If you’re like us, you have probably noticed a recent trend of companies updating their website privacy policies to address the California Consumer Privacy Act (CCPA). While it’s easy to get wrapped up in how to satisfy CCPA’s onerous and confusing requirements for the form and content of notices and privacy policies, a series of recent settlements in privacy cases brought by the FTC should serve as a reminder: When drafting content directed to consumers like collection notices and website privacy policies, accuracy in substance is still more important than complying with statutorily-imposed form and content requirements.
On December 18, 2019, the FTC issued Final Orders approving settlements in cases that it brought earlier this year against the former CEO of Cambridge Analytica, LLC, Alexander Nix, as well as an app developer, Aleksandr Kogan, who worked with the company to create the application at the center of the controversy surrounding Cambridge Analytica’s deceptive harvesting of Facebook users’ personal information. The Final Orders against Nix and Kogan followed the FTC’s November 25, 2019 Final Order granting summary decision against Cambridge Analytica (which filed for bankruptcy in 2018) for similar violations.
The FTC’s Complaint against Cambridge Analytica alleged that the company violated Section 5 of the Federal Trade Commission Act by using false and deceptive tactics to collect personal information from tens of millions of Facebook users through a Facebook application called the “GSRApp.” The GSRApp asked users to answer survey questions and also asked for consent for the app to collect their Facebook profile data. When the GSRApp asked consumers to authorize the app to collect their Facebook data, it displayed the following representation:
In this part, we would like to download some of your Facebook data using our Facebook app. We want you to know that we will NOT download your name or any other identifiable information—we are interested in your demographics and likes.
In fact, once authorized, the GSRApp collected the Facebook User ID, gender, birthdate, location, friends list, and “likes” of public Facebook pages of app users and their Facebook friends. That data was then used for voter profiling and targeted advertising purposes. According to the FTC, that false representation was added to the app only after Cambridge Analytica found that half of the survey participants initially refused to grant the GSRApp permission to collect their Facebook profile data.
The FTC's Complaint also alleged that Cambridge Analytica falsely represented:
- That it was a participant in the EU-U.S. Privacy Shield, even though it had allowed its certification to lapse;
- That it would adhere to the Privacy Shield principles, even though it failed to affirm to the Department of Commerce, as required, that it would continue to apply those principles to personal information it acquired while participating in the program.
The FTC found in its full commission Opinion against Cambridge Analytica that all of these statements were deceptive and violated Section 5 of the FTC Act. As a result of those violations, the FTC ordered the (now defunct) company to, among other things:
- Provide the Commission with the name, address, and phone number for each person with whom the company shared personal information collected from consumers through the GSRApp;
- Delete or destroy all personal information collected from consumers through the GSRApp (including any algorithms, equations, or other work product that originated from the personal information);
- Never disclose, use, sell, or receive any benefit from that personal information.
So, as companies scramble to update their privacy policies and craft notice language to address the requirements of CCPA before January 1, it is important not to lose sight of the FTC Act prohibition on unfair or deceptive acts or practices. As we discussed here, this is not the first time in recent months that the FTC has settled with companies for making false or deceptive claims in their website privacy policies. Nor will it likely be the last. Don’t fall into the trap of parroting statutorily-required content without scrutinizing whether claims you make about the data you collect and how you use and share it are truthful.