What happened? The US Federal Trade Commission (FTC) on May 25 imposed a $150 million fine on Twitter and certain other conditions regarding its privacy practices.
What for? “Twitter asked users to give their phone numbers and email addresses to protect their accounts. The firm then profited by allowing advertisers to use this data to target specific users,” the FTC said.
Tell me more: A complaint filed by the Department of Justice on behalf of the FTC alleged that in 2013, Twitter began asking users to provide either a phone number or email address for purposes like enabling two-factor authentication and helping reset passwords. As a result, between 2014 and 2019, more than 140 million Twitter users provided their phone numbers or email addresses. But Twitter did not disclose to users that their numbers would be used not only for security-related purposes but also for targeted advertising. “Twitter used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers,” the FTC said. Twitter had apologised for this practice in 2019, stating that “data may have inadvertently been used for advertising purposes.” Twitter earns nearly 90 percent of its revenue from advertising.
Why is what Twitter did illegal?
- Violates FTC Act and 2011 FTC order: “Twitter’s deceptive use of user email addresses and phone numbers violated the FTC Act and the 2011 Commission order, which stemmed from FTC allegations that the company deceived consumers and put their privacy at risk by failing to safeguard their personal information, resulting in two data breaches. The previous order prohibited Twitter from misrepresenting the extent to which the company maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information,” FTC alleged.
- Violates Privacy Shield agreements: Twitter’s deceptive use of users’ phone numbers and email addresses for targeted advertising violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, both of which required companies to follow certain privacy principles in order to legally transfer data from EU countries and Switzerland, FTC said.
What else, apart from the $150 million fine: In addition to the fine, FTC imposed the following conditions on Twitter:
- Twitter is prohibited from profiting off of deceptively-collected data
- The platform must allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their phone numbers
- Twitter must notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls
- The company must implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products
- Twitter must limit employee access to users’ personal data
- The platform must notify the FTC if it experiences a data breach.
Who said what?
- Twitter’s chief privacy officer Damien Kieran: “Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way. In reaching this settlement, we have paid a $150M USD penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected,” Kieran said in a blog post.
- FTC Chair Lina M. Khan: “As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads. This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
- Associate Attorney General Vanita Gupta: “The Department of Justice is committed to protecting the privacy of consumers’ sensitive data. The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.”
- Twitter’s potential future owner Elon Musk: “If Twitter was not truthful here, what else is not true? This is very concerning news.”