Privacy law 101 includes a simple but important concept: organizations may only use the personal information they collect for the purposes they say they will, and in the manner they say they will. According to the Federal Trade Commission ("FTC") and the Department of Justice ("DOJ"), Twitter got this wrong - and it is going to cost Twitter $150M as a result.
On May 25, 2022, Twitter reached a proposed settlement with the DOJ and the FTC to resolve allegations that Twitter violated the FTC Act and an Order issued by the FTC in 2011 by misrepresenting how it would make use of users’ personal information, including users’ nonpublic contact information.
“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said FTC Chair Lina M. Khan. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
U.S. Attorney Stephanie M. Hinds for the Northern District of California noted, “Consumers who share their private information have a right to know if that information is being used to help advertisers target customers. Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”
The Complaint alleged that from May 2013 until at least September 2019, Twitter misrepresented to more than 140 million users the extent to which it maintained and protected the security and privacy of their nonpublic contact information. Twitter told users that it collected their phone numbers and email addresses to secure their accounts – but, according to the Complaint, failed to disclose that it also used this information for advertising purposes. The Complaint alleged that these misrepresentations violated the FTC Act, as well as the 2011 FTC Order that specifically prohibited Twitter from making misrepresentations regarding the security of nonpublic consumer information.
The Complaint also alleged that Twitter misrepresented that it processed personal information of its users in accordance with the EU-US and Swiss-US Privacy Shield Frameworks. Under those frameworks, Twitter self-certified, among other things, that it would not process user personal information in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the user. Although many organizations have largely forgotten these frameworks since the Court of Justice of the European Union invalidated them as a data transfer mechanism, the representations that organizations made (and continue to make via their neglected privacy policies) under those frameworks can live on.
In addition to requiring Twitter to pay $150 million in civil penalties, the proposed settlement would prohibit Twitter from profiting from deceptively collected data and would require Twitter to: (a) allow users to use other multi-factor authentication methods, such as mobile authentication apps or security keys, that do not require users to provide their telephone numbers; (b) notify users that it misused phone numbers and email addresses collected for account security to also target ads to them, and provide information about Twitter’s privacy and security controls; (c) implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products; (d) limit employee access to users’ personal data; and (e) notify the FTC if the company experiences a data breach.
It is always a good time to review your organization’s privacy notices and data collection processes.