Twitter Fined $150M for Misusing Private Data to Sell AdsFirm Deceptively Used Account Security Data of 140 Million Users
A $150 million penalty has been slapped on Twitter for deceptively using account security data of millions of users for targeted advertising, according to the U.S. Justice Department and the Federal Trade Commission.
"More than 140 million Twitter users provided email addresses or telephone numbers to Twitter based on Twitter's deceptive statements that their information would be used for specific purposes related to account security. Twitter knew or should have known that its conduct violated the 2011 FTC Order, which prohibits misrepresentations concerning how Twitter maintains email addresses and telephone numbers collected from users," says a complaint filed by the Department of Justice on behalf of the FTC.
The social media platform generates most of its revenue from advertisements, the FTC says.
Twitter on Wednesday confirmed that it had indeed paid a $150 million penalty, adding that it has taken steps to ensure that personal data of its users is secure and private.
Allegations Against Twitter
The FTC says that from May 2013 to September 2019, Twitter asked users to provide their phone numbers and email addresses as part of a verification process. The social media platform then sold this data to advertisers to help enable targeted advertisements, it says.
"In 2019, Twitter admitted to using users' phone numbers, which were submitted to enable two-step verification, for advertising purposes. This violated both EU and U.S. laws. Now we're finally seeing the outcome," privacy advocate Paul Bischoff, part of cybersecurity firm Comparitech, tells Information Security Media Group.
"What's interesting is that despite an admission of guilt, it took nearly three years for the FTC and DOJ to reach a settlement, no criminal charges were filed, and no court precedent was set. I would like to see more accountability for billion-dollar corporations," he says.
According to the court documents, Twitter is supposed to "implement robust compliance measures to protect users' data privacy and is banned from profiting from its deceptively collected data."
"Twitter falsely claimed to comply with the European Union-U.S. and Swiss-U.S. Privacy Shield Frameworks, which prohibit companies from processing user information in ways that are not compatible with the purposes authorized by the users," the DOJ says.
Twitter Chief Privacy Officer Damien Kieran says, "Keeping data secure and respecting privacy is something Twitter takes extremely seriously."
1/2 @Twitter, keeping data secure and respecting privacy is something we take extremely seriously. Today we shared an update on our settlement with the FTC regarding a privacy incident disclosed in 2019. . https://t.co/EkLBlByhKh— Damien (@Damokieran) May 25, 2022
"Our settlement with the FTC reflects Twitter's preexisting commitments and investments in security and privacy. We will continue to partner with our regulators to make sure they understand how security and privacy practices at Twitter are always evolving for the better," Kieran says.
Twitter also recently announced it is establishing a Data Governance Committee to strengthen the implementation of privacy and security policies and standards, as well as to expand Twitter's internal privacy and security review processes during the product development life cycle.
"We will continue to make investments in this work, including building and evolving processes, implementing technical measures, and conducting regular auditing and reporting to ensure we are mitigating risk at every level and function at Twitter," Kieran says in the blog. "We will also continue to partner with the FTC, and our security and privacy regulators around the world, on our shared mission of building useful products and services that meet our customers' needs while keeping the information they share with us secure and respectful of their privacy."
The DOJ says that the settlement with Twitter will require Twitter to do the following:
- Develop and maintain a comprehensive privacy and information security program.
- Conduct a privacy review with a written report prior to implementing any new product or service that collects private user information.
- Conduct regular testing of its data privacy safeguards.
- Allow users to use other multifactor authentication methods, such as mobile authentication apps or security keys that do not require users' telephone numbers.
- Obtain regular assessments of its data privacy program from an independent assessor.
- Provide annual certifications of compliance from a senior officer.
- Provide reports after any data privacy incidents affecting 250 or more users occur.
- Comply with numerous other reporting and record-keeping requirements.
Twitter is also directed to notify all U.S. customers who joined Twitter before Sept. 17, 2019, about the settlement and provide users with options for protecting their privacy and security.
Under the settlement terms, the DOJ and the FTC will monitor and enforce Twitter's compliance. The FTC also directed the social media giant to limit employee access to users' personal data and notify the FTC if the company experiences a data breach.