According to the underlying complaint filed by the Department of Justice on behalf of the FTC, Twitter misrepresented to its users “the extent to which it maintained and protected the security and privacy of their nonpublic contact information.” In pop-up message prompts, Twitter recommended that users add their phone numbers and email addresses to secure and safeguard their accounts—it made no mention of targeted advertising at the time of the request and collection.
This hefty penalty originally stems from a 2010 FTC complaint against Twitter and a violation of the 2011 consent order to resolve that complaint. The earlier case brought by the FTC charged Twitter with improperly safeguarding users’ privacy, ultimately resulting in multiple instances of unauthorized access of users’ personal information. In settling the prior enforcement action, Twitter agreed to an FTC consent order, the violation of which would subject it to substantial civil penalties, for instance if it misrepresented in “any manner, expressly or by implication, the extent to which [it] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.”
This negotiated civil penalty arose because, in the FTC’s view, Twitter did just that. According to this new complaint, Twitter began asking its users in 2013 to voluntarily provide either a phone number or email address to improve account security, assist with account recovery, and as part of two-factor authentication. (Two-factor authentication provides an extra layer of security by requiring a separate form of identification to access an account—for instance, by sending a code to either a phone number or email address before allowing a user to log in.)
Although Twitter did use users’ contact information for these stated security purposes, it simultaneously provided the information to advertisers, who targeted specific ads to specific consumers by matching the telephone numbers and email addresses against their own contact lists. According to the FTC, Twitter’s misrepresentations affected more than 140 million users who provided their contact information to the company between 2013 and 2019.
In addition to the $150 million civil penalty that Twitter must pay, the order imposes the following requirements on the company:
- Cease using any illegally collected contact information for any further targeted marketing.
- Notify its users of the FTC enforcement action and the company’s improper use of users’ personal information, and explain how they can turn off targeted advertising.
- Provide multi-factor authentication methods that do not require a user to provide a phone number.
- Comply with stricter privacy and security programs and reporting requirements, including obtaining assessments from independent third parties approved by the FTC.
To avoid future FTC liability, companies will need to ensure that there is no mismatch between how they actually use the personal data they collect and how they disclose those uses to consumers, and that any ancillary uses of data are disclosed just as prominently as the primary purpose—disclosures buried in privacy policies will not be sufficient. Companies subject to existing FTC enforcement orders—all of which carry substantial penalties for violations—must also remain particularly vigilant to ensure they comply with both the text and the spirit of those orders or risk paying a significant price.