Quick Hits
- Twitter to pay $150 million and comply with additional FTC provisions after misusing user data
- The social media site used phone numbers and email addresses entered for verification purposes to sell advertisements
- The FTC hopes other companies take note and remember that how data is gathered and how it is used are inextricably linked under law


The Federal Trade Commission and the Department of Justice have settled a claim that the social media giant Twitter illegally used its users’ personal data. Using a ‘bait and switch’ tactic, Twitter collected email addresses and phone numbers for security purposes while also using the data to sell targeted advertisements.
From May 2013 to September 2019, Twitter prompted users to enter email addresses and phone numbers for account authentication purposes, like resetting passwords. The data was requested in the context of security, and users agreed to share it for those authentication purposes.
By using this data to sell advertisements and boost revenue, Twitter deceived users and violated the privacy of more than 140 million Twitter users. According to the FTC, this information was used to sell ads that “enriched Twitter by the multi-millions.”
Illegally capitalizing on private data, in the name of security no less, has led the FTC to impose a $150 million civil penalty on the social media app.
In a blog post, Twitter’s Chief Privacy Officer, Damien Kieran, called the issue a “privacy incident,” claiming the site had addressed the issue and would continue to protect Twitter users’ privacy and security. “Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way,” said Kieran. “In reaching this settlement, we have paid a $150M USD penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected.”
While the Twitter blog claims this issue was an “inadvertent” mistake, the fact remains that Twitter users’ privacy was violated. The FTC has added more provisions to its initial 2011 Twitter order, including the following:
- Twitter is prohibited from using the illegally collected phone numbers and email addresses to serve ads
- Twitter must notify all individuals affected, communicating about the FTC action and telling them how to review their ad and multifactor authentication settings
- Twitter must change its multifactor authentication process to include an option outside of phone numbers
- Twitter must integrate a privacy and information security program, get regular privacy and security assessments, and report privacy and security incidents to the FTC within 30 days
These provisions, along with the $150 million fine, are meant to encourage Twitter to watch carefully for privacy and security issues. Twitter’s compliance must also be verified by an FTC-approved privacy and security assessor.
The FTC is hoping other companies take note of this decisive action. Lesley Fair, writing for the FTC business blog, said, “What the text giveth, a privacy policy or buried disclaimer cannot taketh away. Consumers have a right to rely on what you say at the time you ask for their information. Trying to take it back in a contradictory statement buried elsewhere on your website is unlikely to correct a misrepresentation.”
How a company gathers data and how that data is used are inextricably linked under law. This important privacy principle should be integrated into the company’s data security practices. For those who ignore this principle, Fair reminds, “Violating FTC orders will result in substantial penalties. The FTC takes order enforcement seriously and will use every lawful means to hold recidivists responsible for further violations.”