• by Wendy Davis  @wendyndavis, December 19, 2018

Washington, D.C. Attorney General Karl Racine sued Facebook Wednesday over allegations that the company wrongly allowed outside developers, including Cambridge Analytica, to harvest data about users.

Facebook's “lax oversight” allowed the defunct Cambridge Analytica -- President Trump's former data consultancy -- to collect information about tens of millions of the social networking service's users, including more than 340,000 D.C. residents, the lawsuit alleges.

“Facebook collects and maintains a trove of its customers' personal data, as well as data regarding consumers' digital behavior on and off the Facebook website,” Racine alleges in a complaint filed in D.C. Superior Court. “Facebook's consumers reasonably expect that Facebook will take appropriate steps to maintain and protect their data.”

The lawsuit claims that Facebook violated a D.C. consumer protection law by failing to notify users that their data could be shared without their knowledge or “affirmative consent.”

Earlier this year, reports emerged that Cambridge Analytica purchased the personal data of up to 87 million Facebook users from Alexsandr Kogan, a professor who collected the information in 2014 via his personality quiz app "thisisyourdigitallife." That app was downloaded by 270,000 Facebook users, but Kogan was able to gather information about millions of those users' friends.

In April of 2015, Facebook stopped allowing developers to access data about users' friends. But in 2014, when Kogan's app scraped the data, Facebook allowed developers to glean information about users' friends, subject to their privacy settings.

Facebook's terms of service prohibited developers like Kogan from sharing that information.

But according to Racine, Facebook didn't do enough to enforce that restriction. “Facebook could have prevented third parties from misusing its consumers' data had it implemented and maintained reasonable oversight of third-party applications consistent with its representations in its public statements, terms of service, and policies,” the lawsuit states.

Even after learning of the data transfers to Cambridge Analytica, Facebook failed to remedy the situation, the complaint alleges.

“Facebook did not ban, suspend, or limit the privileges of Kogan, Cambridge Analytica, or any of their affiliates,” the lawsuit reads. “Facebook simply requested that Kogan and Cambridge Analytica delete all data that they received through the Facebook platform, and accepted their word that they had done so.”

Racine also faults Facebook for waiting until this year to notify users about the data harvesting.

“A disclosure that Facebook consumers' data had been sold to a political consulting firm and was being used to target political advertising for the 2016 election would have influenced Facebook consumers in D.C. to, among other things, share less information on the Facebook website or deactivate their Facebook accounts,” the lawsuit alleges. “Facebook instead profited from Kogan's and Cambridge Analytica's misuse of this stolen consumer data by selling millions of dollars of advertising space to Cambridge Analytica and presidential candidate campaigns during the 2016 election.”

A Facebook spokesperson says the company is reviewing the complaint and will continue talks with attorneys general "in D.C. and elsewhere."