Twitter has agreed to pay $150 million as part of a settlement with regulators over allegations that the social media company misrepresented the “security and privacy” of user data over several years.
The FTC and Department of Justice said that between May 2013 and September 2019, Twitter asked users for personal information to secure their accounts, but then used that information to target users with ads.
This is not the first alleged violation of the FTC Act, under which, among other things, the agency is “empowered to prevent unfair or deceptive acts or practices in or affecting commerce.” In 2011, Twitter settled with the FTC, which had accused Twitter of serious lapses in its data security that allowed hackers to obtain unauthorized administrative control of the platform. The order prohibited misrepresentations around how Twitter maintains information like email addresses and phone numbers collected from users.
The penalty announced today has been a couple of years in the making. Twitter first warned investors in August 2020 that it was facing an FTC probe, and potentially a fine of more than a hundred million dollars, for violating both the FTC Act again and its 2011 settlement.
“Specifically, while Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences,” the complaint, which was filed by the DOJ on behalf of the FTC, said.
The complaint said users provided email addresses or telephone numbers based on Twitter’s “deceptive statements” that such information would be used for account security, like two-step authentication.
“This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue,” said FTC Chair Lina Khan in a statement.
The agreement also requires Twitter to improve its compliance practices.
Twitter did not immediately respond to a request for comment.