Twitter to pay $150 million penalty for allegedly breaking its privacy promises – again

It’s FTC 101. Companies can’t tell consumers they’ll use their personal data for one purpose and then use it for another. But according to the FTC, that’s the kind of digital Twitter bait-and-switch that lured unsuspecting consumers. Twitter asked users for personal information for the express purpose of securing their accounts, but then used it to serve targeted ads for Twitter’s financial gain. It wasn’t Twitter’s first alleged violation of the FTC Act, but it will cost the company $150 million in civil penalties.

The story begins with the FTC’s 2010 complaint against Twitter. In that case, Twitter told users that they could control who had access to their tweets and that their private messages could only be seen by recipients. But according to the FTC, Twitter did not have reasonable safeguards in place to ensure that users’ choices were respected. The 2010 complaint cited multiple instances in which Twitter’s actions and inactions led to unauthorized access to users’ personal information. To resolve that issue, the company agreed to an order, which became final in 2011, that exposed it to significant financial penalties if it further misrepresented “the extent to which [Twitter] maintain and protect the security, privacy, confidentiality or integrity of any non-public consumer information.”

The newly announced $150 million civil penalty stems from a new complaint filed by the Department of Justice on behalf of the FTC, alleging that Twitter violated the order in the previous case by collecting personal customer information for the stated purpose of security and then exploiting it commercially. You’ll want to read the complaint for details, but here’s how the FTC says Twitter misled its customers.

From May 2013 to September 2019, Twitter prompted users to provide their phone numbers or email addresses for security purposes, such as enabling multi-factor authentication. (Multi-factor authentication is an extra layer of security that requires special forms of identification to log into an account — for example, a password and a code sent to a user’s verified email address.) Twitter also told people that it would use their personal data to help with account recovery (for example, if users have forgotten their passwords) or to re-enable full access if Twitter detects suspicious activity on a person’s account. The FTC says Twitter got people to give up their phone numbers and email addresses by claiming the company’s goal was to, for example, “Protect your account.” Twitter further encouraged users to provide that information because “An additional layer of security helps ensure that you, and only you, can access your Twitter account.”

But according to the FTC, much more was going on behind the scenes. In fact, in addition to using people’s phone numbers and email addresses for the protection purposes the company claimed, Twitter also used the information to serve people targeted ads — ads that made Twitter millions.

How convincing was Twitter’s security pitch? During the time period covered by the complaint, more than 140 million users gave Twitter their email addresses or phone numbers for security purposes. Would the same number of people have provided that information if they had known how Twitter would actually use it? We don’t think so. If you’re struck by the irony of a company exploiting consumers’ privacy concerns in a way that facilitated further invasions of consumers’ privacy, it’s an irony not lost on the FTC.

In addition to imposing a $150 million civil penalty for violating the 2011 order, the new order adds more provisions to protect consumers in the future:

  • Twitter is prohibited from using phone numbers and email addresses it has illegally collected to serve ads.
  • Twitter must notify users of the misuse of phone numbers and email addresses, tell them about the FTC’s enforcement action, and explain how they can opt out of personalized ads and review their multi-factor authentication settings.
  • Twitter should offer multi-factor authentication options that don’t require people to provide a phone number.
  • Twitter must implement an enhanced privacy program AND an enhanced information security program that includes several new provisions set forth in the order, obtain privacy and security assessments from an independent third party approved by the FTC, and report privacy or security incidents to the FTC within 30 days.

What can other companies take from the latest action against Twitter?

What the text gives, a privacy policy or buried disclaimer can’t take away. Consumers have the right to rely on what you say when you ask for their information. Burying a contradictory statement elsewhere on your website is unlikely to correct a misrepresentation.

Keeping customer information secure is a win-win. Consumers benefit when companies take extra steps to protect their personal data. So let’s be clear: multi-factor authentication can be an effective way to do this. Don’t discourage people from accepting multi-factor authentication by making them give up their privacy to use it.

Violation of the FTC’s orders will result in substantial fines. The FTC takes enforcement of the order seriously and will use every legal means to hold repeat offenders accountable for further violations.

Looking for more about the Twitter issue? Read the FTC’s technical blog.
