The U.S. Federal Trade Commission (FTC) is acting against Twitter for deceptively using, for targeted advertising, information it gathered to ensure user account security. Under the proposed order, Twitter must pay a US$150 million penalty and is banned from profiting from the deceptively collected data. In addition, it must satisfy a number of other conditions.
According to the complaint filed by the U.S. Department of Justice on behalf of the FTC, Twitter began asking users for either a phone number or email address in 2013 as a way to improve account security. The information would be used for two-factor authentication, as well as helping users reset passwords or recover accounts that may have been locked for suspicious activity. However, the FTC alleged that the company neglected to tell the more than 140 million users who provided the information between 2014 and 2019 that it would also be used for targeted advertising.
The FTC complaint alleged that Twitter used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers. This also violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which required participating companies to follow certain privacy principles in order to legally transfer data from EU countries and Switzerland, as well as violating the FTC Act and a 2011 Commission order stemming from charges that Twitter had failed to protect consumers’ personal information.
In addition to the $150 million penalty, other provisions of the proposed order, submitted to the court for approval, would:
- prohibit Twitter from profiting from deceptively collected data;
- allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
- notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;
- implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
- limit employee access to users’ personal data; and
- notify the FTC if the company experiences a data breach.