Washington DC has sued Facebook, slamming the biz for lax oversight, misleading privacy settings and taking two years to 'fess up to mass data harvesting.
The lawsuit, filed in the US capital, comes just days after a damning report from the New York Times that claimed more than 150 firms had special access to users' data, including messages and friends' info, as recently as this year.
"Facebook failed to protect the privacy of its users and deceived them about who had access to their data and how it was used," said District of Columbia Attorney General Karl Racine.
"Facebook put users at risk of manipulation by allowing companies like Cambridge Analytica and other third-party applications to collect personal data without users' permission."
He said the lawsuit, which is seeking an injunction against the firm as well as cash for consumers, penalties, and costs, was "about making Facebook live up to its promise to protect its users' privacy".
The sueball centres on the Facebook user data sucked up by Aleksandr Kogan's app and sold on to Cambridge Analytica to use for political profiling ahead of the 2016 presidential election. More than 340,000 consumers in the district were affected.
The suit alleges that Facebook misled consumers about how their data was used, manipulated them with confusing privacy settings and failed to monitor the apps using its platform, which ultimately led to the misuse of users' data – and that this was entirely avoidable.
"Facebook could have prevented third parties from misusing its consumers' data had it implemented and maintained reasonable oversight of third-party applications consistent with its representations in its public statements, terms of service, and policies."
The complaint (PDF) alleges that Facebook violated the district's consumer protection laws on five counts.
It added that Facebook misrepresented the extent to which it protects consumers' data, and that it failed to properly inform users that their data could be slurped up without their knowledge or affirmative consent.
As well as failing to monitor third-party apps such as Kogan's, when it became clear that data had been improperly passed on to Cambridge Analytica, Facebook failed to tell consumers until newspapers revealed the full extent of the harvesting earlier this year. It also failed to ensure the data was properly deleted.
At the same time, the complaint said, Facebook made it hard for consumers to realise what info apps were slurping up; rather than giving clear controls, the firm "maintained confusing and ambiguous privacy and applications settings" buried on different pages.
A final allegation in the complaint relates to the story that broke earlier this week, that Facebook struck special access deals with some companies, granting them souped-up access to data without needing to jump through the usual hoops by naming them "service providers".
The lawsuit alleges the firm failed to tell consumers that it had granted special permissions to some companies, including mobile providers, that allowed them to "override" privacy settings.
The Office of the Attorney General is seeking an injunction to make sure the social network puts safeguards in place to monitor users' data and makes it easier for users to control their privacy settings. It also wants damages paid to consumers and the district.
It is the first government action taken against the firm, although the Federal Trade Commission opened an investigation into the Cambridge Analytica scandal earlier this year.