February 22, 2020

February 21, 2020

February 20, 2020

The Case that Sparked the CCPA Gets an FTC Final Order

Recently, the U.S. Federal Trade Commission issued an important opinion, concluding that Cambridge Analytica, LLC, the data analytics and consulting company, engaged in “deceptive practices to harvest personal information” of tens of millions of social media users by using their data from a company-developed app, GSRapp, for voter profiling purposes without the users’ knowledge or consent. In addition, the FTC found that Cambridge Analytica engaged in deceptive practices connected to its participation in the EU-US Privacy Shield (“Privacy Shield”) framework.

In particular, the FTC opinion highlighted that Cambridge Analytica and its then-CEO and GSRapp app developer deceived consumers by falsely telling app users that it would not collect users’ names or other identifiable information, but then collected User IDs, which allowed Cambridge Analytica access to users’ social media profiles containing identifiable information.

Regarding Cambridge Analytica’s deceptive Privacy Shield practices, the FTC concluded that Cambridge Analytica continued to claim participation in the Privacy Shield framework after allowing its certification to lapse. Moreover, the company failed to adhere to the Privacy Shield requirement that, after ceasing participation in the framework, a company must affirm to the Department of Commerce that it will continue to apply Privacy Shield protections to personal information collected during the time period the company participated in the framework.

The FTC’s Final Order prohibits Cambridge Analytica from making false representations regarding the extent to which it protects the privacy and confidentiality of personal information, and regarding its participation in the Privacy Shield framework as well as other similar regulatory or standard-setting organizations. Further, the company must continue to apply Privacy Shield framework protection to all personal information collected during the time period the company participated in the program, or alternatively delete or return the information. Finally, Cambridge Analytica must delete all personal information collected by the GSRapp.

The FTC’s opinion and order against Cambridge Analytica are of particular relevance, as the newly effective California Consumer Privacy Act (CCPA) was a direct response to Cambridge Analytica’s deceptive practices towards user personal information, as well as other similar incidents of late. The CCPA creates extensive obligations for companies that handle consumer personal information, and provides consumers with enhanced control over their data, with the aim of preventing deceptive activity such as that of Cambridge Analytica. Key relevant CCPA provisions include:

Notice Obligations

  • A business that collects a consumer’s personal information must inform consumers, at or before the point of collection, as to the categories of personal information to be collected and the purposes for which the categories of personal information will be used. This does not include specific pieces of personal information.

  • A business must disclose certain information in an online privacy policy or on an internet website, as applicable. This information includes, without limitation, an explanation of the rights consumers have under the CCPA and certain information about the categories of personal information it collected, disclosed, or sold, as applicable. These disclosures must be updated every 12 months.

Consumer Rights

  • A consumer’s right to request information regarding the categories of personal information collected on them, the sources of that information (such as from an online survey or user profile as in the case of Cambridge Analytica), the categories of personal information used for business purposes or sold to third parties, and the “specific pieces” of information collected.

  • A consumer’s right to request that a business delete personal information collected about them.

The CCPA is here (effective since January 1) and the development of a meaningful data protection program has never been more important.

Jackson Lewis P.C. © 2020

About this Author

Jason C. Gavejian, Employment Attorney, Jackson Lewis, Principal, Restrictive Covenants Lawyer
Principal

Jason C. Gavejian is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. and a Certified Information Privacy Professional (CIPP/US) with the International Association of Privacy Professionals.

Mr. Gavejian represents management exclusively in all aspects of employment litigation, including restrictive covenants, class-actions, harassment, retaliation, discrimination and wage and hour claims in both federal and state courts. Additionally, Mr. Gavejian regularly appears before administrative agencies,...

(973) 538-6890
Principal

Joseph J. Lazzarotti is a Principal in the Morristown, New Jersey, office of Jackson Lewis P.C. He founded and currently helps to co-lead the firm's Privacy, e-Communication and Data Security Practice, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals.

In short, his practice focuses on the matrix of laws governing the privacy, security and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to health and welfare plans, and is a member of the firm's Health Care Reform Team.

973-538-6890
Attorney

Maya Atrakchi is the Knowledge Management (“KM”) Attorney for Jackson Lewis P.C.’s Privacy, e-Communication and Data Security and International Employment Issues Practice Groups, and is based in the New York City, New York, office of Jackson Lewis P.C.

212-545-4000