On May 25, 2022, the Federal Trade Commission (FTC) announced that it, along with the Department of Justice, fined Twitter $150 million for violating a 2011 agreement the company had with the Commission. Under the 2011 FTC order, Twitter agreed that it would protect the integrity of nonpublic consumer information, including users’ phone numbers and email addresses. According to federal investigators, Twitter broke this promise.
The FTC found that Twitter requested users’ email addresses and phone numbers under the guise of protecting their accounts as part of the “two-factor authentication” method used to provide users with an additional layer of security. But rather than limit the use of users’ data for this purpose, the FTC found that Twitter used the information it received from its users to increase the company’s own profits by allowing advertisers to use that data to target advertisements towards specific users. In the FTC’s announcement, FTC Chair Lina Khan stated, “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
The order proposed several corrective provisions in addition to the $150 million fine. If adopted, the order will prohibit Twitter from profiting from the data obtained in violation of the 2011 order. The new order would also require Twitter to:
- Provide customers with alternative multi-factor authentication methods;
- Notify users that it misused nonpublic consumer information collected for account security to target ads to them;
- Implement and maintain a broad privacy and information security program;
- Limit employee access to users’ personal data; and
- Notify the FTC of any future data breaches.
To be sure, the FTC’s charge against Twitter is not surprising. The FTC previewed this issue back in October 2021 when it released findings from an FTC staff report on Internet Service Providers’ collection and use practices. The report found that even though ISPs “promise not to sell consumers personal data, they allow it to be used, transferred, and monetized by others.” The report concluded that the ISPs’ use and collection practices mirrored problems identified in other industries and emphasized the importance of regulating data collection and use. Websites using added protection to entice users to share more information should take heed to the order against Twitter. Additionally, as many tech companies have entered into consent orders with the FTC dealing with consumer protection issues, they must take appropriate measures to ensure that they are not violating those orders.