AggregateIQ, a Canadian data company with links to the now-shuttered Cambridge Analytica did not have the correct consent required to conduct advertising campaigns on Facebook for Vote Leave, a pro-Brexit organization, a new report finds.

The director of Vote Leave, Dominic Cummings, who advised the UK Prime Minister Boris Johnson before stepping down ahead of the December 12 election, wrote in 2017 that data science was vital to winning the Brexit referendum and placed 98 percent of its marketing budget on nearly one billion targeted digital ads.

The report, from the Information and Privacy Commissioner for British Columbia and the Privacy Commissioner of Canada, finds that "for most campaigns" AggregateIQ either did not have sufficient consent from Facebook users to target them with ad, or was "unaware of how, or whether" individuals had consented to the use of their personal information. That includes advertising to Facebook users directly or using demographic data collected by Facebook that could be used to locate and target other users similar to them.

AggregateIQ also did not properly secure the data that it misused, the commissioners' report states. A data breach that allowed unauthorized access to an unsecure GitLab repository with "substantial personal information," including encryption keys and login credentials for 35 million people, was put at risk.

The company also used phone numbers to send text messages on behalf of BeLeave, another campaign group connected to Vote Leave, but that campaign was found to have sufficiently gathered the consent of individuals before using their information.

Outside of the UK, the investigation found that AggregateIQ did not properly get consent from Facebook users with regards to the work it did for SCL, a British research and strategic communication company that owned Cambridge Analytica as a subsidiary.

SCL supported a number of US political campaigns, including several in the 2014 midterm elections and a political action committee, creating psychographic profiles from personal information disclosed by Facebook to Cambridge Analytica. However, AggregateIQ "did not attempt to determine whether there was consent it could rely on for its use and disclosure of personal information."

As a result of the report, the commissioners have a number of recommendations for AggregateIQ. These include ensuring there is express consent, rather than implied, from users when gathering data, adopting "reasonable security measures," and deleting the data when it is no longer necessary or legal to retain. AggregateIQ has reportedly agreed to implement these recommendations, and signed an affidavit stating that it has deleted the personal information it gathered.

Gathering and using the personal data of individuals on Facebook for the purposes of election campaigns has remained controversial since the Cambridge Analytica scandal was first reported. Recently, Mark Zuckerberg has come under criticism after stating that users could be microtargeted with false or misleading information in the upcoming US and UK elections because Facebook does not want to fact-check advertisements from politicians.

Further Reading