There are foundational consumer protection principles that bear repeating whenever the opportunity arises. The FTC’s just-announced decision in the Cambridge Analytica case offers just such an opportunity.
You’ll want to read the complaint to get the full picture, but here are some salient facts. In late 2013 or early 2014, Cambridge Analytica – which described itself as a “data-science consultancy and marketing agency” – learned of research suggesting that people’s Facebook profile data could be used to predict their personality traits. Cambridge Analytica wanted that information for voter profiling, microtargeting, and other services it offered to U.S. political campaigns and marketing clients.
How could Cambridge Analytica access that data? That’s where Facebook’s Graph API became relevant. (An API – application programming interface – is a set of protocols and tools for building apps.) Version 1 of Facebook’s Graph API collected vast quantities of profile information from users who directly installed or interacted with a particular app. It also harvested that data from their Facebook friends – people who had no interaction whatsoever with the app. In 2014, Facebook introduced Version 2, which didn’t allow developers to collect profile data from app users’ friends. But Facebook grandfathered existing apps to allow them to continue surreptitious data collection for a longer period. (That practice was one part of the FTC’s $5 billion order enforcement action against Facebook.)
Facebook’s policy made an app that ran Version 1 very attractive to Cambridge Analytica. The company went into business with developer Aleksandr Kogan, who had a Version 1 app registered on the Facebook platform that could be repurposed to collect the profile data Cambridge Analytica wanted. But once Cambridge Analytica starting using the app, the FTC alleged the company didn’t tell consumers the truth about the information it collected. According to the complaint, app users were told:
. . . [W]e would like to download some of your Facebook data using our Facebook app. We want you to know that we will NOT download your name or any other identifiable information – we are interested in your demographics and likes.
That, alleged the FTC, was flat-out false because the app collected, among other information, Facebook IDs from at least 250,000 Facebook users who directly interacted with the app – and the Facebook ID could be used to identify the user. The app also collected Facebook IDs, names, and other information from between 50 million and 65 million of those users’ Facebook friends.
Cambridge Analytica also claimed to participate in the EU-U.S. Privacy Shield Framework and to adhere to Privacy Shield principles, two additional claims the FTC says were false or deceptive.
Cambridge Analytica CEO Alexander Nix and app developer Aleksandr Kogan signed proposed settlements with the FTC, but the case against Cambridge Analytica continued. The company, which declared bankruptcy in May 2018, failed to file an answer, and under FTC rules, that’s a waiver of its right to contest the charges in the complaint. Therefore, the Commission issued a decision finding that Cambridge Analytica violated Section 5 of the FTC Act and imposed an injunction requiring, among other things, that Cambridge Analytica delete the Facebook data it deceptively obtained, along with all associated work product. The order also requires that the company comply with its continuing obligations under the EU-U.S. Privacy Shield Framework.
Here is the foundational consumer protection principle emphasized in that decision: The FTC Act’s prohibition on unfair or deceptive practices includes misrepresentations related to how companies handle consumers’ personal information. The Commission held that Cambridge Analytica’s promise to app users that it wouldn’t download their names or any other identifiable information was false and misleading. Furthermore, it “was an express claim, and as such is presumptively material.” Therefore, there was no need for the Commission to “inquire separately into how these claims would be interpreted by reasonable consumers.” The Commission reached similar conclusions regarding Cambridge Analytica’s false and misleading representations about participating in the EU-U.S. Privacy Shield Framework and adhering to its principles.
If your company makes claims about how you use consumers’ information, remember that those promises – like any other objective representation – must be truthful and supported by appropriate substantiation.