selling, or receiving any benefit from the information it collected.
The FTC also found Cambridge Analytica liable for deceptive acts and practices related to its participation in the Privacy Shield. The Privacy Shield is an agreement between the European Commission (EC) and the U.S. Department of Commerce that protects personal data transferred from the European Union to the United States and allows companies on both sides of the Atlantic to comply with the requirements of the 1995 European Union Directive on Data Protection. Every company participating in the Privacy Shield must self-certify to the Department of Commerce that it is in compliance with the Privacy Shield principles and requirements in line with the 1995 EU Directive standards, and companies must annually re-certify that they remain in compliance with those principles.
To date, the FTC has filed enforcement actions against 21 companies, including Cambridge Analytica, for failing to adhere to the requirements of the Privacy Shield. In the case of Cambridge Analytica, the FTC found that the company had represented to the public that it was participating in the Privacy Shield program and adhering to its principles, but it had failed to renew its certification after it had expired. As a result, the FTC prohibited the company from (i) making misrepresentations regarding the extent to which Cambridge Analytica participates in any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization; and (ii) possessing or controlling personal information from European Union residents that Cambridge Analytica received while participating in the Privacy Shield. The FTC also ordered the company to comply with its continuing obligations under the Privacy Shield by, among other things, applying Privacy Shield protections to the personal information it received, protecting such information by means authorized under EU law, or returning or deleting such personal information.
Cambridge Analytica is just one of many companies targeted by the FTC for non-compliance with the Privacy Shield. The FTC recently reached settlements with companies such as Click Labs Inc. and Incentive Service Inc., which falsely claimed to participate in the Privacy Shield, and Global Data Vault LLC and TDARX, Inc., which failed to renew their certifications for the program.
Companies should carefully read and update their privacy policies to make sure they honor their representations to consumers about how they collect, use, share, and sell consumer data. Furthermore, with regard to the Privacy Shield or similar programs, companies representing that they participate in such programs must make sure that they are properly registered and follow all program requirements. In the event a company decides to withdraw from the Privacy Shield, it should contemporaneously remove references to the program from its website, and set up mechanisms to appropriately protect, securely return, or delete information collected while participating in the program.