California-based Twitter was fined $150 million by the Federal Trade Commission (FTC) and Department of Justice (DOJ) for violating the FTC Act, a 2011 FTC Order, and the privacy principles under the EU-US and Swiss Privacy Shield Frameworks. Twitter deceptively prompted users to provide their telephone numbers or email addresses to increase their account security. Advertisers were then allowed to use this data to serve targeted ads.
Violation of the FTC Act
The Department of Justice (DOJ) filed the complaint against Twitter on behalf of the FTC. Per the complaint, between May 2013 and September 2019, Twitter prompted users to provide their phone numbers or email addresses for various security-related purposes, including enabling two-factor authentication (2FA), safeguarding their accounts, recovering a lost password, or re-authenticating their account. Twitter further required users to provide telephone numbers or email addresses to re-enable full access to their account after Twitter detected suspicious or malicious activity. It was not until September 2019 that Twitter disclosed that the phone numbers and email addresses provided to safeguard or re-authenticate accounts were also being used to target advertisements to users.
Violation of the EU-US and Swiss-US Privacy Shield Frameworks
Per the DOJ’s complaint, Twitter misrepresented that it processed personal data in accordance with the EU-US and Swiss-US Privacy Shield Frameworks. To rely on the EU-US and Swiss-US Privacy Shield for data transfers, companies needed to self-certify, and annually reconfirm, to the Department of Commerce (DOC) that they complied with the Privacy Shield Principles. The Privacy Shield principle of Data Integrity and Purpose Limitation provides that an organization may not process personal information in a way that is incompatible with the purpose for which it was collected or subsequently authorized by the individual. On November 16, 2016, Twitter self-certified its participation in the EU-US and Swiss-US Privacy Shield Frameworks, and it reaffirmed its participation each year thereafter. Twitter’s use of user phone numbers and email addresses for advertising purposes is not compatible with the security-related purposes for which it collected those phone numbers and email addresses, and Twitter did not obtain subsequent authorization from users to use the information for advertising.
Violation of the 2011 FTC Order
In 2011, Twitter was charged with engaging in deceptive acts or practices for failing to provide reasonable security measures to prevent unauthorized access to nonpublic user information and for failing to honor privacy choices exercised by users. The 2011 complaint alleged that there were serious lapses in Twitter’s security that allowed hackers to obtain unauthorized administrative control of Twitter. Hackers also had the ability to access non-public user information and tweets that users had designated as private, and the ability to send tweets from any account (one tweet was sent from the account of then-President-elect Barack Obama offering his followers a chance to win $500 in free gasoline, and at least one tweet was sent from the account of Fox News). Under the 2011 FTC Order, Twitter was explicitly prohibited from misrepresenting its privacy and security practices.
Fines, civil penalties and injunctions per the 2022 Stipulated Order
On May 26, 2022, the Stipulated Order for Civil Penalty, Monetary Judgment, and Injunctive Relief was entered. Under the Stipulated Order, Twitter:
- Must pay $150 million;
- Is still prohibited from misrepresenting how it maintains and protects the privacy, security, confidentiality or integrity of users’ information;
- Is required to offer users other multi-factor authentication methods, such as mobile authentication apps or security keys, that do not require users to provide their telephone numbers;
- Must give a required notice to its users that it may have served targeted ads based on email addresses or phone numbers users provided to Twitter to secure their accounts, along with information about their options to control their privacy and security;
- Is required to establish and maintain a privacy and information security program that protects user information. This entails designating an employee to coordinate and be responsible for the program, implementing safeguard controls, implementing training, conducting required vulnerability and penetration testing, imposing contractual requirements on Twitter’s service providers, and obtaining independent program assessments by third parties;
- Is now subject to a host of DOJ reporting requirements, including privacy impact assessments for all new or modified products and various other assessments, along with required annual certification of compliance; and
- Is further required to notify the DOJ of data breaches affecting 250 or more users within 30 days of discovering the incident.