Facebook-Cambridge Analytica Data Scandal: 87 Million Profiles, $5.7B in Penalties, and the API Permissions Failure That Redefined Privacy Regulation

The Facebook-Cambridge Analytica incident reset the global regulatory treatment of consumer data exposure in three irreversible ways: the FTC began enforcing consent failures with penalties orders of magnitude larger than any prior consumer-protection action, the European Union accelerated the General Data Protection Regulation's adoption and enforcement posture, and U.S. state legislators introduced and passed the California Consumer Privacy Act and its successors. The $5 billion FTC settlement in July 2019 was the largest consumer-protection penalty in U.S. history at the time of imposition and remains the structural reference point for every subsequent privacy enforcement action against major U.S. platforms. The case established that consent-based data exposure — data collected through legitimate API access that was nonetheless used outside the scope users would have understood — is a regulatory category equivalent to technical breach, and that platforms enabling that exposure are accountable for the downstream uses regardless of whether they directly executed them. The total disclosed cost across regulatory penalties, class action settlements, and securities enforcement exceeded $5.7 billion.

In March 2018, The Guardian, The New York Times, and Channel 4 News published the account of former Cambridge Analytica employee Christopher Wylie, who disclosed that Cambridge Analytica had obtained personal data and inferred psychographic profiles for approximately 87 million Facebook users. The data had been collected by researcher Aleksandr Kogan via a personality-quiz Facebook app called "This Is Your Digital Life," operating through Kogan's company Global Science Research (GSR). The app used Facebook's then-permitted Friends API to collect data not just from quiz takers — approximately 270,000 individuals — but from their entire friend networks. Kogan transferred the data to Cambridge Analytica in 2014 in violation of Facebook's platform terms.

The data and its uses

The exposed data included names, locations, "likes," and other Facebook profile attributes. The novelty was not in the data itself but in what Cambridge Analytica did with it: the company combined the Facebook data with commercial consumer datasets and with Cambridge University Psychometrics Centre research methods to build what it characterized as psychographic profiles — predictions about each user's openness, conscientiousness, extraversion, agreeableness, and neuroticism (the "OCEAN" or "Big Five" personality dimensions), and the resulting predictions about which political and consumer messages would be most persuasive to that user.

Cambridge Analytica's psychographic targeting was deployed in U.S. political campaigns including Ted Cruz's 2016 Republican primary campaign and the 2016 Trump general election campaign. The company's parent SCL Group worked with the official Vote Leave campaign and other Brexit-aligned organizations during the 2016 U.K. referendum, though the precise scope of those engagements was subsequently disputed. The combined disclosures — psychographic targeting of voters in two of the most consequential political events of the decade, executed using data obtained without the consent of the users — created the most severe consumer-data-related public reaction since the dawn of social media.

The Kogan-SCL transfer

Aleksandr Kogan was a Moldovan-born researcher at the University of Cambridge Department of Psychology. The Psychometrics Centre at Cambridge had published research on inferring personality traits from Facebook likes since 2012. Kogan, who also held a part-time appointment at St. Petersburg State University in Russia, was approached by SCL Group (Cambridge Analytica's parent) in 2014 to provide datasets for political-campaign psychographic modeling. He developed "This Is Your Digital Life" as a vehicle for collecting the necessary data. Facebook approved the app for the Friends API access that the collection required. Kogan paid users $1-$2 each to take the personality quiz and consent to data collection. Approximately 270,000 individuals participated; through the Friends API, the app collected data on approximately 87 million people.

Kogan transferred the dataset to Cambridge Analytica in mid-2014 in exchange for payment of approximately $800,000. The transfer violated Facebook's platform terms, which permitted apps to collect user data for the app's own purposes but prohibited transfer to third parties for monetization or other uses outside the user's understanding. Cambridge Analytica had been founded in 2013 by SCL Group with funding from Robert Mercer and strategic direction from Steve Bannon, and was at that time scaling its political-campaign psychographic targeting capability for U.S. operations.

Facebook's response timeline

Facebook learned of the Kogan-Cambridge Analytica data transfer in December 2015 through reporting in The Guardian. Facebook demanded that Cambridge Analytica certify deletion of the data and that Kogan certify deletion of his copy. Facebook did not effectively verify the deletions, did not notify the approximately 87 million affected users, and did not disclose the incident publicly. Wylie's March 2018 disclosures revealed that Cambridge Analytica had retained at least some of the data and had used it operationally in the intervening years.

The public disclosures triggered Mark Zuckerberg's testimony before the U.S. Senate Commerce and Judiciary Committees and the House Energy and Commerce Committee in April 2018. The European Parliament held parallel hearings. The U.K. Parliament Digital, Culture, Media and Sport Committee published an exhaustive report on disinformation and fake news with Cambridge Analytica as a central case study. Cambridge Analytica entered administration in the U.K. and filed for Chapter 7 bankruptcy in the U.S. in May 2018. The FTC opened the investigation that culminated in the July 2019 $5 billion settlement.

The technical mechanism was not a vulnerability or breach in the traditional sense. Facebook's Friends API — formally part of the Open Graph API v1 — operated from 2007 through 2015 and allowed installed apps to collect data not just about the user who installed the app but about all of that user's Facebook friends. Names, locations, "likes," birthday, education, work history, religious views, political views, relationship status, and other profile data were available depending on what permissions the installing user granted and what the user's friends had set as visible to friends.

The Open Graph v1 permissions architecture

The Open Graph v1 permissions model was a foundational architectural decision with consequences that took years to fully manifest. Apps could request granular permissions at install time: user_likes, user_friends, friends_likes, friends_education_history, friends_relationships, friends_religion_politics, read_stream (which allowed reading the user's News Feed), and read_mailbox (which allowed reading the user's Facebook messages), among many others. The friends_* permissions were the most consequential: they allowed apps to collect data on people who had never installed the app and had no opportunity to consent.

The privacy-economic logic of this architecture was that users' privacy settings determined what their friends' apps could see. A user who had set "likes" to "Friends Only" would have those likes shared with apps installed by any of their friends. The architecture treated app installation as transitive consent: by accepting an app's permissions, the installing user implicitly consented to expose their friends' data to that app, on the theory that the installing user was acting as a delegate for what their friends would consent to. The architecture had no mechanism for friends to be notified, no mechanism for them to opt out, and no mechanism for them to learn which apps had collected their data.

The v1-to-v2 migration

Facebook introduced Open Graph API v2 at the f8 developer conference on April 30, 2014. The v2 release removed the friends_* permissions and restricted apps to data about users who had installed the app. Apps using v1 had a one-year migration window — through April 30, 2015 — during which they could continue to use the friends_* permissions. Kogan's "This Is Your Digital Life" was approved and active during this window, which is why the collection was technically compliant with Facebook's platform terms at the moment of data extraction. The platform-terms violation was the subsequent transfer to Cambridge Analytica.

The one-year migration window is a critical operational detail. Facebook had recognized by 2014 that the friends_* permissions created systemic privacy risk; it nonetheless permitted continued collection during the migration. The data collected during that window persisted indefinitely in the apps' control unless the apps voluntarily deleted it. Facebook's December 2015 demand that Kogan certify deletion was an attempt to address this gap through contractual mechanisms; the failure to verify the deletion is the operational failure on which the FTC's enforcement action ultimately rested.

The Six4Three discovery cache

The Six4Three v. Facebook litigation, ongoing in California state court from 2015 onward over a wholly different developer-platform dispute, produced a discovery cache of internal Facebook communications that — when disclosed by U.K. Parliament's DCMS Committee in December 2018 — substantially deepened public understanding of Facebook's internal awareness of Friends API risks before 2014. The disclosed documents indicated that Facebook executives had internal discussions about the data-exposure risks of the Friends API and had considered restricting it earlier than 2014, and that the timing of the v1-to-v2 migration reflected competitive and commercial considerations as well as privacy concerns. The Six4Three documents are part of the documentary record on which subsequent regulatory and academic analysis of the case has relied.

The psychographic-profiling layer

Cambridge Analytica's contribution to the operation was not the data collection — that was Kogan's — but the analytical layer built on top of the data. The Psychometrics Centre at the University of Cambridge had published research starting in 2012 demonstrating that Facebook "likes" could be used to predict personality traits along the OCEAN dimensions with accuracy approaching that of human acquaintances and, in some dimensions, spouses. Cambridge Analytica licensed this approach (through Kogan, who had collaborated with the Psychometrics Centre) and operationalized it: the firm took the Facebook data, computed OCEAN predictions for each profile, joined those predictions to commercial consumer data (purchase history, voter registration, demographic data), and produced targeted persuasion content tailored to each predicted personality profile.

The empirical effectiveness of the psychographic-targeting layer remains disputed in the academic literature. Multiple studies have concluded that the persuasion effects of psychographic targeting are smaller than Cambridge Analytica's own marketing materials suggested. The regulatory and political significance of the case nonetheless does not turn on the effectiveness of the targeting; it turns on the fact that the targeting was attempted, that users had no opportunity to consent to or refuse it, and that Facebook's platform had enabled the collection that made it possible.

The detection and notification failure

The detection failure is the operational core of the FTC's enforcement action. Facebook's December 2015 awareness of the Kogan-Cambridge Analytica transfer did not lead to (1) public disclosure to affected users, (2) public regulatory notification, (3) verification of the certified deletion through technical means, or (4) audit of other developers who had accessed the Friends API for similar policy violations. The FTC's 2019 enforcement action treated each of these failures as a continuing violation of the 2011 FTC consent order requiring Facebook to obtain user consent for privacy-impacting changes and to submit to ongoing privacy assessments. The four-year gap between Facebook's December 2015 awareness and Wylie's March 2018 public disclosures is the period during which the violations accumulated.

The Cambridge Analytica case is foundational for private equity diligence on consumer platforms, social applications, marketing technology, advertising technology, data brokers, and any business with developer ecosystems or third-party data integrations. The case surfaced diligence dimensions — platform policy enforcement, API access governance, third-party data flow monitoring, user-consent architecture, and regulatory consent-order history — that are now standard considerations for technology and consumer-facing targets in privacy-sensitive jurisdictions.

API security and third-party integration diligence

Pre-Cambridge Analytica, API security in PE diligence was treated primarily as an application security concern: vulnerability scanning, authentication review, rate-limiting review. Post-Cambridge Analytica, API security diligence has expanded to include the governance dimension: which third parties have API access, what data they can access, what their contractual restrictions are, how their compliance with those restrictions is monitored, and what audit trails exist for actual access. For targets with developer ecosystems or B2B API products, the diligence question is no longer just "is the API secure" but "how does the target verify that the parties accessing the API are doing so in accordance with the terms they agreed to."

For targets that operate as data processors or data brokers — companies whose business model includes selling, sharing, or facilitating third-party access to user data — the diligence scope extends to the entire downstream chain of recipients. The Kogan-to-Cambridge Analytica transfer is the prototype: the target's direct customer may comply with terms, but a customer of that customer may not, and the target's regulatory exposure under FTC and GDPR enforcement standards extends down the chain. Standard practice for sophisticated technology M&A now includes review of downstream data-flow contracts and, where possible, audit rights for the buyer to verify post-closing compliance.

The FTC consent-order workstream

For acquirers of consumer platforms, social applications, or any company with FTC enforcement history, diligence on existing FTC consent orders is now a discrete workstream. The diligence questions are: does the target have an active FTC consent order; what does the order require; is the target in compliance; what is the cost of compliance; what is the residual exposure of any pending FTC inquiry; and what is the effect of the proposed transaction on the order (assignment, modification, termination, or new obligations).

The Facebook 2011 consent order's 20-year duration is a significant operational detail. Companies with FTC consent orders may carry those orders for time horizons that exceed typical PE hold periods. Acquirers may inherit the obligation and the enforcement risk; the obligation does not extinguish with the change of ownership. Standard practice now includes specific FTC consent-order representations in M&A agreements, indemnification structures sized against the consent order's penalty exposure, and post-closing audit committee oversight of consent-order compliance.

GDPR and DPA enforcement exposure

For targets operating in or marketing to the European Union, the United Kingdom, or other GDPR-adjacent jurisdictions, diligence must include review of the target's GDPR compliance posture, prior DPA inquiries and enforcement actions, the adequacy of the target's data protection impact assessments, the existence and competency of the Data Protection Officer function, and the structure of cross-border data transfer mechanisms (Standard Contractual Clauses, adequacy decisions, Binding Corporate Rules). GDPR Article 83 permits administrative fines up to 4% of global annual turnover or €20 million, whichever is greater, for serious violations. For consumer platforms with substantial EU operations, this exposure category alone can rival or exceed the deal value in extreme cases.

State privacy law patchwork and the compliance-by-jurisdiction model

The state-by-state privacy law cascade that followed Cambridge Analytica — CCPA, CPRA, Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA, and successors across nearly twenty additional states — creates a compliance environment in which targets must operate to the highest-enforcement standard rather than to federal-level expectations. Diligence must therefore include review of the target's jurisdictional analysis: which state laws apply, how the target's compliance program addresses each, and what residual non-compliance risk exists. The diligence is materially complicated by the fact that the laws are not harmonized and that state Attorneys General have begun active enforcement that varies substantially in posture.

The July 2024 Texas Attorney General settlement with Meta — $1.4 billion for biometric privacy violations under Texas state law — established state AGs as substantive privacy enforcement actors. For targets with biometric data processing, geolocation data, or other categories that state laws specifically address, diligence must include review of state-specific exposure that may not appear in standard federal-level privacy reviews.

The board-level privacy oversight inheritance

For acquirers planning to maintain target operations under existing FTC consent orders or settlements that include board-level privacy oversight requirements (the Facebook Independent Privacy Committee being the prototype), diligence must confirm that the target's board governance structures meet the order's requirements and that the post-closing governance structure will continue to meet them. PE acquirers that intend to take controlled positions with majority board representation must specifically evaluate whether their planned board composition satisfies the independent-director standards the consent order may impose. The structural question can affect the deal's governance plan in ways that affect sponsor return profiles.

Cyber insurance, privacy-specific coverage, and post-CA underwriting

The cyber and privacy insurance markets evolved substantially after Cambridge Analytica to address consent-failure scenarios distinctly from technical-breach scenarios. Standard cyber policies pre-2018 typically excluded consent-failure scenarios or treated them as ambiguous coverage. Post-CA underwriting has produced policy structures that explicitly address regulatory penalties under privacy regimes (FTC, FCC, state AGs, GDPR DPAs), class action settlements for privacy violations, and the costs of regulatory consent-order compliance. For targets in privacy-sensitive sectors, diligence must include review of policy adequacy under post-CA underwriting standards and the adequacy of sublimits for regulatory penalty exposure.

The IPO-readiness implications

For PE sponsors planning IPO exits of consumer platforms, marketing technology, advertising technology, or data-related businesses, the post-CA regulatory environment substantially affects S-1 risk-factor disclosure, the substance of the company's privacy program at the time of registration, and the post-IPO compliance infrastructure. The SEC's 2023 Cybersecurity Disclosure Rules formalized expectations for cybersecurity disclosure; the parallel evolution in privacy-disclosure expectations has been less formal but no less real. Sophisticated underwriters and prospective public-market investors now ask about FTC consent-order history, GDPR DPA enforcement posture, state AG settlements, and the company's privacy-program maturity in ways that the post-CA environment specifically informs. Building this infrastructure during the S-1 process is too late; the audit-committee-level privacy oversight, the independent privacy assessments, and the documented compliance procedures must be in place well before the IPO process begins.