In re Facebook - Cambridge Analytica


On March 16, 2018, Facebook admitted to the unlawful transfer of 50 million user profiles to the data analytics firm Cambridge Analytica, which harvested the data without user consent. Cambridge Analytica, hired by President Trump’s 2016 presidential campaign, was able to collect the private information of approximately 270,000 users and their extensive friend networks under false pretenses as a research-driven application. All of the users that participated in the survey consented to having their data collected but was told it was for “academic use.” The third party application subsequently scraped the data of these user’s friends without their knowledge or consent and transferred the data to Cambridge Analytica. Since Facebook’s announcement, the number has increased to up to 87 million users, making it one of the largest unlawful data transfers in Facebook’s history. Lawmakers in the U.S. and abroad have opened investigations into this incident and Mark Zuckerberg testified publicly before Congress.

Top News


Facebook timelineFrom 2009 to 2011, EPIC and a coalition of consumer organizations pursued several complaints with the Federal Trade Commission, alleging that Facebook had changed user privacy settings and disclosed the personal data of users to third parties without the consent of users. EPIC conducted extensive research and documented the instances of Facebook overriding the users’ privacy settings to reveal personal information and to disclose, for commercial benefit, user data, and the personal data of friends and family members, to third parties without their knowledge or affirmative consent.

2011 FTC Investigation

In response to a complaint from EPIC and consumer privacy organizations, the FTC launched an extensive investigation into Facebook’s policies and practices. The FTC and issued a Preliminary Order against Facebook in 2011 and then a Final Order in 2012. The Final Order bars Facebook from making any future misrepresentations about the privacy and security of a user’s personal information, requires Facebook to establish a comprehensive privacy program, requires Facebook to remove user information within thirty days after a user deletes an account, requires Facebook to obtain a user’s express consent before enacting changes its data sharing methods, and requires Facebook to have an independent privacy audit every two years. According to the FTC, the Final Order will remain in effect for 20 years.

Cambridge Analytica

Cambridge Analytica is a U.K.-based data analytics consulting firm that offers services for political campaigns. Cambridge Analytica specializes in “psychographic” profiling, which uses data collected online to identify personalities of voters and influence voter behavior through targeted advertising. The data analytics firm gathers information through data mining, data brokerage, and data analysis. Cambridge Analytica is an offshoot of the parent company SCL Group and is partly owned by billionaire Robert Mercer, a major donor to President Trump’s 2016 presidential campaign. The data analytics firm has been involved in a number of political races, including Donald Trump’s presidential campaign.

Cambridge Analytica’s Data Harvesting

In 2013, a Cambridge University researcher named Dr. Aleksandr Kogan created a personality quiz application called “thisisyourdigitallife” that asked Facebook users to fill out a questionnaire for $1-2. Dr. Kogan’s application would collect the user’s personal Facebook information for “academic purposes” and also subsequently scrape private information from the profiles of their Facebook friends. The data collected included details on user identities, their residences, their friend networks, and “likes.”

In 2014, Cambridge Analytica and Dr. Kogan entered into a contract premised on the harvest and processing of the user data. Dr. Kogan violated Facebook’s terms of service and transferred the user data to Cambridge Analytica without Facebook users’ knowledge or consent. At the time, Facebook permitted such activity but has since banned it.

In April 2014, Facebook announced plans to upgrade its platform to restrict access to friends data by third party applications by 2015. Third party applications, however, did not have to delete the data they already obtained prior to the 2015 platform upgrade.

From 2014 to 2016, Cambridge Analytica engaged in the illicit collection of data of up to 87 million users. Under Facebook’s current terms of service, data collected by third party applications cannot be sold or transferred to outside parties. Investigative reports allege that the data analytics firm harvested the data to develop techniques to target voters in the 2016 presidential election, including an algorithm that could analyze individual Facebook profiles and determine voting behavior.

Cambridge Analytica whistleblower Christopher Wylie states “We exploited Facebook to harvest millions of people’s profiles. And built models to exploit what we knew about them and target their inner demons. That was the basis the entire company was built on.”

Facebook learned about the data harvesting in 2015 but did not publicly acknowledge the incident until three years later. Facebook suspended both Cambridge Analytica and Dr. Kogan after learning from the New York Times and the Guardian’s Observer that they allegedly had not destroyed the data.

Facebook’s Response and Criticisms

After the Cambridge Analytica news reports surfaced, Facebook has come under heavy scrutiny for its privacy practices and mishandling of user data. Facebook responded to the scandal by introducing a three-step plan to prevent platform abuse:

  1. Conduct a full audit of applications with suspicious activity and ban any developer that has misused personally identifiable information
  2. Restrict developer’s access to data such as removing the data if a user has not used their application in 3 months
  3. Add a new tool on the top of user’s news feed that enables users to see which applications they have used and revoke a third party application’s data access

The social media giant also is expanding its bug bounty program to reward those who find misuses of data by third party application developers as well as notify users if third party applications misused their data. Facebook chief executive Mark Zuckerberg called the illicit data harvesting a “major breach of trust” with users.

Facebook’s efforts to mitigate the damage from the Cambridge Analytica fallout has not convinced critics. The hashtag #DeleteFacebook trended on Twitter with supporters such as Tesla and SpaceX chief executive Elon Musk and WhatsApp co-founder Brian Acton supporting the social media outcry for users to delete their Facebook accounts. The protest hashtag, however, did not have a significant impact on the social networking platform according to Facebook. The company’s stock plummeted by nearly 7% the Monday after the Cambridge Analytica scandal broke.

Congressional Pressures on Facebook

Lawmakers swiftly demanded answers from Facebook after the Cambridge Analytica scandal, namely for Mark Zuckerberg to testify and explain how the information of 87 million users ended up in the possession of a data analytics firm tied to President Trump’s 2016 campaign.

In a joint letter to Facebook, Senate Commerce Committee Chairman Senator John Thune (R-S.D.), Senator Roger Wicker (R-Miss.) and Senator Jerry Moran (R-Kan.) wrote, “the possibility that Facebook has either not been transparent with consumers or has not be able to verify that third party app developers are transparent with consumers is troubling.” Similarly, Senator Ron Wyden (D-Or.) stated that the ease in which Cambridge Analytica was able to exploit Facebook’s privacy settings and harvest user data “for profit and political gain throws into question not only the prudence and desirability of Facebook’s business practices and the dangers of monetizing consumer’s private information, but also raises serious concerns about the role Facebook played in facilitating and permitting the covert collection and misuse of consumer information.” In a letter to the Senate Commerce Committee, Senator Edward Markey (D-Mass.) said “in light of these allegations, and the ongoing Federal Trade Commission (FTC) consent decree that requires Facebook to obtain explicit permission before sharing data about its users, the Committee should move quickly to hold a hearing on this incident, which has allegedly violated the privacy of tens of millions of Americans." Senator Amy Klobuchar (D-Minn.) stated, “this is a major breach that must be investigated. It’s clear these platforms can’t police themselves.”

After pressure from lawmakers, Mark Zuckerberg testified publicly before a joint hearing of two Senate committees as well as before a House committee. Mark Zuckerberg testified before both the Senate Judiciary and Senate Commerce Committees on April 10, 2018 and the House Energy and Commerce Committee on April 11, 2018.

Investigations in the U.S. and Abroad

United States

Following scrutiny over Facebook’s role in the data mishandling of up to 87 million users, the Federal Trade Commission announced on March 26, 2018, that it is investigating whether Facebook violated its 2012 Consent Order. Acting Direct Tom Pahl stated, “Companies who have settled previous FTC actions must also comply with FTC order provisions imposing privacy and data security requirements. Accordingly, the FTC takes very seriously recent press reports raising substantial concerns about the privacy practices of Facebook.”

In a letter to Facebook, 41 state and territory attorney generals demanded Mark Zuckerberg to answer a series of questions concerning Facebook’s policies and practices. Additionally, several state attorney generals have have opened both joint and independent investigations into Facebook’s involvement with Cambridge Analytica - including Massachusetts, New York, New Jersey, and Missouri. Moreover, it has been reported that the Department of Justice’s Special Counsel Robert Mueller has requested emails from Cambridge Analytica as part of his investigation into the Russian interference of the 2016 Presidential Election.

United Kingdom and Europe

Lawmakers in the United Kingdom are calling for an investigation into Cambridge Analytica’s role in disinformation, its exploitation of personal data, and its participation in the Brexit campaign. Cambridge Analytica whistleblower Christopher Wylie provided oral evidence before a British parliamentary select committee that the European Union referendum would not have resulted in the same outcome had there not been “cheating.”

The U.K. Parliament’s Digital, Culture, Media and Sport Committee asked Mark Zuckerberg to appear before the panel to answer questions regarding how Cambridge Analytica acquired Facebook user data without their consent. Mark Zuckerberg, however, refused to testify before U.K. Members of Parliament.

The British Information Commissioner launched an investigation into the use of data analytics for political purposes of 30 organizations, including Facebook. According to Commissioner Elizabeth Denham, the office is “looking at how data was collected from a third party app on Facebook and shared with Cambridge Analytica.” On March 23, 2018, the British Information Commissioner executed a warrant to inspect the Cambridge Analytica’s London office.

In Europe, President of the European Parliament Antonio Tajani tweeted that “allegations of misuse of Facebook user data is an unacceptable violation of our citizens’ privacy rights” and that the EU parliament will “investigate fully.”


On April 5, 2018, the Australian Information Commissioner opened a formal investigation into Facebook, following confirmation that over 300,000 Australian’s data may have been improperly shared with Cambridge Analytica.


On March 20, 2108, the Privacy Commissioner of Canada announced that it opened a formal investigation into Facebook. Privacy Commissioner of Canada Daniel Therrien states “Allegations about the misuse of the personal information of 50 million Facebook users are shaking the very foundation on which our digital economy is based. Not only is consumer trust at risk, so too is trust in our democratic processes.”

EPIC’s Work





Share this page:

Defend Privacy. Support EPIC.
EPIC Mueller Report book
US Needs a Data Protection Agency