The Federal Trade Commission has announced the filing of an administrative complaint against data analytics company Cambridge Analytica, and filed settlements for public comment with Cambridge Analytica’s former chief executive and an app developer who worked with the company, alleging they employed deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting.

As part of a proposed settlement with the FTC, the former CEO and an app developer have agreed to administrative orders.  Cambridge Analytica has filed for bankruptcy and has not settled the FTC’s allegations.

FTC CID attorneys allege that Cambridge Analytica and the two individuals deceived consumers by falsely claiming they did not collect any personally identifiable information from Facebook users who were asked to answer survey questions and share some of their Facebook profile data.  FTC attorneys separately announced that Facebook will pay a record-breaking $5 billion penalty and submit to new restrictions that will hold the company accountable for the decisions it makes about its users’ privacy as part of a settlement resolving allegations that the company violated a 2012 FTC privacy order.

One of the defendants is the developer of a Facebook application called the GSRApp - sometimes referred to as the “thisisyourdigitallife” app.  The GSRApp asked its users to answer personality and other questions, and collected information such as the “likes” of public Facebook pages by the app’s users and by the “friends” in their social network.

During the summer of 2014, the FTC alleges that the app developer, together with Cambridge Analytica and the company’s former CEO, developed, used and analyzed data obtained from the GSRApp.  The information was used to train an algorithm that then generated personality scores for the app users and their Facebook friends.  Cambridge Analytica, the former CEO and the app developer then allegedly matched these personality scores with U.S. voter records.  The company allegedly used these matched personality scores for its voter profiling and targeted advertising services.

According to the FTC, the app developer was able to re-purpose an existing app he had on the Facebook platform, which allowed the app to harvest Facebook data from app users and their Facebook friends.

In April 2014, Facebook announced it would no longer allow app developers to access data from an app user’s Facebook friends.  Facebook, however, allowed developers with existing apps on the Facebook platform to access this data for another year.

The FTC alleges that the GSRApp was able to take advantage of this access to collect Facebook profile data from 250,000 to 270,000 users of the GSRApp located in the United States, as well as 50 million to 65 million of those users’ Facebook friends, including at least 30 million identifiable U.S. consumers.

The app users were paid a nominal fee to take the GSRApp survey.

Almost half of the app users, however, originally refused to provide their Facebook profile information. According to FTC attorneys, to address this issue, the GSRApp began telling app users that it would not “download your name or any other identifiable information - we are interested in your demographics and likes.”

The FTC alleges, however, that this was false, and that the GSRApp in fact collected users’ Facebook User ID, which connects individuals to their Facebook profiles, as well as other personal information such as their gender, birthdate, location, and their Facebook friends list.

The FTC also alleges that Cambridge Analytica falsely claimed until at least November 2018 that it was a participant in the EU-U.S. Privacy Shield framework, even though the company allowed its certification to lapse in May 2018.  The FTC also alleges that the company failed to adhere to the Privacy Shield requirement that companies that cease participation in the Privacy Shield affirm to the Department of Commerce, which maintains the list of Privacy Shield participants, that they will continue to apply the Privacy Shield protections to personal information collected while participating in the program.

As part of the proposed settlement with the FTC, the former CEO and the app developer are prohibited from making false or deceptive statements regarding the extent to which they collect, use, share or sell personal information, as well as the purposes for which they collect, use, share or sell such information. In addition, they are required to delete or destroy any personal information collected from consumers via the GSRApp and any related work product that originated from the data.

The FTC will publish a description of the consent agreement packages in the Federal Register shortly.  The agency has acknowledged the cooperation of the United Kingdom’s Information Commissioner’s Office.   To facilitate international cooperation in this case, the FTC relied on key provisions of the U.S. SAFE WEB Act, which allows the FTC to share information with foreign counterparts to combat deceptive and unfair practices.