May 25, 2022 - Technology

Twitter to pay $150M for violating FTC privacy order


Twitter has agreed to pay $150 million for using users' security data to target ads, violating a 2011 order by the Federal Trade Commission, the agency announced along with the Department of Justice Wednesday.

Driving the news: The complaint, filed by the DOJ on behalf of the FTC, stated that from 2013 through 2019, Twitter asked users for their phone numbers or emails for account security, but did not tell users the information would be used by advertisers to target messages.

  • The complaint says this behavior also violated the U.S.-EU privacy shield, the former data-sharing agreement between the U.S. and Europe.
  • The 2011 FTC order barred Twitter from misrepresenting its privacy and security practices to users.

What they're saying: "Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," FTC Chair Lina Khan said in a release. "This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue."

  • "The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy," Associate Attorney General Vanita Gupta said in the same release.

How it works: The DOJ filed the complaint in the U.S. District Court for the Northern District of California, and a judge has to approve the proposed settlement for it to go into effect. Twitter paying the fine settles the FTC's allegations.

  • Twitter said in a 2020 filing with the Securities and Exchange Commission that it may face a fine of $150 million to $250 million, citing a then-draft FTC complaint. The company said in 2019 it had shared email addresses and phone numbers with advertisers "unintentionally."

Details: In addition to the fine, Twitter agreed to:

  • not profit from "deceptively collected data";
  • allow users to use multi-factor authentication without phone numbers;
  • notify users that it misused their information;
  • implement a comprehensive privacy and security program and consider privacy in new products;
  • limit employee access to personal data of users and tell the FTC if there is a data breach.

"Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way," Twitter said in a blog post.

  • "In reaching this settlement, we have paid a $150M USD penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected."