In a blog post on Friday, Facebook announced that it had suspended the firm over allegations that it kept the improperly obtained user data after telling Facebook it had been deleted.
Facebook explained in the post that Cambridge Analytica had years ago received user data from a Facebook app that purported to be a psychological research tool, though the firm was not authorized to have the information. Roughly 270,000 people downloaded and shared personal details with the app.
Cambridge Analytica later certified in 2015 that it had destroyed the information it had received, according to Facebook, although the social network said it received reports "several days ago" that not all the data was deleted. Facebook says it is investigating.
The social media company has also suspended Cambridge Analytica's parent company, Strategic Communication Laboratories; University of Cambridge psychology professor Aleksandr Kogan, the academic who created the app in question; and Christopher Wylie, the whistleblower and former Cambridge Analytica employee.
In a statement, Cambridge Analytica denied wrongdoing. It said the parent company's SCL Elections unit hired Kogan to undertake "a large scale research project in the U.S.," but subsequently deleted all data it received from Kogan's company after learning that Kogan had obtained data in violation of Facebook policies. The firm said none of Kogan's data was used in its 2016 election work for the "avoidance of doubt."
According to one tech law expert, it's no surprise that the data firm was able to harvest the Facebook profile data.
"This was not a security protocol breach," said Eric Goldman, a Santa Clara University law professor and director of the law school's High Tech Law Institute. "When Facebook gave permission to the app to collect the data from consumers, there were not technical barriers that restricted how the app might be able to use or transfer that data."
Goldman says the only thing protecting the data was a contract, and it's not surprising that some app developers would disregard their promises and transfer the data to third parties.
"It's entirely foreseeable that some of the app developers would ignore the contract restrictions that Facebook thought were protecting the consumer data," Goldman said.
And Goldman says this free movement of consumer data is fairly unique to Facebook.
"They are so open with so much consumer data to app developers," he said. "Many other sites have the richness of data that Facebook has and do a tighter control of their app developers than Facebook has historically done."
Goldman says it's unclear how much legal risk Cambridge Analytica faces over the data harvesting.
"There is certainly some risk of liability on the part of the app developer disregarding the promise that it made to Facebook," Goldman told KQED.
But he said it's less clear whether those legal risks extend to the buyers of the data -- in this case, Cambridge Analytica.
"Of course the real question is," Goldman said, "should Facebook have been more attentive to this issue up front?"