Privacy Law 101 includes the simple but important basic concept that organizations can use the personal information they collect only for what they say they will and how they say they will. According to the Federal Trade Commission (“FTC”) and the Department of Justice (“DOJ”), Twitter made this mistake — and it will cost Twitter $150 million as a result.
On May 25, 2022, Twitter reached a proposed settlement with the DOJ and the FTC to resolve allegations that Twitter violated the FTC Act and an order issued by the FTC in 2011 by misrepresenting how it would use users’ personal information, including users’ non-public contact information.
“As the complaint points out, Twitter obtained data from users under the pretense of using it for security purposes, but then ended up using the data to target users with ads,” said FTC Chairman Lina M. Khan. “This practice affected more than 140 million Twitter users, increasing Twitter’s primary source of revenue.”
US Attorney Stephanie M. Hinds for the Northern District of California noted: “Consumers who share their private information have a right to know if that information is being used to help advertisers target customers. Social media companies that are not honest with consumers about how their personal information is used will be held accountable.”
The complaint alleged that from May 2013 through at least September 2019, Twitter misrepresented to more than 140 million users the extent to which it maintained and protected the security and privacy of their non-public contact information. Twitter told users that it collected their phone numbers and email addresses to secure their accounts — but, according to the Complaint, it failed to disclose that it also used this information for advertising purposes. The complaint alleged that these misrepresentations violated the FTC Act, as well as the 2011 FTC Order that specifically prohibited Twitter from making misrepresentations about the security of nonpublic consumer information.
The complaint also alleged that Twitter misrepresented that it processed its users’ personal information in accordance with the EU-US and Swiss-US Privacy Shield Frameworks. Under such frameworks, Twitter self-certifies, among other things, that it will not process the user’s personal information in a way that is inconsistent with the purposes for which it was collected or subsequently authorized by the user. While these frameworks have been largely forgotten by many organizations since the Court of Justice of the European Union invalidated them as a data transfer mechanism, the representations that organizations have made (and continue to make through their neglected privacy policies) under those frameworks may still be valid.
In addition to paying $150 million in civil penalties, the proposed settlement would: (a) prohibit Twitter from profiting from fraudulently collected data; (b) allow users to use other multi-factor authentication methods, such as mobile authentication apps or security keys that do not require users to provide their phone numbers; (c) notify users that it has misused phone numbers and email addresses collected for account security to also target advertising to them and provide information about Twitter’s privacy and security controls; (d) implement and maintain a comprehensive privacy and information security program that requires the company to, among other things, review and address potential privacy and security risks of new products; (e) restrict employee access to users’ personal data; and (f) notify the FTC if the Company experiences a data breach.
Organizations should be very careful when drafting notices to consumers about how they will handle consumers’ personal information, and when developing a privacy program, organizations should thoroughly review all data collection processes and all notices provided during the customer journey. If there are inconsistencies between your notices to consumers about data collection and the organization’s usage practices (e.g., you tell consumers you’ll only use their email address for one thing when they give it to you, but your privacy policy says you’ll use that information for a bunch of other things), it’s possible that regulators will interpret those inconsistencies in the consumer’s favor. It’s also important to note that burying content about data usage in a privacy policy is unlikely to constitute notice to consumers when the user experience says otherwise.
It’s always a good time to review your organization’s privacy notices and data collection processes.
©1994-2022 Mintz, Levin, Cohn, Ferris, Glovsky and Popeo, PC. All rights reserved. National Law Review, Volume XII, Number 152