The Federal Trade Commission has announced it is taking action against Twitter for deceptively using account security data for targeted advertising.
The $150m penalty amounts to roughly 3% of Twitter’s 2021 revenue ($5.08bn), most of which ($4.5bn) was generated through advertising.
According to the complaint filed by the US Department of Justice on behalf of the FTC, Twitter in 2013 began asking users to supply phone numbers and email addresses to improve their account security through multi-factor authentication. The social media company then profited off that data by selling it to advertisers to use it to target specific users.
A 2011 FTC order explicitly prohibited Twitter from misrepresenting its privacy and security practices.
From 2014 to 2019, more than 140 million Twitter users provided their phone numbers or email addresses. Twitter currently has around 400 million users globally.
The deception also violated the EU-US Privacy Shield and Swiss-US Privacy Shield agreements, which require participating companies to follow certain privacy principles to legally transfer data from EU countries and Switzerland, respectively.
“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” said US attorney for the Northern District of California Stephanie M. Hinds.
“Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”
Associate Attorney General Vanita Gupta said the $150m penalty “reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy”.
In addition to the fine, the FTC will prohibit Twitter from profiting from deceptively collected data and limit employee access to users’ personal data. It will also require Twitter to allow users to use other multi-factor authentication (MFA) methods that do not require users to provide telephone numbers (e.g., MFA apps or security keys), require that users are notified that the company misused their data, implement and maintain a comprehensive privacy and information security program, and notify the FTC if the company experiences a data breach.
Twitter’s chief privacy officer Damien Kieran said: “Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way.”
The ruling adds to recent drama surrounding the social media site. Amid the on-hold takeover bid by Elon Musk, Twitter’s stock has been volatile, falling nearly 13% year-to-date.
Read more: What will Twitter look like under Musk and how will it impact brands?
