Twitter has agreed to pay a $150 million penalty for targeting ads at users with phone numbers and email addresses collected from those users when they enabled two-factor authentication. Twitter agreed to the fine and “robust compliance measures to protect users’ data privacy” to settle a lawsuit filed on Wednesday by the US government.
“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” Federal Trade Commission Chair Lina Khan said. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
The settlement was reached with both the FTC and Department of Justice. “The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy,” DOJ Associate Attorney General Vanita Gupta said. The payment will go to the US Treasury, according to the settlement.
US says Twitter violated law and 2011 settlement
The government’s lawsuit said Twitter violated the FTC Act and a 2011 settlement with the FTC by “deceiving users about the extent to which Twitter maintained and protected the security and privacy of users’ nonpublic contact information,” the DOJ said. The 2011 settlement addressed security failures resulting in hackers taking administrative control of Twitter and gaining access to users’ private information and accounts.
“Specifically, the complaint alleges that, from May 2013 to September 2019, Twitter told its users that it was collecting their telephone numbers and email addresses for account-security purposes, but failed to disclose that it also would use that information to help companies send targeted advertisements to consumers,” the DOJ said. “The complaint further alleges that Twitter falsely claimed to comply with the European Union-US and Swiss-US Privacy Shield Frameworks, which prohibit companies from processing user information in ways that are not compatible with the purposes authorized by the users.”
In 2013, Twitter “began asking users to provide either a phone number or email address to improve account security” but then “used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers,” the FTC said.
Twitter revealed problem in 2019
Twitter revealed the problem in October 2019, saying, “We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication) this data may have inadvertently been used for advertising purposes.”
The problem is related to the Twitter system that lets an advertiser target ads to customers based on the advertiser’s list of email addresses or phone numbers. “When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize,” Twitter said in 2019.
In a statement on the settlement Wednesday, Twitter said, “Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way. In reaching this settlement, we have paid a $150M USD penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected.” Twitter also said the problem of email addresses and phone numbers being improperly used for advertising was fixed in September 2019.
Twitter now offers additional two-factor options, including authentication apps and physical security keys.
DOJ and FTC will monitor compliance
To prevent repeats of the security problems outlined in the government lawsuit, the settlement requires Twitter to “develop and maintain a comprehensive privacy and information-security program, conduct a privacy review with a written report prior to implementing any new product or service that collects users’ private information, and conduct regular testing of its data privacy safeguards,” the DOJ said. “Twitter also will be required to obtain regular assessments of its data privacy program from an independent assessor, provide annual certifications of compliance from a senior officer, provide reports after any data privacy incidents affecting 250 or more users, and comply with numerous other reporting and record-keeping requirements.”
Twitter will also be required to “notify all US customers who joined Twitter before Sept. 17, 2019, about the settlement and to provide users with options for protecting their privacy and security. Under the settlement terms, the Department of Justice and FTC will each have responsibility for monitoring and enforcing Twitter’s compliance.”
The complaint and settlement were filed in US District Court for the Northern District of California. The settlement must be approved by the court before it takes effect.
Twitter reported first-quarter revenue of $1.2 billion and a net income of $513 million. The company has a pending deal with Elon Musk, who agreed to buy Twitter for $44 billion. Musk has been waffling on that commitment, but he filed a new funding plan that would increase the amount of equity he puts toward the deal from $27.25 billion to $33.5 billion on Wednesday.