The U.S. Federal Trade Commission fined Twitter $150 million for using email addresses and phone numbers supplied for account security purposes, such as two-factor authentication, for targeted adverts.
However, what occurred, according to Twitter, was a mistake.
According to the complaint, which the Department of Justice filed on behalf of the FTC, Twitter asked users for their phone numbers or emails for account security from 2013 to 2019, but did not disclose to them that advertisers would use the information to target messages.
Twitter confirmed that its technology “inadvertently” accessed users’ emails and phone numbers for ad targeting.
“We may have linked persons on Twitter to their list when an advertiser uploaded their marketing list based on the email or phone number the Twitter account holder gave for safety and security grounds,” Twitter said.
In a statement, the FTC said Twitter’s deception violates a 2011 order that explicitly prohibited the company from misrepresenting its privacy and security practices. Under the proposed order, Twitter must pay a $150 million penalty and is banned from profiting from its deceptively collected data.
“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said FTC Chair Lina M. Khan.
“This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
“The Department of Justice is committed to protecting the privacy of consumers’ sensitive data,” said Associate Attorney General Vanita Gupta.
“The $150 million penalties reflect the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy,” Gupta said.
“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”
The California-based social media platform generates most of its revenue from advertising on its platform, which allows users ranging from consumers to celebrities to corporations to post 280-character messages or tweets.
According to a complaint filed by the Department of Justice on behalf of the FTC, Twitter in 2013 began asking users to provide either a phone number or email address to improve account security. For example, the information was used to help reset user passwords and unlock accounts the company might have blocked due to suspicious activity, as well as for enabling two-factor authentication. Two-factor authentication provides an extra layer of security by sending a code to either a phone number or email address to help users log into Twitter along with a username and password.
From 2014 to 2019, more than 140 million Twitter users provided their phone numbers or email addresses after the company told them this information would help secure their accounts, according to the complaint. Twitter, however, failed to mention that it also would be used for targeted advertising, the FTC alleged. Twitter used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers, according to the FTC complaint.
Twitter’s deceptive use of users’ phone numbers and email addresses for targeted advertising also violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which required participating companies to follow certain privacy principles in order to legally transfer data from EU countries and Switzerland.
The Commission alleged that Twitter’s deceptive use of user email addresses and phone numbers violated the FTC Act and the 2011 Commission order, which stemmed from FTC allegations that the company deceived consumers and put their privacy at risk by failing to safeguard their personal information, resulting in two data breaches. The previous order prohibited Twitter from misrepresenting the extent to which the company maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.
Twitter recently reached a settlement with the Federal Trade Commission regarding a privacy incident disclosed in 2019 when some email addresses and phone numbers provided for account security purposes may have been inadvertently used for advertising.
“Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way. In reaching this settlement, we have paid a $150M USD penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected,” said Twitter’s chief privacy officer Damien Kieran in a blog post.
“Twitter’s commitment to security and privacy is not a point-in-time exercise for us but a core value we constantly enhance by updating our practices to meet the evolving needs of our customers. The recently announced Data Governance Committee is an embodiment of our dedication to strengthen the implementation of our privacy and security policies and standards, as well as to expand our internal privacy and security review processes during the product development life cycle.”
Read More Stories: Monkeypox Spreads in 20 Countries, WHO Says Outbreak ‘Containable’