Keypoint: The fallout from the 2018 Cambridge Analytica incident continues with the FTC’s issuance of this unanimous opinion and order.

On December 6, the Federal Trade Commission (“FTC”) issued a unanimous opinion (the “Opinion”) finding that political consulting firm Cambridge Analytica, LLC (“Cambridge Analytica”) violated Section 5 of the Federal Trade Commission Act (“FTC Act”) (15 U.S.C. § 45) by engaging in deceptive practices to harvest personal information from tens of millions of Facebook users through a Facebook application called the “GSRApp.”

According to the Opinion, the GSRApp allowed Cambridge Analytica to obtain personal information from approximately 250,000–270,000 Facebook users who directly interacted with the app (“App Users”), as well as from an additional 50–65 million “friends” of those App Users.

To obtain App Users’ consent, Cambridge Analytica falsely represented that the GSRApp did not collect any personally identifiable information. However, Cambridge Analytica proceeded to use the personally identifiable information collected for “voter profiling and targeted advertising purposes.”

The FTC also found that Cambridge Analytica violated the EU-U.S. Privacy Shield (the “Privacy Shield”) – a pact between the European Union and United States allowing companies to legally transfer data from the EU to the U.S. – by falsely claiming that it was a participant in the Privacy Shield despite allowing its certification to lapse.

Moreover, Cambridge Analytica failed to affirm that it would continue to apply Privacy Shield benefits to all personal information received while participating in the Privacy Shield program for as long as it retains such information.

Ultimately, the FTC concluded that Cambridge Analytica engaged in false and material, and hence deceptive, practices to harvest personal information by: (1) representing to App Users that it would not collect their identifiable information on the GSRApp; (2) representing that it remained a participant in the Privacy Shield after its certification had lapsed; and (3) representing that it was in compliance with Privacy Shield principles despite its failure to affirm such compliance.

The Order requires Cambridge Analytica to cease its deceptive acts and practices in compliance with the following:

  • First, Cambridge Analytica is prohibited from participating in the Privacy Shield and from making misrepresentations about the extent to which it protects the privacy and confidentiality of personal information.
  • Second, Cambridge Analytica must continue to apply Privacy Shield protections to all personal information collected while participating in the program or return or delete the information.
  • Finally, Cambridge Analytica is required to delete all personal information that it collected through the GSRApp.