Federal Trade Commission accuses Twitter of deceptively using account security data to sell targeted ads

FTC and DOJ Order Twitter to Pay $150 Million Fine for Violating 2011 FTC Order

Federal Trade Commission takes action against Twitter, Inc. for misleading use of account security data for targeted advertising. Twitter asked users to give their phone numbers and email addresses to protect their accounts. The company then profited by allowing advertisers to use this data to target specific users. (FTC image)

BREVARD COUNTY, FLORIDA — The Federal Trade Commission is taking action against Twitter, Inc. for deceptively using account security data for targeted advertising. Twitter asked users to give their phone numbers and email addresses to protect their accounts. The company then profited by allowing advertisers to use this data to target specific users.

Twitter’s deception violates a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices. Under the proposed order, Twitter must pay a $150 million fine and be prohibited from profiting from its deceptively collected data.

“As the complaint notes, Twitter obtained user data under the guise of mining it for security purposes, but then ended up also using the data to target users with ads,” the president said. FTC, Lina M. Khan. “This practice has impacted over 140 million Twitter users, while increasing Twitter’s primary source of revenue.”

“As the complaint notes, Twitter obtained user data under the guise of mining it for security purposes, but then ended up also using the data to target users with ads,” the president said. FTC, Lina M. Khan. “This practice has impacted over 140 million Twitter users, while increasing Twitter’s primary source of revenue.” (FTC image)

“The Department of Justice is committed to protecting the privacy of sensitive consumer data,” Associate Attorney General Vanita Gupta said. “The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures that will be imposed as a result of today’s proposed settlement will help prevent further deceptive tactics that threaten users’ privacy. .”

“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” said U.S. Attorney Stephanie M. Hinds of the Northern District of California. “Social media companies that are not honest with consumers about how their personal information is used will be held accountable.”

California-based Twitter derives most of its revenue from advertising on its platform, which allows users ranging from consumers to celebrities to businesses to post 280-character messages or tweets.

According to a complaint filed by the Justice Department on behalf of the FTC, Twitter in 2013 began asking users to provide a phone number or email address to improve account security.

For example, the information was used to reset user passwords and unlock accounts the company might have blocked due to suspicious activity, as well as to enable two-factor authentication. Two-factor authentication provides an additional layer of security by sending a code to a phone number or email address to help users log into Twitter with a username and password.

According to a complaint filed by the Justice Department on behalf of the FTC, Twitter in 2013 began asking users to provide a phone number or email address to improve account security. (Pixel Bay image)

From 2014 to 2019, more than 140 million Twitter users provided their phone numbers or email addresses after the company told them the information would help secure their accounts, according to the complaint. Twitter, however, failed to mention that it would also be used for targeted advertising, according to the FTC.

Twitter used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers, the complaint says. of the FTC.

Twitter’s misleading use of users’ phone numbers and email addresses for targeted advertising also violated the EU-US Privacy Shield and Swiss-US Privacy Shield agreements, which required participating companies to follow certain principles. of privacy in order to lawfully transfer data from EU countries and Switzerland. .

The Commission alleged that Twitter’s misleading use of users’ email addresses and phone numbers violated the FTC Act and the 2011 Commission Order, which stemmed from FTC allegations that the company had deceived consumers and put their privacy at risk by failing to protect their personal information, resulting in two data breaches.

The previous order prohibited Twitter from misrepresenting the extent to which the company maintains and protects the security, privacy, confidentiality or integrity of any nonpublic consumer information.

In addition to the $150 million penalty, other provisions of the proposed order:

prohibit Twitter from profiting from data collected in a deceptive manner;

allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their phone numbers;

notify users that it has misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;

implement and maintain a comprehensive privacy and information security program that requires, among other things, the Company to review and address potential privacy and security risks of new products;

limit employee access to users’ personal data; and

notify the FTC if the company experiences a data breach.

The Commission’s vote to refer the complaint and stipulate the final order to the Department of Justice for filing was 4-0. The DOJ filed the lawsuit and entered a final order in the District Court for Northern California, San Francisco Division. Chair Lina M. Khan and Commissioner Rebecca Kelly Slaughter released a joint statement. Commissioners Noah Joshua Phillips and Christine S. Wilson released a separate joint statement.

Aurora J. William