Cambridge Analytica harvested personal information from tens of millions of Facebook users
Megan Herr //December 20, 2019//
Cambridge Analytica harvested personal information from tens of millions of Facebook users
Megan Herr //December 20, 2019//
On Dec. 6, the Federal Trade Commission (FTC) issued a unanimous opinion finding that political consulting firm Cambridge Analytica violated Section 5 of the Federal Trade Commission Act (FTC Act) by engaging in deceptive practices to harvest personal information from tens of millions of Facebook users through a Facebook application called the GSRApp.
According to the opinion, the GSRApp allowed Cambridge Analytica to obtain personal information from approximately 250,000–270,000 Facebook users who directly interacted with the app, as well as from an additional 50 to 65 million “friends” of those app users.
To obtain the app users’ consent, Cambridge Analytica falsely represented that the GSRApp did not collect any personally identifiable information. However, Cambridge Analytica proceeded to use the personally-identifiable information collected for “voter profiling and targeted advertising purposes.”
The FTC also found that Cambridge Analytica violated the EU-U.S. Privacy Shield – a pact between the European Union and United States allowing companies to legally transfer data from the EU to the U.S. – by falsely claiming that it was a participant in the Privacy Shield despite allowing its certification to lapse.
Moreover, Cambridge Analytica failed to affirm that it would continue to apply Privacy Shield benefits to all personal information received while participating in the Privacy Shield program for as long as it retains such information.
Ultimately, the FTC concluded that Cambridge Analytica engaged in false and material, and hence deceptive, practices to harvest personal information by:
The order requires Cambridge Analytics to cease its deceptive acts and practices in compliance with the following:
David M. Stauss is a partner at Husch Blackwell LLP and co-leader of the firm’s privacy and data security practice group. David assists clients in preparing for and responding to data security incidents, including managing multi-state breach notifications. He also counsels clients on complying with existing and emerging privacy and information security laws. He can be reached at [email protected].
Megan E. Herr is an attorney in Husch Blackwell LLP's Denver office and assists clients on emerging data privacy issues. She can be reached at [email protected].