Just a day after The New York Times ran a detailed report on how Facebook allowed certain companies unlimited access to profile information of millions of users in violation of its own privacy rules, the attorney general of the District of Columbia has filed a lawsuit against Facebook for allowing a third-party app to harvest profile information of millions of users without obtaining prior consent.
According to the Washington Post, the lawsuit is the first official regulatory action in the U.S. against Facebook after the company's role in the Cambridge Analytica fiasco was revealed to the public. In April this year, Facebook's chief technology officer Mike Schroepfer admitted that the Cambridge Analytica scandal compromised personal details of up to 87 million people, 70 million of whom were from the United States.
Cambridge Analytica entered into an agreement Global Science Research (GSR), a firm owned by Cambridge University academic Aleksandr Kogan. Thanks to the agreement, Kogan designed a new app named thisisyourdigitallife and then used it to collect Facebook data of hundreds of thousands of Facebook users who had agreed to take personality tests and to have their data collected for academic use.
Not only did Kogan's app harvest Facebook data of those who participated in the tests, but also harvested profiles of their Facebook friends, thereby extending its reach to millions of users. While it was initially believed that around 270,000 Facebook users had consented to the personality tests, the BBC later revealed that the real count of such Facebook users was 305,000.
Even though the attorney general of the District of Columbia has fired the first official salvo against Facebook to ensure that the company faces justice for not protecting data security of millions of people, the Federal Trade Commission (FTC) is yet to take any action against Facebook even though it launched an investigation as soon as the scandal was revealed to the public.
Back in 2012, the FTC did allow Facebook to pay an undisclosed amount to settle regulatory action on grounds that "Facebook deceived consumers by telling them they could keep their information on Facebook private, and then repeatedly allowing it to be shared and made public."
"The settlement requires Facebook to take several steps to make sure it lives up to its promises in the future, including by giving consumers clear and prominent notice and obtaining their express consent before sharing their information beyond their privacy settings, by maintaining a comprehensive privacy program to protect consumers' information, and by obtaining biennial privacy audits from an independent third party," the FTC said while announcing the settlement.
However, with Facebook facing regulatory action in several countries for its actions post-2014, it is clear that the company may have failed to act in accordance with promises made to the FTC. Karl Racine, the attorney general, told Washington Post that his office has “had discussions with a number of other states that are similarly interested in protecting the data and personal information of their consumers,” suggesting that Facebook could face similar lawsuits from other U.S. states in the coming days.
In the UK, Facebook has already been fined £500,000 by the Information Commissioner's Office who observed that Facebook contravened the law by failing to safeguard people’s information and that the company failed to be transparent about how people’s data was harvested by others.