The Federal Trade Commission (FTC) and the Department of Justice (DOJ) have ordered Twitter to pay a $150M penalty for using users' account security data deceptively.
The deception violates an FTC orderfrom 2011, that bars Twitter from "misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers."
This penalty stemmed from a complaintthe DOJ filed on behalf of the FTC against Twitter. From May 2013 to September 2019, Twitter asked users to provide an email address and contact number for security reasons, such as setting up two-factor authentication (2FA); password recovery; and for re-enabling full access to accounts thought to have acting suspiciously.
However, Twitter used it for another purpose: Targeted advertising.
"As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," said Lina M. Khan, chairperson of the FTC, in a press release. "This practice affected more than 140 million Twitter users, while boosting Twitter's primary source of revenue."
On top of Twitter paying the penalty, the FTC has added new provisionsto protect Twitter users in the future.
The company has been told it must notify users about its improper use of their phone numbers and email addresses, tell them about the FTC action, and explain how they can turn off personalized ads and review their multi-factor authentication settings. It is also prohibited from using the phone numbers and email addresses it illegally collected to serve ads. It will also have to provide multi-factor authentication options that don’t require a phone number.
It will also have to create and resource a "comprehensive privacy and information security program" that "protects the privacy, security, confidentiality, and integrity" of users' data.
The press release also noted that Twitter violated the EU-US Privacy Shield and Swiss-US Privacy Shield agreements, which require participating countries to follow certain privacy protocols when legally transferring data from the EU and Switzerland.