FTC Penalizes Twitter for Deceptively Using User Data

The Federal Trade Commission has ordered Twitter to pay a $150 million penalty for violating its 2011 Consent Order and to cease profiting from deceptively collected data. According to the complaint filed yesterday by the Department of Justice, from at least 2013 to 2019, Twitter asked users to provide a phone number or email address “for the express purpose of securing or authenticating their Twitter accounts.” However, Twitter also used this personal information to serve targeted advertising through its “Tailored Audiences” and “Partner Audiences” services. More than 140 million Twitter users provided email or telephone numbers to the company based on the deceptive statement regarding how that information would be used.

Under the order, Twitter will be prohibited from profiting off the deceptively collected data. Twitter must also provide users with other multi-factor authentication methods that do not require users to provide a telephone number, and must notify users that it misused phone numbers and email addresses collected for account security to target ads.

“Profiting off of account security data is as blatant a privacy violation as they come, especially given that Twitter was already under an FTC decree for mishandling personal data a decade ago,” said EPIC Senior Counsel John Davission. “The FTC must continue to impose severe penalties against privacy violators and establish market-wide rules to limit privacy abuses, as we expect the commission will.” EPIC routinely files comments with the FTC and encourages the Commission to fully use its authorities to protect consumers.