Twitter pays $150 million settlement for breaking privacy rules

---

Twitter agreed to pay a $150 million civil penalty after being sued by the U.S. Department of Justice, on behalf of the U.S. Federal Trade Commission, for selling user data under the guise of improving account security. The case represented the first major deal between a social media giant and the Federal Trade Commission under President Joe Biden’s administration.

Key Players

The U.S. Federal Trade Commission (FTC), a federal agency that protects consumers and competition by preventing anticompetitive, deceptive, and unfair business practices, initiated the action against Twitter in 2019, after a similar complaint was filed in 2010.

The U.S. Department of Justice, the federal agency responsible for defending the interests of the United States through the enforcement of the law and administration of justice, filed a complaint against Twitter on behalf of the FTC, citing violations of privacy and exploitation of users’ personal information. 

Twitter is an American microblogging and social networking service on which users post and interact via tweets. As of 2022, Twitter had nearly 400 million users worldwide, and earned about 85% of annual revenue from advertisements. 

Further Details

In 2010, the FTC filed a complaint against Twitter, alleging it told users they had control over which accounts could view their tweets, and that private messages could only be viewed by recipients. However, the FTC said Twitter failed to set up those safeguards and that unauthorized persons gained access to users’ private messages. As part of a 2011 order, Twitter agreed it would pay a substantial penalty if it ever again misrepresented its privacy and security provisions. 

From May 2013 to September 2019, Twitter prompted users to provide personal information, such as phone numbers and email addresses, to enable multifactor authentication measures. But according to the FTC, Twitter failed to disclose to its consumers that it had used that data to sell targeted advertisements. 

In its new complaint, the FTC said Twitter’s actions violated the 2011 order and the FTC Act prohibiting deceptive acts affecting commerce and breached E.U.-U.S. and Swiss-U.S. privacy shield agreements that require companies to follow specific privacy principles to  transfer data legally from EU countries and Switzerland. 

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” FTC Chair Lina M. Khan said. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

As a result of the privacy violation, the FTC also said Twitter gained a multimillion dollar profit.

Outcome

Twitter and FTC reach $150 million settlement

To settle the case, on May 25, 2022, Twitter agreed to pay $150 million, a civil penalty that represented about 3% of its revenue in 2021, The Wall Street Journal reported. 

“The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy,” Associate Attorney General Vanita Gupta said. 

“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” Stephanie M. Hinds, U.S. Attorney for the Northern District of California, said. “Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.” 

The settlement also required Twitter to adopt and enforce enhanced security provisions, cease using the collected data for targeted advertisements, disclose the FTC violation to affected users, explain to users how to turn off personalized advertisements, review its multifactor authentication settings, and provide multifactor authentication options that would not require user contact information, such as phone numbers or emails. 

Twitter announces new committee to improve user privacy and security 

After the settlement, Damien Kieran, chief privacy officer of Twitter, released a statement, informing users that “some email addresses and phone numbers provided for account security purposes may have been inadvertently used for advertising.” 

Kieran said Twitter had cooperated and collaborated with the FTC and announced a new Data Governance Committee to help improve user privacy and security.

Federal Judge signs FTC approved final order for Twitter settlement 

The FTC voted 4-0 to refer the complaint and stipulated final order to the Justice Department. The complaint and stipulated final order had been filed in the U.S. District Court of Northern California, San Francisco Division. 

On May 26, 2022, Federal Magistrate Judge Thomas S. Hixson entered the final order for civil penalty, monetary judgment, and injunctive relief.