Twitter to pay $150 million after deceiving users to provide contact info, using data for targeted ads

In the midst of the messy Elon-wants-to-buy-Twitter story, the company itself is facing another huge battle: a $150 million civil penalty for using the platform users’ phone numbers for targeted advertising. 

“The Department of Justice is committed to protecting the privacy of consumers’ sensitive data,” said Associate Attorney General Vanita Gupta. “The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.”

It can be recalled that Twitter settled with Federal Trade Commission (FTC) in 2011 to resolve charges “that Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information.” Under this issue, Twitter’s data security allegedly had serious lapses, causing hackers to gain unauthorized administrative control of the platform. This caused Twitter to violate a portion of the FTC Act where the Commission is empowered “to prevent unfair methods of competition and unfair or deceptive acts or practices in or affecting commerce.”

According to claims in the legal filings, Twitter violated the FTC Act and the 2011 order after misrepresenting the “security and privacy” of user data between May 2013 and September 2019. In particular, the complaint says that Twitter made “deceptive statements” that caused its users to provide a phone number or email address, thinking they would be used solely for security purposes, such as two-factor authentication. The details, however, were used for ad targeting data. Twitter apologized for it in 2019, saying it “was an error.”

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” stressed FTC Chair Lina M. Khan. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

Twitter Chief Privacy Officer Damien Kieran addressed this settlement with DOJ and FTC through a tweet. “Our settlement with the FTC reflects Twitter’s pre-existing commitments and investments in security and privacy,” the tweet reads. “We will continue to partner with our regulators to make sure they understand how security and privacy practices at Twitter are always evolving for the better.”

Apart from the fine, however, it is important to note that Twitter will have to take some actions to prove there are improvements in its data privacy practice. It includes implementing new compliance measures, such as maintaining comprehensive privacy and information security programs and conducting regular data privacy safeguard testing. Additionally, Twitter will be required to have a privacy review accompanied by a written report before implementing new products or services that will collect the private information of the users.