The United States Federal Trade Commission (FTC) has imposed a sanction of $150 million on Twitter. The social media company allegedly used its users' personal information, which it had promised to use to secure their accounts, for targeted ads.
This is not the first alleged violation of the FTC Act, under which, among other things, the agency is “empowered to prevent unfair or deceptive acts or practices in or affecting commerce.” In 2011, Twitter settled with the FTC, which had accused Twitter of serious lapses in its data security that allowed hackers to obtain unauthorized administrative control of the platform.
The order in that case prohibited misrepresentations around how Twitter maintains information like email addresses and phone numbers collected from users.
The just-announced $150 million civil penalty stems from a new complaint filed by the Department of Justice on behalf of the FTC, alleging that Twitter violated the order in the earlier case by collecting customers’ personal information for the stated purpose of security and then exploiting it commercially.
The FTC, in a statement announcing the fine, cited the complaint, which was filed by the DOJ on behalf of the FTC: “Specifically, while Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences.”
The complaint said users provided email addresses or telephone numbers based on Twitter’s “deceptive statements” that such information would be used for account security, like two-step authorizations.
“This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue,” the FTC added.
In addition to imposing a $150 million civil penalty for violating the 2011 order, the new order adds more provisions to protect consumers in the future:
Twitter is prohibited from using the phone numbers and email addresses it illegally collected to serve ads.
Twitter must notify users about its improper use of phone numbers and email addresses, tell them about the FTC law enforcement action, and explain how they can turn off personalized ads and review their multi-factor authentication settings.
Twitter must provide multi-factor authentication options that don’t require people to provide a phone number.
Twitter must implement an enhanced privacy program and a beefed-up information security program that includes multiple new provisions spelled out in the order, get privacy and security assessments by an independent third party approved by the FTC, and report privacy or security incidents to the FTC within 30 days.