FTC Issues Opinion and Order Against Cambridge Analytica

On Dec. 6, the Federal Trade Commission (FTC) issued a unanimous opinion finding that political consulting firm Cambridge Analytica violated Section 5 of the Federal Trade Commission Act (FTC Act) by engaging in deceptive practices to harvest personal information from tens of millions of Facebook users through a Facebook application called the GSRApp.

According to the opinion, the GSRApp allowed Cambridge Analytica to obtain personal information from approximately 250,000–270,000 Facebook users who directly interacted with the app, as well as from an additional 50 to 65 million “friends” of those app users.

To obtain the app users’ consent, Cambridge Analytica falsely represented that the GSRApp did not collect any personally identifiable information. However, Cambridge Analytica proceeded to use the personally-identifiable information collected for “voter profiling and targeted advertising purposes.”

The FTC also found that Cambridge Analytica violated the EU-U.S. Privacy Shield – a pact between the European Union and United States allowing companies to legally transfer data from the EU to the U.S. – by falsely claiming that it was a participant in the Privacy Shield despite allowing its certification to lapse.

Moreover, Cambridge Analytica failed to affirm that it would continue to apply Privacy Shield benefits to all personal information received while participating in the Privacy Shield program for as long as it retains such information.

Ultimately, the FTC concluded that Cambridge Analytica engaged in false and material, and hence deceptive, practices to harvest personal information by:

• Representing to app users that it would not collect their identifiable information on the GSRApp;
• Representing that it remained a participant in the Privacy Shield after its certification had lapsed; and
• Representing that it complied with Privacy Shield principles despite its failure to affirm such compliance.

The order requires Cambridge Analytics to cease its deceptive acts and practices in compliance with the following:

• First, Cambridge Analytics is prohibited from participating in the Privacy Shield and from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information.
• Second, Cambridge Analytica must continue to apply Privacy Shield protections to all personal information collected while participating in the program or return or delete the information.
• Finally, Cambridge Analytica is required to delete all personal information that it collected through the GSRApp.

David M. Stauss is a partner at Husch Blackwell LLP and co-leader of the firm’s privacy and data security practice group. David assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications. He also counsels clients on complying with existing and emerging privacy and information security laws. He can be reached at [email protected].

Megan E. Herr is an attorney in Husch Blackwell LLP's Denver office and assists clients on emerging data privacy issues. She can be reached at [email protected].