The Department of Justice (“DOJ”), on behalf of the Federal Trade Commission (“FTC”), filed a complaint and motion for entry of a stipulated order with the Northern District of California, which would require Twitter to pay civil penalties and take other corrective actions for their violation of the FTC Act and a previous 2011 FTC Order. The complaint states that Twitter “represented to users that it collected their telephone numbers and email addresses to secure their accounts, [but] Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences” dating from at least May 2013 to September 2019. Moreover, the complaint alleges that Twitter’s ‘misrepresentation’ and ‘deceptive’ actions breach the Swiss-U.S. and EU-U.S. Privacy Shield Frameworks.
The proposed order would require Twitter to:
- Pay a $150 million in civil penalties;
- Allow users to use alternative multi-factor authentication methods (besides telephone numbers);
- Refrain from profiting from using collected data in undisclosed manners;
- Inform users that their information was misused;
- Establish a privacy and information security program that oversees risks associated with current and existing products;
- Disclose to the FTC any future data breaches; and
- Limit employees’ access to user’s personal data.
Twitter is not an outlier. Instead, it signals an increased focus on privacy enforcement at the state and federal levels going forward. Many companies may expect fines and penalties for not complying with state, federal, and international data privacy laws. For instance, California recently updated the California Consumer Privacy Act (“CCPA”) with the passing of Proposition 24, the California Privacy Rights Act (“CPRA”), which added additional consumer privacy rights and created a new state agency, the California Privacy Protection Agency (“CPPA”). The CPPA recently took over rulemaking authority from the California Attorney General and is beginning the rulemaking process.
Moreover, within the next twelve months, similarly comprehensive state privacy laws in Virginia, Colorado, Utah, and Connecticut will also become effective. To avoid expensive penalties, companies should consider reviewing their privacy policies and their internal controls surrounding customer’s nonpublic, personal information and customer’s privacy preferences. Privacy policies should accurately and explicitly reflect current business practices, and most importantly, comply with the upcoming privacy laws.
To view a copy of the DOJ/FTC complaint, click here.
To view the motion and stipulated order, click here.
To view a joint statement issued by FTC Chair Lina Khan and Commissioner Rebecca Kelly Slaughter, click here.
To view a concurring statement issued by FTC Commissioners Christine S. Wilson and Noah Joshua Phillips, click here.