On May 25, 2022, the Federal Trade Commission (FTC) announced a $150 million civil penalty against Twitter Inc. for violating a previous FTC consent order by allegedly deceiving its users about how the company would use their nonpublic contact information, like telephone numbers and email addresses, despite having a disclosure in its privacy policy. The FTC announcement demonstrates that including an explicit notice of ancillary uses of customer personal data in a privacy policy is not a cure-all.
According to the underlying complaint filed by the Department of Justice on behalf of the FTC, Twitter misrepresented to its users “the extent to which it maintained and protected the security and privacy of their nonpublic contact information.” In pop-up message prompts, Twitter recommended that users add their phone numbers and email addresses to secure and safeguard their accounts—it made no mention of targeted advertising at the time of the request and collection.
Although Twitter’s privacy policy articulated that the information would be used for other purposes, including targeted marketing, according to the complaint, “Twitter did not disclose, or did not disclose adequately, that it used these telephone numbers and email addresses to target advertisements to those users.” This alleged “digital bait-and-switch” will now cost Twitter $150 million, along with a host of other repercussions and significant new compliance measures.
This hefty penalty originally stems from a 2010 FTC complaint against Twitter and a violation of the 2011 consent order to resolve that complaint. The earlier case brought by the FTC charged Twitter with improperly safeguarding users’ privacy, ultimately resulting in multiple instances of unauthorized access of users’ personal information. In settling the prior enforcement action, Twitter agreed to an FTC consent order, the violation of which would subject it to substantial civil penalties, for instance if it misrepresented in “any manner, expressly or by implication, the extent to which [it] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.”
This negotiated civil penalty arose because, in the FTC’s view, Twitter did just that. According to this new complaint, Twitter began asking its users in 2013 to voluntarily provide either a phone number or email address to improve account security, assist with account recovery, and as part of two-factor authentication. (Two-factor authentication provides an extra layer of security by requiring a separate form of identification to access an account—for instance, by sending a code to either a phone number or email address before allowing a user to log in.)
Although Twitter did utilize users’ contact information for these stated security purposes, it simultaneously provided the information to advertisers to target specific ads to specific consumers by matching telephone numbers and email addresses to the advertisers’ lists of contact information. According to the FTC, Twitter’s misrepresentations impacted more than 140 million users who provided their contact information to the company between 2013 and 2019.
It is important to note that Twitter’s privacy policy expressly stated that users’ phone numbers and email addresses would be used for targeted advertising. But that was not enough for the FTC. The accompanying Tech@FTC Blog post explains that “[g]eneric, broad claims buried in a lengthy document do not override more specific, just-in-time statements made to consumers specifically in the context of when they are providing their information.… If a company says at the point of collection that consumers’ information will be used for a particular purpose, consumers should be able to rely on that promise.”
In addition to the $150 million civil penalty that Twitter must pay, the order imposes the following requirements on the company:
- Cease using any illegally collected contact information for any further targeted marketing.
- Notify its users of the FTC enforcement action and the company’s improper use of users’ personal information, and explain how they can turn off targeted advertising.
- Provide multi-factor authentication methods that do not require a user to provide a phone number.
- Comply with stricter privacy and security programs and reporting requirements, including obtaining assessments from independent third parties approved by the FTC.
To avoid future FTC liability, companies will need to ensure that there is no mismatch between the uses of their personal data collection and their disclosure of such uses to consumers and that any ancillary uses of data be disclosed as prominently—disclosures in privacy policies will not be sufficient. Companies subject to existing FTC enforcement orders—all of which contain substantial penalties for violations—must also remain particularly vigilant to ensure they remain in compliance with both the text and spirit of those orders or risk paying a significant price.