FTC announces Cambridge Analytica settlement
On the same day as its July 24 settlement with Facebook, the FTC also announced settlements with Cambridge Analytica (CA) as well as Alexander Nix, the CEO of CA, and Aleksandr Kogan, the individual who designed and operated the relevant mobile application.
Cambridge Analytica allegations and findings
The complaint against CA alleges three counts in violation of the FTC Act:
- that CA misrepresented its activities regarding the collection of personal information from Facebook users
- that CA made a deceptive claim regarding its participation in the US-EU Privacy Shield and
- that CA made a deceptive claim regarding its ongoing obligations pursuant to the Privacy Shield.
The FTC alleged that CA directly harvested data from approximately 260,000 Facebook users, and then harvested data from those users’ friends, so that CA was able to build profiles and predict users’ personality traits for approximately 30 million US residents (and approximately 60 million people worldwide) using an algorithm it had developed. CA then entered into a data sharing agreement with Kogan’s company, SCL Elections. At all times, CA represented that it was a participant in the Privacy Shield, which it joined in May 2017.
The FTC alleged that, contrary to CA’s claims, it did in fact collect personally identifiable information (including Facebook user ID, gender, birthdate, current city, friends list, and “likes” of public Facebook pages) from Facebook users who authorized the app. Additionally, it alleged that CA represented – without basis – that it was a participant in the Privacy Shield until at least November 27, 2018 (in fact, CA had let its Privacy Shield participation lapse after the first year). Finally, the FTC alleged that CA did not adhere to the Privacy Shield principles on an ongoing basis (a requirement of Privacy Shield participation), despite its continual representations to the contrary.
Nix and Kogan allegations and findings
The allegations against Nix and Kogan largely track the allegations against CA – primarily, that they made deceptive claims regarding the information they collected through users’ participation in their app. Specifically, the FTC cited the notice that CA provided to users asking them for authorization to collect data. It read:
In this part, we would like to download some of your Facebook data using our Facebook app. We want you to know that we will NOT download your name or any other identifiable information – we are interested in your demographics and likes.
In fact, the FTC alleged that in collecting the Facebook User ID, CA did in fact collect identifiable information, and as such, made a deceptive statement to those users.
CA, Nix, and Kogan orders
The orders for CA, Nix, and Kogan (collectively, the respondents) all track similarly. All orders are 20 years in duration. There are the following elements in common:
1. Prohibition against misrepresentation of data collection practices
The three settlements first require that the respondents must not misrepresent either the extent to or the purposes for which they collect, use, share, or sell identifiable information.
Most significantly in attempting to address the large-scale deceptive collection of personal data, the settlements require that the respondents provide to the FTC a list of all persons with whom CA shared its information, as well as requiring that the respondents delete this information from its own systems. The respondents must provide a written statement under the penalty of perjury confirming that these actions have been completed, and the FTC and data protection authorities with whom the FTC collaborates may follow up with downstream recipients of the information to request that those entities likewise delete the data.
The CA settlement prohibits CA from making any misrepresentations about its participation in any privacy or security programs. Furthermore, it requires CA to meet its obligations under the Privacy Shield, for as long as it possesses information subject to the Privacy Shield principle.
Perhaps most significantly, the order enjoins CA from “disclosing, using, selling, or receiving any benefit” from information collected as a part of this operation.
Finally, the order requires CA, via its Bankruptcy Trustee, to make available and provide access to nearly all of its records, including all correspondence, finance and tax records, computer equipment, and any other information in CA’s custody and control; and provide notice to the FTC if CA attempts to abandon any corporate books or records.
Nix and Kogan orders
Acknowledgment of order
The respondents must, for five years following the issuance of the order, provide a copy of the order to all directors, officers, and managers, and receive in return a signed copy of receipt.
Sections IV-VI of the Settlement require the respondents to maintain compliance with the order by providing – under penalties of perjury – such data as current or updated contact information, business activities, business organization structure, etc. It also requires the retention of records relating to accounting, personnel in receipt of the order, copies of consumer complaints, advertisements making representations subject to the order, other representations subject to the order, and all subpoenas and other communications with law enforcement.
In these very high-profile cases, the FTC alleged misrepresentations about how CA both collected and protected consumer information. Businesses should evaluate their disclosures to make sure they are accurate and transparent about how they are collecting data, what data specifically they are collecting, and the purposes for which they are collecting it.
Additionally, there has been increased chatter in privacy circles about the FTC sharpening its focus not only on companies, but on individuals as well. These cases are an indication that the FTC may be stepping up its pursuit of individual liability in addition to corporate liability. By doing so, the FTC may hope to increase its deterrence of Section 5 violations.
Learn more by contacting any of the authors or your usual DLA Piper lawyer.
You may also be interested in our related alert, "FTC unfriends Facebook."