
There are foundational consumer protection principles that bear repeating whenever the opportunity arises. The FTC’s just-announced decision in the Cambridge Analytica case offers just such an opportunity.

You’ll want to read the complaint to get the full picture, but here are some salient facts. In late 2013 or early 2014, Cambridge Analytica – which described itself as a “data-science consultancy and marketing agency” – learned of research suggesting that people’s Facebook profile data could be used to predict their personality traits. Cambridge Analytica wanted that information for voter profiling, microtargeting, and other services it offered to U.S. political campaigns and marketing clients.

How could Cambridge Analytica access that data? That’s where Facebook’s Graph API became relevant. (An API – application programming interface – is a set of protocols and tools for building apps.) Version 1 of Facebook’s Graph API collected vast quantities of profile information from users who directly installed or interacted with a particular app. It also harvested that data from their Facebook friends – people who had no interaction whatsoever with the app. In 2014, Facebook introduced Version 2, which didn’t allow developers to collect profile data from app users’ friends. But Facebook grandfathered existing apps to allow them to continue surreptitious data collection for a longer period. (That practice was one part of the FTC’s $5 billion order enforcement action against Facebook.)

Facebook’s policy made an app that ran Version 1 very attractive to Cambridge Analytica. The company went into business with developer Aleksandr Kogan, who had a Version 1 app registered on the Facebook platform that could be repurposed to collect the profile data Cambridge Analytica wanted. But once Cambridge Analytica started using the app, the FTC alleged the company didn’t tell consumers the truth about the information it collected. According to the complaint, app users were told:

. . . [W]e would like to download some of your Facebook data using our Facebook app. We want you to know that we will NOT download your name or any other identifiable information – we are interested in your demographics and likes.

That, alleged the FTC, was flat-out false because the app collected, among other information, Facebook IDs from at least 250,000 Facebook users who directly interacted with the app – and the Facebook ID could be used to identify the user. The app also collected Facebook IDs, names, and other information from between 50 million and 65 million of those users’ Facebook friends.

Cambridge Analytica also claimed to participate in the EU-U.S. Privacy Shield Framework and to adhere to Privacy Shield principles, two additional claims the FTC says were false or deceptive.

Cambridge Analytica CEO Alexander Nix and app developer Aleksandr Kogan signed proposed settlements with the FTC, but the case against Cambridge Analytica continued. The company, which declared bankruptcy in May 2018, failed to file an answer, and under FTC rules, that’s a waiver of its right to contest the charges in the complaint. Therefore, the Commission issued a decision finding that Cambridge Analytica violated Section 5 of the FTC Act and imposed an injunction requiring, among other things, that Cambridge Analytica delete the Facebook data it deceptively obtained, along with all associated work product. The order also requires that the company comply with its continuing obligations under the EU-U.S. Privacy Shield Framework.

Here is the foundational consumer protection principle emphasized in that decision: The FTC Act’s prohibition on unfair or deceptive practices includes misrepresentations related to how companies handle consumers’ personal information. The Commission held that Cambridge Analytica’s promise to app users that it wouldn’t download their names or any other identifiable information was false and misleading. Furthermore, it “was an express claim, and as such is presumptively material.” Therefore, there was no need for the Commission to “inquire separately into how these claims would be interpreted by reasonable consumers.” The Commission reached similar conclusions regarding Cambridge Analytica’s false and misleading representations about participating in the EU-U.S. Privacy Shield Framework and adhering to its principles.

If your company makes claims about how you use consumers’ information, remember that those promises – like any other objective representation – must be truthful and supported by appropriate substantiation.

