FTC charges Twitter with using account security data to sell targeted ads

The U.S. Federal Trade Commission (FTC) is acting against Twitter for deceptively using, for targeted advertising, information it gathered to secure user accounts. Under the proposed order, Twitter must pay a US$150 million penalty and is banned from profiting from the deceptively collected data. In addition, it must satisfy a number of other conditions.

According to the complaint filed by the U.S. Department of Justice on behalf of the FTC, Twitter began asking users for either a phone number or email address in 2013 as a way to improve account security. The information would be used for two-factor authentication, as well as to help users reset passwords or recover accounts that may have been locked for suspicious activity. However, the FTC alleged that the company neglected to tell the more than 140 million users who provided the information between 2014 and 2019 that it would also be used for targeted advertising.

The FTC complaint alleged that Twitter used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers. This also violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which required participating companies to follow certain privacy principles in order to legally transfer data from EU countries and Switzerland, as well as violating the FTC Act and a 2011 Commission order stemming from charges that Twitter had failed to protect consumers’ personal information.

In addition to the $150 million penalty, other provisions of the proposed order, submitted to the court for approval, would:

  • prohibit Twitter from profiting from deceptively collected data;
  • allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
  • notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;
  • implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
  • limit employee access to users’ personal data; and
  • notify the FTC if the company experiences a data breach.


Lynn Greiner
Lynn Greiner has been interpreting tech for businesses for over 20 years and has worked in the industry as well as writing about it, giving her a unique perspective into the issues companies face. She has both IT credentials and a business degree.
