D.C.’s Attorney General Is Suing Facebook for Its ‘Misleading’ Data Practices

AG cites Cambridge Analytica as an example

Facebook CEO Mark Zuckerberg addressed Congress earlier this year to talk about how the company he co-founded collects and uses data. Getty Images
Headshot of Marty Swant

Washington, D.C.’s attorney general, Karl Racine, is suing Facebook over its user data collection and protection practices.

The lawsuit, filed today, alleges that the Menlo Park, Calif.-based company failed to protect users’ personal data from abuse. The AG’s office said nearly half of the district’s residents had their data exposed and manipulated during the 2016 presidential election and claimed that Facebook’s “lax oversight and misleading privacy settings” allowed third-party companies to collect information without consent.

The lawsuit, first reported by the Washington Post, specifically mentions Cambridge Analytica—the now-defunct United Kingdom data firm that bought data from an online personality quiz and then used that data to target voters based on their personalities. The actions have led to a number of hearings on Capitol Hill and in British Parliament over the course of the past year, leading to questions as to whether the largest internet companies are doing enough to protect users.

“Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used,” Racine said in a statement. “Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users’ permission. Today’s lawsuit is about making Facebook live up to its promise to protect its users’ privacy.”

The 21-page complaint, filed in D.C. superior court, also alleges that Facebook misrepresented the extent of how it protects users’ personal data and how it “failed to adequately disclose” when that data was collected by third parties without users’ knowledge. The suit said 852 D.C. residents downloaded the personality test that could have affected data of at least 340,000 people.

“The District of Columbia brings this case to ensure Facebook is held accountable for its failure to protect the privacy of its consumers’ personal data,” according to the complaint. “The District seeks injunctive relief to prevent Facebook from engaging in these and similar unlawful practices, civil penalties and costs to deter Facebook from engaging in these and similar unlawful trade practices, and any appropriate restitution for consumers.”

The lawsuit also suggests that Facebook consumers might have been prompted to share less information online during the 2016 presidential election if they would have known about Cambridge Analytica’s practices when Facebook learned of them in 2015 or 2016.

When asked for comment, a Facebook spokesperson said the company is “reviewing the complaint and [we] look forward to continuing our discussions with attorneys general in D.C. and elsewhere.” (Earlier this month, Facebook played host to a one-day pop-up exhibit in New York City’s Bryant Park, where it sought to teach passersby about how they can inform themselves about how Facebook uses their data.)

The news comes as Facebook continues to be in the crosshairs of Congress, advocacy groups and regulators over a number of ways it collects and uses user data with and without consumer consent. While lawmakers introduced several bills earlier this year that would curb the collection, use and disclosure of data, so far Congress has been reluctant to regulate the social media giants. However, several key members have voiced their growing impatience with the companies’ ability to self-regulate.

Earlier this month, Sen. Mark Warner, D-Va., wrote a letter to the Federal Trade Commission complaining that the agency has been slow to act in consumers’ interest. Today, Warner took to Twitter to point out that Facebook still isn’t being transparent enough, citing a report from The New York Times this week that said some companies were allowed by Facebook to read private messages written by users.

“It is beyond obvious at this point that social media platforms are simply not up to the task of voluntarily ensuring the privacy and security of their users. Congress must step in,” he wrote.

Sen. Richard Blumenthal, D-Conn., cited a 2011 settlement between the FTC and Facebook over the company’s privacy practices. He said the FTC “must crack down” on the company’s data practices, while suggesting that Congress should also address the issue in January.

“The snail’s pace FTC investigation of Facebook’s illegal practices is becoming a bad joke,” he wrote. “Facebook has defiantly violated its consent order. Its impunity should mean tough remedies.”

While Congress has been slow to discuss regulating Facebook, a state law hastily passed in California earlier this year goes into effect next month, beginning yet another test of how well tech companies and the advertisers that rely on their data will be able to navigate a new law. The law will require user consent for any data collected and also provide a way for users to see all of the information that companies have collected on them.

As pressure mounts in California, advertising trade groups are asking federal officials to implement regulations at the national level in order to preempt California and other states from creating their own. On Tuesday, the Association of National Advertisers filed official comments with the FTC asking it to consider new privacy legislation rather than force advertisers to potentially craft different practices for each state.

The ANA said California’s law and the recently enacted General Data Protection Regulation in the European Union are “well-meaning,” but put the internet’s data-driven economy “under unwarranted threat.”

“This overly restrictive approach threatens the free flow of information that is vital to delivering the products and services that consumers value and expect,” the ANA wrote. “Unfortunately, numerous other states are considering additional and potentially inconsistent privacy and data security laws. We specifically urged the FTC to carry out a detailed review of the effects of the GDPR and the CCPA on competition and consumers.”

@martyswant martin.swant@adweek.com Marty Swant is a former technology staff writer for Adweek.