The FTC, along with the Department of Justice, proposes a $150 million penalty for Twitter in a stipulated final order, alleging that Twitter deceptively used account security data for targeted advertising.
If approved by the federal court, the order requires Twitter to pay a $150 million penalty and implement additional privacy and data security measures.
According to the complaint, Twitter asked users to provide phone numbers and email addresses for account security purposes (password resets, account unlocks, etc.) without disclosing that it would use the data for other purposes, including targeted advertising. The FTC alleges that Twitter misused more than 140 million users’ data from 2014 to 2019.
The proposed order highlights the importance of adopting meaningful privacy policies and adequately disclosing the purposes for which the business will use personal information at the point of collection. These concepts are familiar to businesses regulated by the California Consumer Privacy Act (CCPA), the EU’s General Data Protection Regulation (GDPR), or similar privacy laws; however, the FTC’s order demonstrates how regulators often pursue businesses under general consumer protection laws such as the FTC Act.
With respect to Twitter, the FTC derived additional leverage from arguments that the company violated (1) a 2011 FTC Order prohibiting it from misrepresenting the security of nonpublic consumer data, and (2) US-EU and US-Swiss privacy shield agreements requiring certain principles and procedures for international data transfers.
In addition to the $150 million penalty, Twitter must implement a comprehensive data security program, refrain from profiting from deceptively collected data, allow users to use other security authentication methods that do not require user data, notify users that it misused security data and provide information regarding Twitter’s data privacy procedures, and notify the FTC in the event of a data breach.
With the proliferation of state privacy laws, and continued efforts to work out a bipartisan federal solution such as the recently released American Data Privacy and Protection Act, businesses have more incentive than ever to incorporate privacy considerations into every aspect of their operations. The FTC’s stipulated order with Twitter, however, serves as a reminder that businesses should focus on privacy issues even in the absence of specific privacy laws.
Nick is a Partner at M&S where he leads the firm’s Compliance practice areas. He brings more than a decade of experience helping clients understand and comply with federal and state privacy, advertising, and telemarketing laws and regulations.