The Federal Trade Commission and the US Department of Justice have ordered Twitter to pay a $150 million penalty for using customer’s phone numbers to target them with ads without expressly stating those intentions.
Twitter “deceptively” used account security data for targeted advertising, violating a 2011 order that explicitly prohibited the company from misrepresenting its privacy and security practices, the FTC said this week.
“Twitter asked users to give their phone numbers and email addresses to protect their accounts,” according to the press release. “The firm then profited by allowing advertisers to use this data to target specific users.”
A complaint filed by the Department of Justice on behalf of the FTC states that, in 2013, Twitter began asking users for a phone number or email address to bolster account security.
“For example, the information was used to help reset user passwords and unlock accounts the company might have blocked due to suspicious activity, as well as for enabling two-factor authentication,” the FTC notes.
More than 140 million users did just that between 2014 and 2019, unaware that Twitter would also use that data to target them with ads tailored to their tastes and online habits, the FTC alleges.
“Twitter used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers,” according to the complaint.
The practice also allegedly put users’ privacy at risk by failing to safeguard their personal information in two data breaches.
The FTC backed the $150 million penalty with provisions that:
- prohibit Twitter from profiting from deceptively collected data;
- let customers use other multi-factor authentication methods such as mobile apps or secuty keys that do not require telephone numbers;
- notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security contls;
- implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and secuty risks of new products;
- limit employee access to users’ personal data; and
- notify the FTC if the company experiences a data breach.