The Washington, D.C., attorney general sued Facebook Wednesday in a local court, saying the company failed to protect user data and “exposed nearly half of all District residents’ data to manipulation for political purposes during the 2016 election.”
That violated the D.C. Consumer Protection Procedures Act, according to a statement from Attorney General Karl A. Racine.
“Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used,” he said in the statement. “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.”
Facebook said in a statement Wednesday that it’s reviewing the lawsuit.
“We’re reviewing the complaint and look forward to continuing our discussions with attorneys general in DC and elsewhere,” a Facebook spokesperson said.
Among the ways Facebook allegedly violated the law:
- Deception: The company allegedly misled users by telling them it would protect their privacy and require third-party app developers to do the same. In reality, the complaint alleges, Facebook let Cambridge University researcher Aleksandr Kogan and his company Global Science Research gather data from users who didn’t use its apps and then sell it to Cambridge Analytica, the controversial political firm.
- Negligence: The company also didn’t properly monitor or audit third-party apps, according to the attorney general, failing to check whether Kogan’s app adhered to Facebook policies on user data.
- Confusion: Facebook’s privacy and app settings were “confusing and ambiguous,” making them hard for consumers to configure, according to the lawsuit. “Instead of allowing users to control access to their information on third-party apps directly from its main privacy settings page, Facebook required users to go to a different part of its platform for third-party app privacy settings,” according to the AG’s office. “This made it harder for consumers to realize that apps could be harvesting their data.”
- Delay: Facebook took more than two years to let users know about Cambridge Analytica’s activities. “The company conducted a cursory investigation and confirmed that the data had been improperly harvested from users and then sold to Cambridge Analytica,” according to the attorney general’s office. “However, Facebook did not inform users affected by the breach until 2018.”
- Carelessness: Facebook allegedly didn’t make sure Cambridge Analytica deleted the user data it gathered, taking the political firm at its word the data was scrubbed from its systems.