Twitter Fined $150M for Violating User Privacy

Twitter
(Image credit: Twitter)

 WASHINGTON, D.C.—The Federal Trade Commission has fined Twitter for deceptively using account security data for targeted advertising and for violating a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices. Under the proposed order, Twitter must pay a $150 million penalty and is banned from profiting from its deceptively collected data.

The FTC reported that Twitter asked users to give their phone numbers and email addresses to protect their accounts. Then, Twitter profited by allowing advertisers to use this data to target specific users. 

Under the proposed settlement, which must be approved by a federal court, Twitter did not admit wrongdoing but agreed to pay the fine and address a variety of problems with the way they handled user data. 

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," said FTC Chair Lina M. Khan. "This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

According to a complaint filed by the Department of Justice on behalf of the FTC, Twitter in 2013 began asking users to provide either a phone number or email address to improve account security. 

From 2014 to 2019, more than 140 million Twitter users provided their phone numbers or email addresses after the company told them this information would help secure their accounts, according to the complaint. 

Twitter, however, failed to mention that it also would be used for targeted advertising, the FTC alleged. Twitter used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers, according to the FTC complaint.

Twitter’s deceptive use of users’ phone numbers and email addresses for targeted advertising also violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which required participating companies to follow certain privacy principles in order to legally transfer data from EU countries and Switzerland, the FTC said. 

The Commission alleged that Twitter’s deceptive use of user email addresses and phone numbers violated the FTC Act and the 2011 Commission order, which stemmed from FTC allegations that the company deceived consumers and put their privacy at risk by failing to safeguard their personal information, resulting in two data breaches. The previous order prohibited Twitter from misrepresenting the extent to which the company maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, the FTC said. 

“The Department of Justice is committed to protecting the privacy of consumers’ sensitive data,” said Associate Attorney General Vanita Gupta. “The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.” 

“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”

In addition to the $150 million penalty, other provisions of the proposed order would:

  • Prohibit Twitter from profiting from deceptively collected data;
  • Allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
  • Notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;
  • Implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
  • Limit employee access to users’ personal data; and
  • Notify the FTC if the company experiences a data breach.

The Commission voted 4 to 0 to refer the complaint and stipulated final order to the Department of Justice for filing. 

DOJ filed the complaint and stipulated final order in the District Court of Northern California, San Francisco Division. 

In a statement Damien Kieran, Twitter’s chief privacy officer said that “on May 25, 2022, Twitter reached a settlement with the Federal Trade Commission (FTC) regarding a privacy incident disclosed in 2019 when some email addresses and phone numbers provided for account security purposes may have been inadvertently used for advertising. This issue was addressed as of September 17, 2019, and today we want to reiterate the work we’ll continue to do to protect the privacy and security of the people who use Twitter.”

“Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way,” he continued. “In reaching this settlement, we have paid a $150M USD penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected.”

Elon Musk, who has proposed acquiring Twitter has not as yet responded to the complaint and the proposed settlement. 

George Winslow

George Winslow is the senior content producer for TV Tech. He has written about the television, media and technology industries for nearly 30 years for such publications as Broadcasting & Cable, Multichannel News and TV Tech. Over the years, he has edited a number of magazines, including Multichannel News International and World Screen, and moderated panels at such major industry events as NAB and MIP TV. He has published two books and dozens of encyclopedia articles on such subjects as the media, New York City history and economics.