Twitter To Pay $150 Million Penalty For Privacy Breach

The Federal Trade Commission (FTC) accuses Twitter of deceptively using account security information to sell targeted advertising.

In response to a 2011 FTC order, the FTC and Department of Justice (DOJ) have ordered Twitter to pay $150 million in penalties and cease profiting from the falsely collected information.

The FTC has taken action against Twitter, Inc. for the deceptive use of account security information for targeted advertising. In order to protect user accounts, Twitter asked for users’ phone numbers and email addresses. Afterwards the company charged advertisers for the right to use this data to target specific users.

According to a 2011 FTC order, Twitter cannot misrepresent its privacy and security practices. According to the proposed order, Twitter will be required to pay a $150 million penalty and is not allowed to profit from its deceptively collected data.

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said FTC Chair Lina M. Khan. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

“The Department of Justice is committed to protecting the privacy of consumers’ sensitive data,” said Associate Attorney General Vanita Gupta. “The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.”

“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”

According to the complaint, over 140 million Twitter users provided their phone numbers and email addresses between 2014 and 2019, after the platform told them it would help protect their accounts. According to the FTC, Twitter failed to disclose that its services would be used for targeted advertising. Twitter used the phone numbers and e-mail addresses to allow advertisers to target specific advertisements to specific customers by matching this information with information they already had or obtained from a third party data broker.

In addition to the $150 million penalty, other provisions of the proposed order would:

• Prohibit Twitter from profiting from deceptively collected data;
• Allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
• Notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;
• Implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
• Limit employee access to users’ personal data; and
• Notify the FTC if the company experiences a data breach.