Case Study 23-1: Cambridge Analytica — The Data Scandal That Changed Privacy Law
Overview
Few episodes in the history of the internet have concentrated public attention on data privacy as sharply as the Cambridge Analytica scandal. In March 2018, reporting by The Guardian, The New York Times, and Channel 4 News revealed that the British political consulting firm Cambridge Analytica had harvested the personal data of approximately 87 million Facebook users without their knowledge or consent, and used that data to build psychographic profiles for targeted political advertising campaigns including the 2016 US presidential election and the Brexit referendum. The story triggered congressional hearings, regulatory investigations on multiple continents, and the eventual dissolution of Cambridge Analytica itself — but its deepest legacy was accelerating the enforcement of data protection frameworks that had been on the books but largely unenforced.
This case study examines what happened, how it happened, what consequences followed, and what it means for the future of data privacy in an AI-enabled world.
Background: Facebook's Data Model and Third-Party Applications
To understand Cambridge Analytica, it is necessary to understand how Facebook's platform worked in 2013 and 2014 — specifically, the permissions it granted to third-party application developers.
Facebook built its dominance not only through its own social network, but through an ecosystem of third-party applications that ran on the Facebook platform. Developers could build quiz applications, games, and tools that accessed Facebook user data in exchange for making their apps available through Facebook's platform. The value exchange was designed to be mutual: users got apps, developers got access to users, and Facebook got more engagement on its platform.
The critical feature — the one that made Cambridge Analytica possible — was that when a Facebook user granted permissions to a third-party app, that app could access not only the user's own data but the data of the user's friends, without those friends ever interacting with the app or granting it any permissions. This "friends of friends" data access was not hidden — it was disclosed in Facebook's developer terms — but it was not disclosed in a way that users or their friends meaningfully understood.
In 2014, Facebook changed its policies to restrict this friends data access. But data collected before the policy change remained in third-party hands. The barn door was closed after the horse had bolted.
The Academic Front: Aleksandr Kogan and "This Is Your Digital Life"
The data harvesting that fed Cambridge Analytica began with a Cambridge University researcher named Aleksandr Kogan. In 2013, Kogan developed a Facebook application called "thisisyourdigitallife" — a personality quiz that paid participants a few dollars to take a psychographic assessment.
The quiz was unremarkable in itself. What was remarkable was its data access. Users who took the quiz granted the app permission to access their Facebook profile data — their likes, their political views, their relationship status, their location, their birthday — and, through the friends-of-friends permission, the same data for all of their Facebook friends. Approximately 270,000 people took the quiz. Each of them brought along an average of 320 Facebook friends, none of whom had consented to anything.
The result was a dataset covering approximately 87 million people: their Facebook profile data, their interests and likes, their political affiliations, their relationship statuses, their locations. This data was never intended by its subjects for political profiling. It was the incidental exhaust of their social networking activity, collected without their knowledge and assembled into a tool for behavioral manipulation.
Under Facebook's developer terms, Kogan was prohibited from selling or transferring the data to third parties. He transferred it anyway — to Cambridge Analytica and its parent company, SCL Group. Facebook later claimed this transfer violated its policies. The fact that such a transfer was technically possible, that there were no meaningful technical controls preventing it, and that Facebook did not discover it until years later raises obvious questions about whether Facebook genuinely prioritized data protection or merely included protective language in its terms of service.
Cambridge Analytica: The Psychographic Profiling Machine
Cambridge Analytica was founded in 2013 as a subsidiary of the London-based SCL Group, a political consulting firm with a history of working on elections in developing countries. Cambridge Analytica was established specifically to bring SCL's methods to American politics, backed initially by conservative donor Robert Mercer and led by Steve Bannon.
The firm's central claim was that it had developed a proprietary method — based on psychographic profiling using the "OCEAN" model (Openness, Conscientiousness, Extraversion, Agreeableness, Neuroticism) — that could predict individual political behavior and be used to micro-target political messages with extraordinary precision. Cambridge Analytica claimed to have built psychographic profiles on every adult American.
The OCEAN model is a legitimate personality psychology framework. The claim that Cambridge Analytica could derive reliable OCEAN scores from Facebook data and use them to predict political behavior with high accuracy has been contested by academic psychologists. Research published after the scandal found that the predictive power of Cambridge Analytica's methods was more modest than claimed. But the firm sold its methods aggressively to political clients, and the absence of empirical evidence for its claims did not prevent it from winning contracts.
Data Operations
Cambridge Analytica combined the Facebook data harvested by Kogan with other data sources: commercial consumer data purchased from data brokers, voter files purchased from state election authorities, and additional data acquired through surveys and other means. The combination was processed by machine learning algorithms designed to predict personality traits, political views, and susceptibility to particular messages.
The result was a profile database that claimed to characterize individuals on dimensions relevant to political persuasion: their political leanings, their openness to change, their response to authority, their susceptibility to fear-based messaging. These profiles were then used to target political advertising — different messages to different psychographic segments, designed to exploit the specific vulnerabilities of each segment.
The 2016 US Presidential Election
Cambridge Analytica was hired by the Trump presidential campaign in June 2016. The firm claimed to have used its psychographic profiling to identify persuadable voters in key states and target them with messages designed for their specific psychological profile. The campaign particularly focused on voter suppression — identifying voters who might have supported Clinton but could be discouraged from voting through targeted messaging about Clinton's record.
Whether Cambridge Analytica's psychographic methods actually influenced the 2016 election outcome remains contested. The firm's own claims were inflated; subsequent academic analysis suggested its methods were less powerful than advertised. Other factors — Russian interference, FBI Director Comey's letter, candidate quality, economic anxiety — were also significant. But the mere possibility that psychological profiling of harvested personal data could influence democratic elections was alarming enough to generate significant public concern.
Brexit
Cambridge Analytica's parent company, SCL Group, was also connected to the Leave.EU campaign in the 2016 Brexit referendum through Nigel Farage's UKIP-aligned operation. The precise nature of this connection was disputed and investigated by the UK's Electoral Commission. The investigation found that Cambridge Analytica did not work directly for the official Vote Leave campaign, but the connections between SCL and Leave.EU were real and raised concerns about undisclosed foreign involvement in UK democratic processes.
The Whistleblower: Christopher Wylie
The Cambridge Analytica story might never have become public without Christopher Wylie, a Canadian data scientist who helped design the data harvesting operation before becoming disillusioned with its applications. Wylie left Cambridge Analytica in 2014 and eventually became a whistleblower, providing documents and testimony to The Guardian, The New York Times, and the UK Parliament's Digital, Culture, Media and Sport (DCMS) Committee.
Wylie's testimony was vivid and devastating. He described Cambridge Analytica as having "built psychological warfare tools" and characterized the operation as deliberately exploiting psychological vulnerabilities for political manipulation. His documentation of the data harvesting, the firm's methods, and its connections to the Trump campaign provided the factual foundation for regulatory investigations on both sides of the Atlantic.
Wylie's motivation was not simple altruism — he acknowledged his own role in creating the system he later criticized. But his disclosure illustrates the critical role that whistleblowers play in making opaque data operations visible to the public and to regulators.
Regulatory Response
The ICO Investigation
The UK Information Commissioner's Office launched an investigation into Cambridge Analytica and Facebook in March 2018. The investigation was led by Information Commissioner Elizabeth Denham and was one of the largest investigations the ICO had ever undertaken. Over 18 months, the ICO reviewed 700 emails and documents, conducted multiple interviews, and coordinated with data protection authorities in other countries.
The ICO's 2020 final report found that Facebook had failed to keep users' personal data safe and had failed to be transparent about how data could be used by third-party developers. The ICO fined Facebook 500,000 pounds, the maximum penalty available under the pre-GDPR Data Protection Act 1998. That was only a fraction of what GDPR would have allowed: 4% of Facebook's global annual turnover would have been approximately 1.6 billion pounds.
The ICO found that Cambridge Analytica had failed to respond to a statutory information notice and that the company had processed personal data without a lawful basis. However, by the time the investigation concluded, Cambridge Analytica had dissolved, making enforcement largely moot.
Congressional Testimony
Facebook CEO Mark Zuckerberg testified before the US Senate Commerce and Judiciary Committees on April 10, 2018, and before the House Energy and Commerce Committee on April 11, 2018. The testimony was historic — the first time a major Silicon Valley CEO had testified before Congress about data privacy.
The hearings exposed a significant technical literacy gap between the senators asking questions and the witness answering them. Senator Orrin Hatch infamously asked Zuckerberg "How do you sustain a business model in which users don't pay for your service?" — to which Zuckerberg replied, "Senator, we run ads." But the hearings also produced genuine scrutiny, with Senator Dick Durbin asking Zuckerberg whether he would be comfortable sharing the name of the hotel he stayed in the previous night — and Zuckerberg declining.
Zuckerberg acknowledged that Facebook had been too slow to respond to data misuse, committed to improving privacy controls, and accepted that regulation might be appropriate. He repeatedly promised to "follow up" on specific technical questions from senators. His testimony, while deflecting accountability, contributed to public understanding that the data economy operated with minimal oversight.
FTC Settlement
In July 2019, the Federal Trade Commission approved a $5 billion settlement with Facebook for violating a 2012 FTC consent decree that had required the company to protect users' privacy. The settlement was the largest fine the FTC had ever imposed. Critics noted that $5 billion, while large in absolute terms, represented roughly three months of Facebook's revenue, and that the settlement did not require structural changes to Facebook's business model. Facebook's share price actually increased when the settlement was announced, as investors had feared a larger fine or more restrictive requirements.
What Changed in Privacy Law
GDPR Enforcement Acceleration
The Cambridge Analytica scandal broke as GDPR was being prepared for implementation on May 25, 2018. The scandal created significant public pressure for enforcement and demonstrated the harms that GDPR was designed to prevent. EU data protection authorities, which had been criticized for insufficient enforcement activity, faced intense political pressure to take GDPR seriously.
The scandal also demonstrated the inadequacy of pre-GDPR frameworks. The ICO's maximum fine under the 1998 Data Protection Act — 500,000 pounds — was demonstrably insufficient to deter the world's largest social media company. GDPR's threat of 4% of global annual turnover was designed specifically to create consequences proportionate to the scale of tech platforms.
State Privacy Legislation
Cambridge Analytica's political impact in California was particularly significant. The California Consumer Privacy Act was moving through the legislative process at the same time as the scandal broke. The scandal galvanized public support for privacy legislation and contributed to CCPA's passage in June 2018 — the most significant US privacy legislation since HIPAA.
Platform Accountability
Facebook's response to the scandal included significant changes to its developer platform, restricting the types of data third-party apps could access and imposing new audit requirements on developers. These changes addressed the specific mechanism that had enabled Cambridge Analytica but left the underlying data economy largely intact. Facebook's business model — collecting behavioral data and selling advertising targeted based on that data — continued unchanged.
Dissolution of Cambridge Analytica
Cambridge Analytica announced it was ceasing operations and declaring insolvency in May 2018, two months after the scandal broke. The company attributed its closure to the loss of clients and the mounting legal costs of investigations. Its assets and personnel largely migrated to successor companies operating under different names. The dissolution did not resolve the underlying data privacy questions or compensate any of the 87 million people whose data had been harvested.
Lessons for Business Professionals
The Cambridge Analytica case teaches several enduring lessons for business professionals working with AI and data:
Platform accountability extends to third-party use. Facebook's claim that Cambridge Analytica violated its developer terms was true but insufficient. When organizations build platforms that make certain data uses possible, they bear moral and legal responsibility for those uses — particularly when the platform benefits commercially from the permissive data access that enables misuse.
Data collected for one purpose will be used for others. The Facebook users who installed "thisisyourdigitallife" or whose friends did so consented to a personality quiz, not to political profiling. The gap between the purpose for which data is collected and the purpose for which it is subsequently used is a fundamental privacy risk that must be addressed in system design.
Technical controls matter more than legal terms. Facebook's developer terms prohibited the sale of user data to third parties. Kogan sold it anyway. The terms of service provided no practical protection. Technical controls — systems that make prohibited data uses technically impossible, not merely contractually forbidden — provide more genuine protection than legal agreements.
Whistleblowers and journalism are essential accountability mechanisms. The Cambridge Analytica scandal was not discovered by a regulatory inspection or a corporate compliance program. It was discovered by a whistleblower and revealed by journalists. This reflects the opacity of data operations — the impossibility of meaningful external oversight when data processing happens in private systems invisible to data subjects and regulators alike.
Scale and influence require commensurate responsibility. Organizations that process data at the scale of Facebook, that have the influence over public information and democratic discourse that Facebook has, bear responsibilities commensurate with that scale and influence. The argument that Facebook was merely a platform on which bad actors operated is inadequate when the platform's design choices made the bad acts possible and profitable.
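The friends-data permission described in the Background section and the "technical controls" lesson above can be compared directly in code. The following is an added example, not Facebook's code or API: the `User` model, the function names, the `quiz_app` identifier, the purpose strings and the six-person graph are all hypothetical and constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class User:
    uid: str
    friends: set = field(default_factory=set)
    consents: dict = field(default_factory=dict)  # app_id -> purposes this user granted

def grant(user, app_id, purpose):
    user.consents.setdefault(app_id, set()).add(purpose)

def release_delegated(users, app_id, installer_id):
    """Weak model: one installer's grant also releases every friend's profile."""
    installer = users[installer_id]
    if app_id not in installer.consents:
        return set()
    return {installer_id} | installer.friends

def release_per_subject(users, app_id, installer_id, purpose):
    """Hardened model: a profile is released only if that data subject
    granted this app this specific purpose (consent plus purpose binding)."""
    candidates = {installer_id} | users[installer_id].friends
    return {uid for uid in candidates
            if purpose in users[uid].consents.get(app_id, set())}

def exposure(users, app_id, release, *extra):
    """Union of profiles the app can read across everyone who installed it."""
    exposed = set()
    for uid, user in users.items():
        if app_id in user.consents:
            exposed |= release(users, app_id, uid, *extra)
    return exposed

def build_sample():
    """Constructed graph: two quiz takers, four friends who never saw the app."""
    graph = {"ana": {"cy", "dee", "eli"}, "bo": {"eli", "fay"},
             "cy": {"ana"}, "dee": {"ana"}, "eli": {"ana", "bo"}, "fay": {"bo"}}
    users = {uid: User(uid, set(friends)) for uid, friends in graph.items()}
    for uid in ("ana", "bo"):
        grant(users[uid], "quiz_app", "personality_quiz")
    return users

if __name__ == "__main__":
    users = build_sample()
    print("delegated:", sorted(exposure(users, "quiz_app", release_delegated)))
    print("per-subject, quiz purpose:",
          sorted(exposure(users, "quiz_app", release_per_subject, "personality_quiz")))
    print("per-subject, profiling purpose:",
          sorted(exposure(users, "quiz_app", release_per_subject, "political_profiling")))
```

Under the delegated model two consenting users expose six profiles; under the per-subject model the same two installs expose two, and a request for a purpose nobody granted returns nothing.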