The company had told users it vetted third-party apps, yet made few checks
The attorney general for Washington, D.C. said on Wednesday the U.S. capital city had sued Facebook Inc for allegedly misleading users about how it safeguarded their personal data, in the latest fallout from the Cambridge Analytica scandal.
The world's largest social media company has drawn global scrutiny since disclosing earlier this year that a third-party personality quiz distributed on Facebook gathered profile information on 87 million users worldwide and sold the data to British political consulting firm Cambridge Analytica.
Washington, D.C. Attorney General Karl Racine said Facebook misled users because it had known about the incident for two years before disclosing it. The company had told users it vetted third-party apps, yet made few checks, Racine said.
Facebook said in a statement: "We're reviewing the complaint and look forward to continuing our discussions with attorneys general in DC and elsewhere."
Facebook could be levied a civil penalty of $5,000 per violation of the region's consumer protection law, or potentially close to $1.7 billion, if penalized for each consumer affected. The lawsuit alleges the quiz software had data on 340,000 D.C. residents, though just 852 users had directly engaged with it.
Shares in the company were down 4.7 percent in afternoon trade on Wednesday.
Privacy settings on Facebook to control what friends on the network could see and what data could be accessed by apps were also deceiving, Racine said.
"Facebook's lax oversight and confusing privacy settings put the information of millions of consumers at risk," he told reporters on Wednesday. "In our lawsuit, we're seeking to hold Facebook accountable for jeopardizing and exposing the information" of its customers.
Racine said Facebook had tried to settle the case before he filed the lawsuit, as is typical during investigations of large companies.
He described Facebook's cooperation as "reasonable," but said that a lawsuit was necessary "to expedite change" at the company.
At least six U.S. states have ongoing investigations into Facebook's privacy practices, according to state officials.
In March, a bipartisan coalition of 37 state attorneys wrote to the company, demanding to know more about the Cambridge Analytica data and its possible links to U.S. President Donald Trump's election campaign.
Also in March, the Federal Trade Commission took the unusual step of announcing that it had opened an investigation into whether the company had violated a 2011 consent decree, citing media reports that raise what it called "substantial concerns about the privacy practices of Facebook."
If the FTC finds Facebook violated the decree terms, it has the power to fine it thousands of dollars a day per violation, which could add up to billions of dollars.
State attorneys general from both major U.S. political parties have stepped up their enforcement of privacy laws in recent years, said James Tierney, a lecturer at Harvard Law School and Maine's former attorney general.
Uber Technologies Inc [UBER.UL] in September agreed to pay $148 million as part of a settlement with 50 U.S. states and Washington, D.C., which investigated a data breach that exposed personal data from 57 million Uber accounts.
(Reporting by Lisa Lambert in Washington, D.C. and Paresh Dave in San Francisco; Additional reporting by David Shepardson and Jan Wolfe in Washington, D.C.; Editing by Phil Berlowitz and Rosalba O'Brien)