Twitter fined US$150m for failing to protect users’ privacy in a span of 6 years

The social media company will pay a US$150 million penalty and put in new safeguards to settle federal regulators’ allegations.
26 May 2022

Twitter fined US$150m for failing to protect users’ privacy in a span of 6 years. (Photo by Amy Osborne / AFP)

  • Between May 2013 and September 2019, Twitter deceived users on privacy matters, telling them it was collecting their phone numbers and email addresses for purposes of account security.
  • What it failed to disclose is that it would also use that information to let companies target online ads at users on the platform.
  • Twitter also falsely claimed that it complied with the EU-US and Swiss-US Privacy Shield frameworks.

More than a decade ago, in 2010, the Federal Trade Commission (FTC) charged that Twitter, contrary to its privacy policy statements, had failed to safeguard users’ personal information. That case was settled on March 11, 2011, with an order barring the platform for 20 years from “misleading consumers about the extent to which it protects the security, privacy and confidentiality of nonpublic consumer information.”

The 2011 settlement also required Twitter to create a “comprehensive information security program,” to be reviewed by an independent auditor every other year for 10 years. Yet a little over two years later, Twitter allegedly began violating the order through what the FTC now calls a “digital bait-and-switch”: collecting customers’ personal information for the stated purpose of security and then exploiting it commercially.

To be precise, between May 2013 and September 2019, Twitter prompted users to provide their telephone numbers or email addresses for security purposes, such as enabling multi-factor authentication. The platform also told people it would use that data to help with account recovery, or to restore full access if Twitter detected suspicious activity on an account.

But according to the FTC, much more was going on behind the scenes. In addition to using people’s phone numbers and email addresses for the protective purposes the company claimed, Twitter also used the information to serve them targeted ads, which earned the company many millions of dollars.

“Just how persuasive was Twitter’s security pitch? During the time period covered by the complaint, more than 140 million users gave Twitter their email addresses or phone numbers for security purposes. Would that same number of people have given Twitter that information if they knew how else Twitter was going to use it? We don’t think so. If you’re struck by the irony of a company exploiting consumers’ privacy concerns in a way that facilitates further invasions of consumers’ privacy, it’s an irony not lost on the FTC,” the commission said in a statement.

The complaint further alleges that Twitter falsely claimed to comply with the EU-US and Swiss-US Privacy Shield frameworks, which prohibit companies from processing user information in ways that are incompatible with the purposes authorized by the users. “It wasn’t Twitter’s first alleged violation of the FTC Act, but this one will cost the company US$150 million in civil penalties,” the FTC said.

New order for Twitter to protect users’ privacy

Twitter has agreed to settle the government’s allegations by paying the full amount and implementing significant new compliance measures intended to ensure it improves its data privacy practices. For instance, Twitter will be required to develop and maintain a comprehensive privacy and information-security program, conduct a privacy review with a written report before launching any new product or service that collects users’ private information, and regularly test its data privacy safeguards.

Twitter also will be required to obtain regular assessments of its data privacy program from an independent assessor, provide annual certifications of compliance from a senior officer, provide reports after any data privacy incidents affecting 250 or more users, and comply with numerous other reporting and record-keeping requirements.

The settlement also will require Twitter to notify all US customers who joined Twitter before September 17, 2019, about the settlement and to provide users with options for protecting their privacy and security. Under the settlement terms, the Department of Justice and FTC will each have responsibility for monitoring and enforcing Twitter’s compliance.