Recently, the U.S. Federal Trade Commission issued an important opinion, concluding that Cambridge Analytica, LLC, the data analytics and consulting company, engaged in “deceptive practices to harvest personal information” of tens of millions social media users, by way of using their data from a company developed app, GSRapp, for voter profiling purposes without the users’ knowledge or consent. In addition, the FTC found that Cambridge Analytica engaged in deceptive practices connected to their EU-US Privacy Shield (“Privacy Shield”) framework participation.
In particular the FTC opinion highlighted that Cambridge Analytica and its then CEO and GSRapp app developer deceived consumers, by falsely telling app users that it would not collect users’ names or other identifiable information, but then collected User IDs which allowed Cambridge Analytica access to users’ social media profiles containing identifiable information.
Regarding Cambridge Analytica’s deceptive Privacy Shield practices, the FTC concluded that Cambridge Analytica continued to claim participation in the Privacy Shield framework, after allowing its certification to pass. Moreover, the company failed to adhere to the Privacy Shield requirement that after ceasing participation in the framework, a company must affirm to the Department of Commerce that the company will continue to apply Privacy Shield protections to personal information that was collected during the time period the company participated in the framework.
The FTC’s Final Order prohibits Cambridge Analytica from making false representations regarding the extent to which it protects the privacy and confidentiality of personal information, and its participation in the Privacy Shield framework as well as other other similar regulatory or standard-setting organizations. Further, the company must continue to apply Privacy Shield framework protection to all personal information collected during the time period the company participated in the program, or alternatively delete or return the information. Finally, Cambridge Analytica must delete all personal information collected by the GSRapp.
The FTC’s opinion and order against Cambridge Analytica is particularly of relevance, as the newly effective California Consumer Privacy Act was a direct response to Cambridge Analytica’s deceptive practices towards user personal information, as well as other similar incidents of late. The CCPA creates extensive obligations for companies that handle consumer personal information, and provides consumers with enhanced control over their data, with the aim of preventing deceptive activity such as that of Cambridge Analytica. Key relevant CCPA provisions include:
- A business that collects a consumer’s personal information must inform consumers, at or before the point of collection, as to the categories of personal information to be collected and the purposes for which the categories of personal information will be used. This does not include specific pieces of personal information.
- A consumer’s right to request information regarding the categories of personal information collected on them, the sources of that information (such as from an online survey or user profile as in the case of Cambridge Analytica), the categories of personal information used for business purposes or sold to third parties, and the “specific pieces” of information collected.
- A consumer’s right to request that a business deletes personal information collected about them.
The CCPA is here (effective since January 1) and the development of a meaningful data protection program has never been more important. Jackson Lewis has established a CCPA Team that is available to answer questions regarding the CCPA and assist covered businesses in their compliance efforts.