Facebook may have broken state and federal law in Cambridge Analytica data share

Feds and state AGs are looking hard at whether Facebook violated its pact with users.
March 20, 2018, 4:26pm

The Federal Trade Commission and several state attorneys general have begun probing whether Facebook violated any federal regulations or state privacy laws in its dealings with the campaign consultant group Cambridge Analytica, which Donald Trump’s presidential campaign paid $5.9 million during the 2016 race.

Facebook faces potential legal consequences and fines on multiple fronts for allowing Cambridge Analytica to get access to 50 million users’ data that had originally been gathered by an academic for research, and then failing to notify users after Facebook discovered the data had been sold off to the political group.


All of these issues will determine the extent of the fines and of Facebook’s liability, which is not clear-cut. We don’t yet know all the facts about what users knew about their data being shared, and the federal government’s lag in regulating these new technologies has produced a confusing web of state laws and federal agency rules.

2011 Consent Decree

The Federal Trade Commission, charged with protecting consumers, has sent the social media giant a list of questions that will likely try to discover whether Facebook’s data sharing with Cambridge Analytica violated a 2011 consent decree between the FTC and Facebook. The order prevents the company from sharing its user data outside of a user’s specific privacy settings without consent, prohibits Facebook from making deceptive statements — including statements related to third-party data sharing — and requires Facebook to report all the facts about compliance with the order to the FTC.

Former deputy director for the Federal Trade Commission’s Bureau of Consumer Protection and privacy program Jessica Rich, who worked on the order, said Facebook seems to have shared data without the necessary consent and may have made deceptive statements, both violations of the order.

“I think one factual inquiry that may be very significant is what happened in 2015 when Facebook learned that Cambridge Analytica was not complying with its policies?” Rich said. “It appears from the reporting that Facebook really just gave them a slap on the wrist and asked them to self-certify they would do better in the future.”

The FTC will consider whether Facebook acted reasonably to protect consumer data based on the policies the company had in place at the time and the potential harm the data sharing caused consumers. In 2014, when Kogan began to extract data through the app, Facebook allowed third parties to collect not only the data of people who consented, but their friends’ data too. The company got rid of that functionality in 2015.

If the FTC believes Facebook violated its own terms of service or generally misled consumers, that could be considered an unfair business practice and grounds for FTC action.


Rich estimates that the FTC will determine if Facebook violated the order or if it will bring a new action against the company within one year. The FTC can penalize Facebook up to $16,000 for each violation of the order, and if all 50 million data shares were unlawful, that could be a very big tab for the company. The FTC could also bring a new action against Facebook under the FTC Act for any unfair business practices, which could result in a new consent decree, but no financial penalties.

Web of privacy laws

In addition to federal law, each state has its own laws that govern privacy and consumer protection. Facebook may have violated state laws as well.

“State attorneys general will probably be looking at this case under state data security and breach notification laws and under state laws that prohibit unfair and deceptive practices by companies,” said Laura Moy, Deputy Director of the Georgetown Law Center on Privacy and Technology.

Massachusetts Attorney General Maura Healey was the first to announce that the state would investigate the Facebook-Cambridge Analytica data share for possible violations. A spokesperson told VICE News that Healey’s office had been in touch with Facebook in order to determine if Massachusetts can bring legal action on behalf of its residents. Connecticut Attorney General George Jepsen also issued a written inquiry to Facebook to answer questions about the matter, and Pennsylvania’s Attorney General Josh Shapiro told NPR that his office is reviewing the matter.

“Wild Wild West”

Facebook may have an even bigger problem than states or the FTC. The recent reports have made members of Congress reconsider whether the federal government should pass legislation governing personal data and what tech companies are allowed to do with it.

Republican Sen. John Kennedy of Louisiana and Democratic Sen. Amy Klobuchar of Minnesota asked the Judiciary Committee Chairman Chuck Grassley on Monday to convene a hearing with the CEOs of major tech companies, including Facebook, Google, and Twitter. That would include Mark Zuckerberg, as the senators specifically cited the Cambridge Analytica scandal.


“While Facebook has pledged to enforce its policies to protect people's information, questions remain as to whether those policies are sufficient and whether Congress should take action to protect people's private information,” the Senators wrote, an implicit threat of regulating the social media giant. Spokesperson George Hartmann said in a statement that Sen. Grassley was considering the matter but that no decision had been made.

Facebook is taking the matter so seriously that it has reportedly agreed to begin briefing lawmakers as soon as this week.

The federal government has largely kept a hands-off approach with internet companies, crowing about how they were evidence of American innovation and also struggling to understand potential consequences of these unprecedented products.

“This incident really shows that the collection of detailed data from consumers and making it accessible to all sorts of third parties is really a wild wild west and consumers really do need more protection in these large platforms,” Rich said.

Even some people in tech now believe that more regulation is inevitable and perhaps for the better. Aaron Levie, the CEO of the cloud platform company Box, tweeted over the weekend with a link to the Facebook-Cambridge Analytica story: “Welp. Tech is definitely about to get regulated. And probably for the best.”
