Cambridge Analytica Explained: What Really Happened to Millions of Britons' Personal Data
In 2018, a name that had previously been known only within political consulting circles became synonymous with one of the most alarming data privacy scandals the world had ever seen. Cambridge Analytica, a British political data firm, was revealed to have harvested the personal information of up to 87 million Facebook users globally — without their meaningful consent — and used that data to build psychological profiles intended to influence political behaviour.
For UK citizens, this was not merely a distant American story. British data, British voters, and a British-registered company sat at the heart of the scandal. Understanding what happened, why it mattered, and what changed as a result remains critically important for anyone seeking to understand their rights in the digital age.
What Was Cambridge Analytica?
Cambridge Analytica was a data analytics and political consulting firm incorporated in the United Kingdom. It was a subsidiary of the SCL Group, a private British behavioural research and strategic communications company with roots in military and government contracting.
The firm offered its services to political campaigns, presenting itself as capable of using data science and psychological profiling to target voters with tailored messaging. It worked on a number of high-profile campaigns, most notably the 2016 US presidential campaign of Donald Trump and, controversially, campaigns connected to the Brexit referendum.
How Was the Data Obtained?
The mechanism through which Cambridge Analytica obtained its data was both technically legal at the time and deeply deceptive in practice.
A Cambridge University academic named Aleksandr Kogan developed a Facebook application called 'This Is Your Digital Life', presented as a personality quiz. Approximately 270,000 Facebook users consented to take the quiz and agreed to share their data with the app. However, Facebook's platform rules at the time — since changed — allowed apps to collect not only the data of the user who installed them, but also the data of all of that user's Facebook friends, without those friends' knowledge or consent.
Through this mechanism, data from an estimated 87 million Facebook accounts was harvested globally. Kogan subsequently shared this data with Cambridge Analytica, which was a direct violation of Facebook's own policies, though the platform had done little to enforce them.
The data collected included profile information, likes, location data, and other personal details that Cambridge Analytica used to build psychographic models — essentially, psychological portraits — of individual users, categorising them by personality traits and political susceptibility.
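The consent rule described above, modelled as an authorisation check. This is an added example, not code from the original article or from Facebook; the account names, the app name quiz_app, the field names and the friend_delegation switch are constructed for illustration. It compares the legacy friend-delegated rule with per-subject consent and reports which accounts become readable without a grant of their own.

```python
# Constructed sample data: a tiny friendship graph (symmetric) and one
# quiz installer. None of these names come from the real platform.
FRIENDS = {
    "alice": {"bob", "carol", "dave"},
    "bob": {"alice", "erin"},
    "carol": {"alice"},
    "dave": {"alice"},
    "erin": {"bob"},
}
# Consent records: (account, app) -> fields that account agreed to share.
GRANTS = {("alice", "quiz_app"): {"profile", "likes", "location"}}


def may_read(app, subject, field, friend_delegation):
    """Decide whether `app` may read `field` of `subject`.

    friend_delegation=True models the legacy rule: a grant from any friend
    of the subject also covers the subject's data.
    friend_delegation=False requires the subject's own grant.
    """
    if field in GRANTS.get((subject, app), set()):
        return True
    if friend_delegation:
        return any(field in GRANTS.get((friend, app), set())
                   for friend in FRIENDS.get(subject, set()))
    return False


def exposure_report(app, field, friend_delegation):
    """Split readable accounts into those who consented and those who did not."""
    consented, unconsented = set(), set()
    for subject in FRIENDS:
        if may_read(app, subject, field, friend_delegation):
            own_grant = field in GRANTS.get((subject, app), set())
            (consented if own_grant else unconsented).add(subject)
    return consented, unconsented


if __name__ == "__main__":
    for mode in (True, False):
        ok, exposed = exposure_report("quiz_app", "likes", mode)
        print(f"friend_delegation={mode}: consented={sorted(ok)} "
              f"without_consent={sorted(exposed)}")
```

With one installer, the legacy rule makes three further accounts readable; requiring the data subject's own grant reduces that set to zero.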
Why Did This Matter for British Citizens?
While much of the media coverage centred on the United States, the implications for the United Kingdom were substantial.
First, Cambridge Analytica was a British company, meaning UK regulatory bodies — principally the Information Commissioner's Office (ICO) — had direct jurisdiction to investigate. The ICO conducted one of the largest and most complex investigations in its history as a result of the scandal.
Second, allegations emerged that data analytics techniques and the broader ecosystem of political micro-targeting had been used in connection with the 2016 EU referendum. While no definitive finding established that Cambridge Analytica directly influenced the Brexit vote, the investigation raised serious and unresolved questions about the use of data in British democratic processes.
Third, and most fundamentally, the scandal exposed how casually personal data was being treated by major technology platforms, and how ill-equipped existing data protection frameworks were to address the scale of the problem.
What Did the Investigations Find?
In the United Kingdom, the ICO's investigation resulted in a £500,000 fine issued to Facebook in 2018 — the maximum penalty available under the then-applicable Data Protection Act 1998. The ICO noted that Facebook had failed to safeguard users' information and had failed to be transparent about how data could be harvested by third-party developers.
Cambridge Analytica itself was fined £15,000 by the ICO for failing to respond to a subject access request — though by the time the investigation concluded, the company had entered insolvency proceedings and ceased operations in May 2018.
In the United States, Facebook reached a $5 billion settlement with the Federal Trade Commission, the largest privacy-related fine in that regulator's history at the time.
Critically, the ICO's broader investigation into the use of data analytics in political campaigning — published in its 'Democracy Disrupted' report — found systemic weaknesses in how political parties and campaign organisations handled personal data, with recommendations that many argued were insufficiently acted upon.
What Changed After the Scandal?
The Cambridge Analytica affair accelerated several significant regulatory and legislative developments.
The General Data Protection Regulation (GDPR), which came into force across the European Union in May 2018 — and was incorporated into UK law as the UK GDPR following Brexit — introduced substantially stronger requirements around consent, data minimisation, and transparency. Under these rules, the kind of opaque data sharing that enabled the Cambridge Analytica harvest would face far more serious legal consequences.
Facebook and other major platforms overhauled their developer policies, significantly restricting the ability of third-party applications to access friends' data without explicit, individual consent.
Public awareness of data rights increased markedly. The number of subject access requests submitted to organisations across the UK rose substantially in the years following the scandal, as individuals became more conscious of the data held about them.
What Can You Do to Protect Your Personal Data Today?
Whilst the regulatory landscape has improved since 2018, the responsibility for protecting personal data does not rest solely with governments and corporations. There are practical steps every UK resident can take.
Review app permissions regularly. On both Facebook and other platforms, audit which third-party applications have access to your account and revoke permissions for any you no longer use or recognise.
Exercise your data rights. Under the UK GDPR, you have the right to request a copy of the personal data any organisation holds about you, to have inaccurate data corrected, and in certain circumstances to have your data erased. These rights are enforceable.
Be cautious with personality quizzes and data-harvesting applications. The mechanism used in the Cambridge Analytica case — an innocuous-looking quiz designed to extract data — remains a common technique. Treat any application requesting access to your social media account with appropriate scepticism.
Report concerns to the ICO. If you believe an organisation has misused your personal data, you have the right to complain to the Information Commissioner's Office at ico.org.uk. The ICO has the power to investigate and impose substantial fines.
A Scandal That Should Not Be Forgotten
The Cambridge Analytica scandal was not simply a story about one rogue company. It was a revealing moment that exposed the fragility of digital privacy, the inadequacy of self-regulation by technology platforms, and the vulnerability of democratic processes to data-driven manipulation.
For British citizens, it demonstrated that data protection is not a technical abstraction but a matter of genuine civic importance. The right to control your personal information is inseparable from the right to participate freely and fairly in public life.
Understanding what happened — and remaining vigilant about how your data is used today — is among the most practical things any informed citizen can do.