Thu | May 26, 2022 | 12:42 PM PDT

The U.S. Federal Trade Commission (FTC) and the Department of Justice (DOJ) imposed a $150 million penalty on Twitter for "deceptively using account security data for targeted advertising."

Twitter, like many other social media websites, asks users to provide their phone number and email address to better protect their account. But instead of using this information for the sole purpose of improving security, Twitter profited by allowing advertisers to use this data to target individuals.

This action violated a 2011 FTC order that prohibited the social media site from misrepresenting its privacy and security practices. 

FTC Chair Lina M. Khan said:

"As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads. This practice affected more than 140 million Twitter users, while boosting Twitter's primary source of revenue."

U.S. Attorney Stephanie M. Hinds of the Northern District of California also said of the violation:

"Consumers who share their private information have a right to know if that information is being used to help advertisers target customers. Social media companies that are not honest with consumers about how their personal information is being used will be held accountable."

Twitter sells 2FA information to advertisers

Starting in 2013, Twitter began asking users to provide a phone number or email address to improve their account security. This information would be used to help reset passwords or unlock accounts, as well as to enable two-factor authentication (2FA).

Between 2014 and 2019, over 140 million users provided a phone number or email address after Twitter informed its users this information would be used for security purposes. What the company failed to communicate was that this information would also be used for targeted advertising.

Advertisers could target specific ads to specific users by matching the information with data they already had or obtained from data brokers, according to the FTC complaint.

Along with violating the 2011 FTC order, Twitter also violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which require companies to follow certain privacy principles to legally transfer data from EU countries and Switzerland.

In addition to the $150 million penalty, the FTC included provisions that would:

  • "Prohibit Twitter from profiting from deceptively collected data;
  • Allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
  • Notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter's privacy and security controls;
  • Implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
  • Limit employee access to users' personal data; and
  • Notify the FTC if the company experiences a data breach."

See the statement from the FTC for more information. 
