As part of the investigation against Facebook’s privacy lapses, the FTC announced today that it is suing Cambridge Analytica. The agency has already agreed to a settlement with former Cambridge Analytica CEO Alexander Nix, as well as app developer Aleksandr Kogan.

The Federal Trade Commission described the administrative complaint in a press release. It alleged that Cambridge Analytica and the app developer that worked with the company “employed deceptive tactics to harvest personal information from tens of millions of Facebook users for voter profiling and targeting.”

In particular, an app called GSRApp or “thisisyourdigitallife” took advantage of Facebook’s API to collect personal information without proper consent. The app collected profile data from 250,000 to 270,000 users located in the U.S. In addition to the answers to personality questions, the app collected page likes of those users.

But the app went one step further by collecting likes and personal information from the Facebook friends of those users. That represents 50 million to 65 million people, including at least 30 million people in the U.S.

While Cambridge Analytica, Nix and Kogan took advantage of Facebook’s generous API, they misled users of the app. And that’s what the FTC didn’t like:

Almost half of the app users, however, originally refused to provide their Facebook profile information. To address this issue, the GSRApp began telling app users that it would not ‘download your name or any other identifiable information—we are interested in your demographics and likes.’ The FTC alleges, however, that this was false, and that the GSRApp in fact collected users’ Facebook User ID, which connects individuals to their Facebook profiles, as well as other personal information such as their gender, birthdate, location, and their Facebook friends list.

Cambridge Analytica then allegedly used this data to generate personality scores and launch targeted advertising campaigns according to voter profiling.

Finally, according to the FTC, Cambridge Analytica complied with the EU-U.S. Privacy Shield framework, but the certification lapsed in May 2018. The FTC alleges that Cambridge Analytica failed to protect personal information from EU users after Cambridge Analytica stopped complying with the Privacy Shield.

Cambridge Analytica has filed for bankruptcy and couldn’t settle the FTC’s allegations. But its former CEO as well as the person who developed the malicious app have settled.

Going forward, they can’t make “false or deceptive statements regarding the extent to which they collect, use, share, or sell personal information, as well as the purposes for which they collect, use, share, or sell such information.”

And, of course, they have to delete all personal information they have collected through the GSRApp and projects related to that data set. The commission vote against Cambridge Analytica and for the settlement was 5-0.

If you want to learn more about Cambridge Analytica, Netflix released a documentary today about the Cambridge Analytica scandal.