FTC Reaches $150 Million Settlement With Twitter Over Allegations of Deceptive Data Use
On May 25, 2022, the Department of Justice, acting on behalf of the Federal Trade Commission, sued Twitter for failing to adequately disclose to its users its practice of using users’ phone numbers and email addresses to send them targeted advertisements. Twitter resolved the suit by agreeing to pay $150 million in civil penalties and implement a number of robust compliance measures.
Background and Allegations
The FTC alleged that Twitter’s misleading data use practices violated Section 5(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. § 45(n), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The Complaint alleged that, from May 2013 through September 2019, Twitter encouraged its users to disclose their phone numbers and email addresses for security purposes, such as enabling two-factor authentication and establishing a method for recovering lost passwords. More than 140 million users provided their information to Twitter.
This is not the first run-in between the FTC and Twitter. In 2011, the FTC asserted that Twitter violated Section 5(a) of the FTC Act when it misrepresented the safeguards it had in place to protect its users’ private information from unauthorized access. According to the FTC, hackers were able to access nonpublic user information and private tweets because of lapses in Twitter’s data security.
Under the terms of the 2011 FTC Order, Twitter was barred from misleading its users about the extent to which it protected the security, privacy, and confidentiality of nonpublic user information. According to the FTC’s latest Complaint, Twitter’s misrepresentations regarding the collection and use of its users’ phone numbers and email addresses constituted a breach of the 2011 FTC Order.
The recent FTC lawsuit also alleges that Twitter falsely represented that it was in compliance with the EU-US and Swiss-US Privacy Shield agreements. Although no longer in effect, the Privacy Shield framework required participating companies to follow certain privacy principles when transferring data out of the EU and Switzerland. Pursuant to the Privacy Shield framework, Twitter self-certified that it would not process personal information in a way that was incompatible with the purposes for which the information was collected.
In addition to a $150 million penalty, under the terms of the settlement, Twitter must:
- not profit from deceptively collected data;
- allow users to enable multi-factor authentication methods that do not require telephone numbers, such as mobile authentication applications or security keys;
- notify its users that it misused the phone numbers and email addresses collected for account security purposes and provide information related to its privacy and security controls;
- implement and maintain a comprehensive privacy and information security program that, among other things, examines and addresses potential privacy and security risks of new products;
- limit employee access to users’ personal data; and
- notify the FTC of any security breaches.
Twitter’s Chief Privacy Officer issued a statement acknowledging that “some email addresses and phone numbers may have been inadvertently used for advertising.” The company further noted that it had addressed the issue in September 2019 and emphasized its commitment to protecting the privacy and security of its users.
The Twitter lawsuit highlights the increased scrutiny and focus regulators have placed on the way companies handle their users’ personal data and the disclosures companies must make to ensure that consumers are adequately informed of how their data is used. The $150 million settlement signals that the FTC will aggressively pursue and levy substantial penalties for repeat privacy violations. Companies will be well advised to take a hard look at their privacy policies and the notifications they use when collecting personal information to make sure they clearly and accurately disclose to consumers how and for what purposes their personal data is collected, used, and safeguarded.
If you want to know more or have questions about the settlement, please contact any of the authors or members of Arnold & Porter’s Privacy, Cybersecurity & Data Strategy group.
© Arnold & Porter Kaye Scholer LLP 2022 All Rights Reserved. This blog post is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.