The Department of Justice (DOJ) says Twitter violated a 2011 Federal Trade Commission (FTC) ruling when the firm secretly exploited the personal data users handed over for security reasons.
Twitter and the DOJ have now agreed on a $150 million fine, which will be reviewed in federal court.
According to a complaint filed by the DOJ on behalf of the FTC, Twitter began asking users for a phone number or email address in 2013 to strengthen account security, such as enabling multi-factor authentication (MFA).
Twitter also said that if it detected suspicious behavior on a user’s account, it would use their personal data to assist with account recovery or re-enable full access.
But according to the FTC, there was a lot more going on behind the scenes.
In addition to using phone numbers and email addresses for security, Twitter also used the information to serve users targeted ads, which earned the firm millions of dollars.
“This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue,” said Lina Khan, who chairs the FTC.
In addition to the $150 million fine, other provisions of the proposed order:
- prohibit Twitter from profiting from deceptively collected data;
- allow users to use alternative MFA methods, such as authentication apps or security keys, which do not require them to submit their phone numbers;
- direct Twitter to inform users that it misused phone numbers and email addresses acquired for account security to target them with ads;
- require Twitter to establish and maintain a robust privacy and information security program that, among other things, obliges the firm to analyze and address any privacy and security concerns associated with new products;
- direct the firm to restrict employee access to users’ personal data; and
- require Twitter to notify the FTC if a data breach occurs.
Twitter’s chief privacy officer, Damien Kieran, told The Guardian that the company had “cooperated with the FTC every step of the way.”
“In reaching this settlement, we have paid a $150 million penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected,” he added.
Twitter is a free service that relies on advertising for 90% of its $5 billion (£3.8 billion) annual income.
Elon Musk, who is purchasing the platform for $44 billion, has slammed its ad-based economic model and promised to diversify its income streams.
“If Twitter was not truthful here, what else is not true? This is very concerning news,” he asked in a tweet late on Wednesday.
Musk is currently very publicly questioning the number of bots and fake accounts on the platform, which Twitter says only represent around 5% of users, threatening to pull out of the deal if the company fails to provide proof of its claims.
Twitter’s settlement comes after years of controversy over social media firms’ privacy policies.
For example, in 2018 Facebook admitted that it used mobile phone numbers for targeted advertising.
The FTC fined Facebook $5 billion the following year for a number of privacy violations.
$150 million is not nothing, but it is lower than we’d have seen had the fine been levied in the UK or EU under the GDPR. There, Twitter could have been fined as much as 4% of its global annual turnover: about $200 million. Regulators in those regions may still get involved in the case, though, if some of the users whose information was misused are UK or EU citizens.