Privacy & Information Security Law Blog

On December 6, 2019, the Federal Trade Commission announced its Final Order and Opinion in the matter of Cambridge Analytica, LLC, finding that Cambridge Analytica violated the FTC Act’s Section 5 prohibition against “unfair or deceptive acts or practices” when harvesting personal information through its “GSRApp” Facebook application.

The FTC had alleged, in a July 2019 administrative Complaint, that Cambridge Analytica engaged in three counts of deceptive acts and practices to harvest personal information in connection with political and commercial advertising. The Commission alleged Cambridge Analytica had deceptively claimed that:

• its app did not collect any personally identifiable information from users who authorized the app;
• it was a participant in the EU-U.S. Privacy Shield; and
• it adhered to Privacy Shield principles.

Cambridge Analytica had filed for bankruptcy in May 2018 and failed to file a timely answer to the July 2019 Complaint, thereby waiving its right to appear and contest the allegations under the FTC’s Rules of Practice. As outlined in the FTC’s Opinion, those Rules authorized the Commission to find the facts to be as alleged in the complaint and enter a final decision and order disposing of the proceeding.

The Commission granted the Motion for Summary Decision on all three counts, finding:

• Cambridge Analytica’s representations to app users that it would not download their name or any other identifiable information were false and misleading where the GSRApp collected participating users’ personally identifiable information, including their Facebook user IDs;
• Cambridge Analytica’s continued representation that it was participating in the Privacy Shield from May to November 2018, when it had, in fact, allowed its Privacy Shield certification to lapse, was false and misleading; and
• Cambridge Analytica’s representation that it was compliant with Privacy Shield principles was false and misleading because it had failed to make required affirmations of commitment to apply Privacy Shield principles to the U.S. Department of Commerce.

Under the relevant terms of the Final Order, Cambridge Analytica is prohibited from misrepresenting the extent to which it protects the privacy and confidentiality of covered information and its participation in privacy or security programs. Cambridge Analytica is further required to meet continuing obligations under the Privacy Shield; delete all covered information collected from consumers through the GSRApp and any work product originating therefrom, including equations and algorithms; identify with whom it shared any covered information collected from consumers through the GSRApp and information originating therefrom; protect covered information; and make available to the FTC all correspondence, financial data, and any other documents, computer equipment and electronically stored information that contain information about Cambridge Analytica’s role and assets.

The Commission voted unanimously (5-0) to issue the Opinion and Final Order.