Synopsis: On December 6, 2019, the Federal Trade Commission issued a unanimous ruling against political data firm Cambridge Analytica for violating Section 5 of the FTC Act by misrepresenting that it would not download personally identifiable information when it in fact harvested this information from over 50 million Facebook users. Specifically, Cambridge Analytica represented that it would not download Facebook users’ name or any other identifiable information. To the contrary, its app collected a bevy of personally identifiable information, notably including Facebook User IDs, in creating voter profiles and targeted advertising leading up to the 2016 US Presidential election. The FTC also found that Cambridge Analytica made false or misleading representations that it still participated in the EU-US Privacy Shield Framework, an agreement designed to protect personal data transferred from the EU to the United States. The FTC imposed a 20-year injunction which, among other things, required that Cambridge Analytica delete or destroy the Facebook data it deceptively obtained and any information or work product, including any resultant algorithms or equations. While Cambridge Analytica is now in bankruptcy, this injunction also restrains its successors, assigns, officers, agents, employees, and attorneys, and all other persons in active concert or participation with any of them, from disclosing, using, selling or receiving any benefit from the information collected about the individual consumers. The FTC further ordered, among other things, that none of these affiliates of Cambridge Analytica shall possess or control personal information from an EU resident without complying with the EU-US Privacy Shield framework principles.

Background

Cambridge Analytica obtained Facebook data in 2014, which it used to develop methods that allegedly could identify personality traits of American voters and influence their behavior through targeted advertising. Cambridge Analytica obtained this data by paying Facebook users small sums to take a survey and download an app, which harvested private information from their profiles and their Facebook friends’ profiles. An outside researcher then used the survey responses and public Facebook page “likes” harvested from users and their friends to populate and train an algorithm that predicted users’ personality traits.

To gain access to the users’ data, Cambridge Analytica misrepresented to users the collection of data as follows: “In this part, we would like to download some of your Facebook data using our Facebook app. We want you to know that we will NOT download your name or any other identifiable information—we are interested in your demographics and likes.” Cambridge Analytica only included this representation after finding that half of the survey participants initially refused to grant the app permission to collect their profile data. Contrary to this representation, the app collected the Facebook User ID of these users, which is a unique identifier that connects individuals to their profiles. The app also harvested additional profile data, such as users’ gender, birthdate, location, friends list, and Facebook page “likes.” Cambridge Analytica ultimately harvested profile data from approximately 250,000 to 270,000 app users located in the United States and approximately 50 to 65 million friends of these users, without the users’ knowledge or informed consent.

In the wake of this scandal, the FTC imposed a $5 billion penalty on Facebook on July 24, 2019, and required it to, among other things, submit to new compliance restrictions and greater accountability at the board of directors level by establishing an independent privacy committee. That same day, the FTC filed a Complaint against Cambridge Analytica and simultaneously filed proposed settlements with its former chief executive Alexander Nix and app developer Aleksandr Kogan, which have since then been approved. Those settlements included restricting how Nix and Kogan conduct business in the future and requiring them to delete or destroy any personal information they collected. Cambridge Analytica filed for bankruptcy prior to the issuance of the Complaint. The Complaint alleged that Cambridge Analytica, Nix and Kogan deceived consumers by falsely claiming they did not collect personally identifiable information from Facebook users and by falsely claiming the Company still participated in the EU-US Privacy Shield Framework and that it adhered to Privacy Shield principles.

Takeaways

The FTC Act’s prohibition on deceptive acts or practices includes misrepresentations with respect to how companies handle consumers’ personal information. The FTC in its Opinion explained that an act or practice will be found to be deceptive if “(1) there is a representation, omission or practice, (2) that is likely to mislead consumers acting reasonably under the circumstances, and (3) the representation, omission, or practice is material.” Through a three-step inquiry, the FTC determines “(1) what claims are conveyed [to consumers]; (2) whether those claims are false, misleading or unsubstantiated; and (3) whether the claims are material.” Claims are considered material if they involve “information that is important to consumers and, hence, likely to affect their choice of, or conduct regarding a product.” Express claims, including both explicit statements made in a claim and necessary implications derived from the statements, are presumptively material.

Here, the FTC pointed to the express claims that personally identifiable information would not be downloaded and the EU-US Privacy Shield framework principles would be followed. The FTC also pointed to other evidence of materiality, including that Cambridge Analytica only included the statement regarding not downloading identifiable information in its request to collect data from survey participants after half of the participants had refused to grant access to data absent that assurance. The FTC, therefore, inferred that the assurance provided by that statement likely affected the choices and changed the decisions of a substantial number of users.

With respect to the Privacy Shield misrepresentation, this case is one of several that the FTC has brought or settled in recent months against companies for deceiving consumers over their participation in the Privacy Shield. This case is yet another reminder that companies must ensure that any representations they make to consumers about participation in the Privacy Shield or any other privacy regimen are accurate and up-to-date.

The FTC took a broad view of what is personally identifiable information in finding that Cambridge Analytica’s statement that it would not download names or other identifiable information was false and misleading. In addition to users’ Facebook ID, the FTC viewed the covered information to include any persistent identifier, such as a customer’s number held in a “cookie,” a mobile device ID, or processor serial number or information collected from data fields through Facebook about users’ “likes,” “hometowns,” “birthdates,” “photos,” “gender,” “educational information,” “religious or political views,” or “marital” or other “relationship” status and any data regarding a consumer’s activities online (e.g., searches conducted, web pages visited, or content viewed).

While the Opinion itself focused principally on the express deceptive claim that Cambridge Analytica would not download users’ names or other identifiable information, it also noted that Cambridge Analytica then went on to use the data it surreptitiously collected. Perhaps because the non-use of that data would flow as a necessary implication of the claim that no users’ identifiable information would be downloaded, the FTC did not address the undisclosed use of the data as a separate deceptive act, even though the use of that data in voter targeting is what seemed to have stoked public ire when news of the scandal broke in 2018.

For a copy of the Opinion, click here. For a copy of the Final Order, click here.