The Federal Trade Commission is taking action against Twitter, Inc. for deceptively using account security data for targeted advertising. Twitter asked users to give their phone numbers and email addresses to protect their accounts. The firm then profited by allowing advertisers to use this data to target specific users. Twitter’s deception violates a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices. Under the proposed order, Twitter must pay a $150 million penalty and is banned from profiting from its deceptively collected data.
“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said FTC Chair Lina M. Khan. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
“The Department of Justice is committed to protecting the privacy of consumers’ sensitive data,” said Associate Attorney General Vanita Gupta. “The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.”
“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”
California-based Twitter generates most of its revenue from advertising on its platform, which allows users ranging from consumers to celebrities to corporations to post 280-character messages, or tweets.
According to a complaint filed by the Department of Justice on behalf of the FTC, Twitter in 2013 began asking users to provide either a phone number or email address to improve account security. For example, the information was used to help reset user passwords and unlock accounts the company might have blocked due to suspicious activity, as well as for enabling two-factor authentication. Two-factor authentication provides an extra layer of security by sending a code to either a phone number or email address to help users log into Twitter along with a username and password.
From 2014 to 2019, more than 140 million Twitter users provided their phone numbers or email addresses after the company told them this information would help secure their accounts, according to the complaint. Twitter, however, failed to mention that it also would be used for targeted advertising, the FTC alleged. Twitter used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data the advertisers already had or obtained from data brokers, according to the FTC complaint.
Twitter’s deceptive use of users’ phone numbers and email addresses for targeted advertising also violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which required participating companies to follow certain privacy principles in order to legally transfer data from EU countries and Switzerland.
The Commission alleged that Twitter’s deceptive use of user email addresses and phone numbers violated the FTC Act and the 2011 Commission order, which stemmed from FTC allegations that the company deceived consumers and put their privacy at risk by failing to safeguard their personal information, resulting in two data breaches. The previous order prohibited Twitter from misrepresenting the extent to which the company maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.
In addition to the $150 million penalty, other provisions of the proposed order would:
- prohibit Twitter from profiting from deceptively collected data;
- allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
- notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;
- implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
- limit employee access to users’ personal data; and
- notify the FTC if the company experiences a data breach.
The Commission vote to refer the complaint and stipulated final order to the Department of Justice for filing was 4-0. DOJ filed the complaint and stipulated final order in the District Court of Northern California, San Francisco Division. Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter issued a joint statement. Commissioners Noah Joshua Phillips and Christine S. Wilson issued a separate joint statement.
NOTE: Stipulated final orders have the force of law when approved and signed by the District Court judge.