Twitter to pay $150m fine for using private user data to serve ads

26 May 2022

Image: © MichaelVi/Stock.adobe.com

The FTC said more than 140m users were impacted when Twitter ‘inadvertently’ used email addresses and phone numbers – provided for account security – for advertising.

Twitter has agreed to pay a fine of $150m issued by the US Federal Trade Commission (FTC) over the improper use of private user data for targeted advertising.

The FTC took action against the social media platform for deceptively using phone numbers and email addresses for ad targeting, and Twitter has now agreed to pay the fine to settle allegations.

According to court documents filed this week, more than 140m users shared their phone numbers and email addresses with Twitter between 2013 and 2019 based on “deceptive statements” that the data would be used for account security.

Twitter admitted to the privacy incident in 2019, saying it served tailored ads by “inadvertently” using phone numbers and email addresses that were provided for two-factor authentication and other purposes.

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” FTC chair Lina M Khan said yesterday (25 May).

“This practice affected more than 140m Twitter users, while boosting Twitter’s primary source of revenue.”

Twitter received the FTC complaint in 2020 and said it expected a fine of between $150m to $250m.

The FTC said Twitter had violated a consent order from 2011 that required the company to maintain a comprehensive security programme and barred it from misleading users about the extent of its privacy practices.

Along with the $150m penalty, the FTC is proposing a new order with provisions for Twitter to follow.

The new order would prohibit Twitter from using the numbers and email addresses it collected to serve ads. It would also have to provide multi-factor authentication options that don’t require users to provide a mobile number.

Twitter has to implement an enhanced privacy programme and information security programme. The company has to get these assessed by an independent third party approved by the FTC and report privacy or security incidents to the FTC within 30 days.

US Department of Justice associate attorney general Vanita Gupta said the the $150m penalty “reflects the seriousness of the allegations against Twitter”.

“The substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.”

In 2019, the FTC fined Facebook $5bn for its mishandling of user data after years of investigation. It referred to the fine as an “unprecedented penalty” and an “historic victory for American consumers”. Facebook was also subject to new privacy and data security requirements as a result of the case.

10 things you need to know direct to your inbox every weekday. Sign up for the Daily Brief, Silicon Republic’s digest of essential sci-tech news.

Leigh Mc Gowran is a journalist with Silicon Republic

editorial@siliconrepublic.com