Federal Trade Commission takes action against Twitter for deceptively using customers’ account security data to sell targeted ads. Twitter to pay 150 million dollars fine to settle privacy law suit.
May 26, 2022 |
The US Federal Trade Commission has taken action against Twitter for allowing advertisers to use its customers’ phone numbers and emails for targeted ads. Customers provided that information to Twitter to protect their accounts. The practice was reasonably long standing, from at least May 2013 until at least September 2019. The practice affected more than 140 million Twitter users.
It is interesting to note that in 2011 the FTC claimed Twitter misrepresented the extent to which it protected its customers privacy and the security of their non public information. The FTC settled that complaint.
The complaint states:
From at least May 2013 until at least September 2019, Twitter misrepresented to users of its online communication service the extent to which it maintained and protected the security and privacy of their nonpublic contact information. Specifically, while Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences. Twitter’s misrepresentations violate the FTC Act and the 2011 Order, which specifically prohibits the company from making misrepresentations regarding the security of nonpublic consumer information. Plaintiff therefore seeks civil penalties for Twitter’s violations, as well as a permanent injunction and other equitable relief, to ensure Twitter’s future compliance with the law.
and
14. Specifically, the Administrative Complaint asserted that Twitter had engaged in deceptive acts or practices by misrepresenting that users could control who had access to their tweets through a “protected account” or could send private “direct messages” that could only be viewed by the recipient when, in fact, Twitter lacked reasonable safeguards to ensure those choices were honored, such as restricting employee access to nonpublic user information based on a person’s job requirements.
15. The Administrative Complaint also alleged that Twitter had misrepresented the controls it implemented to keep user accounts secure, when, in fact, Twitter lacked reasonable safeguards to limit or prevent unauthorized access to nonpublic user information, such as secure password requirements and other administrative, technical, or physical safeguards.
and
26. Twitter offers various services that advertisers can use to reach their existing marketing lists on Twitter, including “Tailored Audiences” and “Partner Audiences.” Tailored Audiences allows advertisers to target specific groups of Twitter users by matching the telephone numbers and email addresses that Twitter collects to the advertisers’ existing lists of telephone numbers and email addresses. Partner Audiences allows advertisers to import marketing lists from data brokers like Acxiom and Datalogix to match against the telephone numbers and email addresses collected by Twitter. Twitter has provided advertisers the ability to match against lists of email addresses since January 2014 and against lists of telephone numbers since September 2014.
27. Twitter has prompted users to provide a telephone number or email address for the express purpose of securing or authenticating their Twitter accounts. However, through at least September 2019, Twitter also used this information to serve targeted advertising and further its own business interests through its Tailored Audiences and Partner Audiences services. For example, from at least May 2013 until at least September 2019, Twitter collected telephone numbers and email addresses from users specifically for purposes of allowing users to enable two-factor authentication, to assist with account recovery (e.g., to provide access to accounts when users have forgotten their passwords), and to re-authenticate users (e.g., to re-enable full access to an account after Twitter has detected suspicious ormalicious activity). From at least May 2013 through at least September 2019, Twitter did not disclose, or did not disclose adequately, that it used these telephone numbers and email addresses to target advertisements to those users through its Tailored Audiences and Partner Audiences services.
The FTC media release is quite comprehensive, providing.
The Federal Trade Commission is taking action against Twitter, Inc. for deceptively using account security data for targeted advertising. Twitter asked users to give their phone numbers and email addresses to protect their accounts. The firm then profited by allowing advertisers to use this data to target specific users. Twitter’s deception violates a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices. Under the proposed order, Twitter must pay a $150 million penalty and is banned from profiting from its deceptively collected data.
“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said FTC Chair Lina M. Khan. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
“The Department of Justice is committed to protecting the privacy of consumers’ sensitive data,” said Associate Attorney General Vanita Gupta. “The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.”
“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”
California-based Twitter generates most of its revenue from advertising on its platform, which allows users ranging from consumers to celebrities to corporations to post 280-character messages, or tweets.
According to a complaint filed by the Department of Justice on behalf of the FTC, Twitter in 2013 began asking users to provide either a phone number or email address to improve account security. For example, the information was used to help reset user passwords and unlock accounts the company might have blocked due to suspicious activity, as well as for enabling two-factor authentication. Two-factor authentication provides an extra layer of security by sending a code to either a phone number or email address to help users log into Twitter along with a username and password.
From 2014 to 2019, more than 140 million Twitter users provided their phone numbers or email addresses after the company told them this information would help secure their accounts, according to the complaint. Twitter, however, failed to mention that it also would be used for targeted advertising, the FTC alleged. Twitter used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers, according to the FTC complaint.
Twitter’s deceptive use of users’ phone numbers and email addresses for targeted advertising also violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which required participating companies to follow certain privacy principles in order to legally transfer data from EU countries and Switzerland.
The Commission alleged that Twitter’s deceptive use of user email addresses and phone numbers violated the FTC Act and the 2011 Commission order, which stemmed from FTC allegations that the company deceived consumers and put their privacy at risk by failing to safeguard their personal information, resulting in two data breaches. The previous order prohibited Twitter from misrepresenting the extent to which the company maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.
In addition to the $150 million penalty, other provisions of the proposed order would:
-
- prohibit Twitter from profiting from deceptively collected data;
- allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
- notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;
- implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
- limit employee access to users’ personal data; and
- notify the FTC if the company experiences a data breach.
Twitter’s actions were a clear breach of privacy principles and would be illegal in most jurisdictions with privacy protections, including Australia under the Privacy Act 1988.
As with all FTC claims the coverage is damaging for the malefactor, here Twitter with the Verge’s Twitter will pay $150 million for using people’s security phone numbers to target ads, the New Daily’s Twitter hit with $211m data privacy fine and Engadget’s FTC fines Twitter $150 million for ‘deceptive’ ad targeting. More coverage is likely as the story spreads across the wires.