Federal authorities fined Twitter $150 million on Wednesday for allegedly deceiving consumers about how the social media corporation utilized their data.
According to the Federal Trade Commission, Twitter gathered users’ email addresses and phone numbers from May 2013 to September 2019, claiming it needed the information to protect their accounts. However, the blogging site was also sending such data to marketers so they could target individuals, something it did not disclose, according to the agency. Advertisers might target particular persons by matching users’ phone numbers or emails with the information they already have or purchased from data brokers.
“Twitter gathered data from users under the guise of using it for security purposes, but then used the data to target users with advertisements,” FTC Chair Lina Khan said. “This technique impacted over 140 million Twitter users while increasing Twitter’s principal income stream.”
In a federal complaint filed on Wednesday, officials claimed that Twitter fraudulently stated that it conformed with US privacy treaties with the European Union and Switzerland, which restrict corporations from processing user data in ways that contradict the objectives approved by users.
According to the FTC, Twitter will pay $150 million to resolve misleading advertising claims and adjust its services to provide users with more choices for verifying their accounts.
The government penalties amount to around 3% of Twitter’s yearly income. On Wednesday, the Justice Department and the FTC announced a deal with Twitter.
In addition to imposing a civil penalty of $150 million for violating the 2011 order, the new order includes additional safeguards to protect customers in the future:
- Twitter is restricted from serving to advertise using phone numbers and email addresses obtained unlawfully.
- Twitter must alert users of its inappropriate use of phone numbers and email addresses, inform them of the FTC’s legal action, explain how they may disable tailored advertisements, and examine their multi-factor authentication settings.
- Twitter must implement an enhanced privacy program and a beefed-up information security program that includes several new provisions outlined to obtain privacy and security assessments from an independent third party approved by the FTC and report privacy or security incidents to the FTC within 30 days.
This isn’t the first time regulators have accused Twitter of misusing people’s data. After two data breaches caused by Twitter’s insufficient security, the FTC prevented the company from misrepresenting “the extent to which it safeguards the security, privacy, and confidentiality of nonpublic consumer information” for 20 years in 2011. According to the FTC and the Justice Department, Twitter’s most recent actions breached the 2011 judgment.
—The Associated Press contributed to this report.