Last week, the United States Department of Justice, acting on behalf of the Federal Trade Commission, took action against Twitter, Inc. for allegedly using private account security data to sell targeted advertisements without informing the platform’s users. To settle the matter, Twitter agreed to a stipulated order, which the court entered a day after the complaint was filed, requiring the social media giant to pay $150 million in civil penalties.
Understanding the recent settlement warrants a quick history lesson on Twitter’s dealings with the FTC. In 2010, the FTC filed an administrative complaint against Twitter, asserting the company misrepresented the security measures it had in place to protect private user information from unauthorized access and to honor users’ privacy choices. This ultimately led to a 2011 FTC Order that barred Twitter from misrepresenting the extent to which it “maintains and protects security, privacy, confidentiality, or integrity of any nonpublic consumer information.”
Now, in the complaint filed last week in the U.S. District Court for the Northern District of California, the FTC and DOJ allege that Twitter’s conduct from May 2013 until at least September 2019 violated the FTC Act and the 2011 order. Specifically, the agencies allege that Twitter represented to its users that it collected their phone numbers and email addresses for account security and authentication purposes, but did not inform users that it also used this information to sell targeted advertisements. According to the complaint, over 140 million users provided phone numbers and email addresses to Twitter under the belief that the information was only being used for account security.
The FTC and DOJ also claim that Twitter’s conduct violated the EU-U.S. and Swiss-U.S. Privacy Shield agreements, which require participating companies transferring data from EU countries and Switzerland to comply with established privacy standards. According to the complaint, companies under FTC enforcement jurisdiction that participate in but fail to comply with the Privacy Shield agreements may be subject to an enforcement action under Section 5 of the FTC Act.
Under the stipulated order, Twitter will pay $150 million in civil penalties for the order violations. In addition to the monetary penalty, the order provides for the following injunctive relief:
- In serving advertisements, Twitter cannot use the phone numbers and email addresses it previously collected.
- Twitter must tell users about the FTC law enforcement action, inform them that it improperly used their phone numbers and email addresses to serve ads, and explain how users can turn off personalized ads.
- Twitter must provide either a multifactor account authentication option that does not require a user’s phone number or email address, such as by allowing the use of security keys; or a widely adopted industry authentication option of equivalent security levels that is not multifactor and does not require users’ phone numbers or email addresses.
- Twitter must implement enhanced privacy and security programs in accordance with the details of the order, obtain privacy and security assessments by an FTC-approved third party, and report privacy and security incidents to the FTC within 30 days of Twitter’s discovery of the incident.
While the FTC issued a unanimous 4-0 vote in support of the complaint and stipulated final order against Twitter, there were some dueling statements issued between the Democratic and Republican commissioners reflecting the often overt hostility among them.
In a concurring statement, Republican Commissioners Christine Wilson and Noah Phillips noted that the Twitter order was strikingly similar to a 2019 final order against Facebook, which received “vitriolic” criticisms from their Democratic counterparts for perceived shortcomings that the Twitter order would share. Using a chart, they cited to criticisms made by then-Commissioner Rohit Chopra, Commissioner Rebecca Slaughter, and Democratic Congressman David Cicilline. Wilson and Phillips rejected these criticisms and celebrated the settlement with Twitter as “strong” and “excellent.”
On the other hand, Chair Lina Khan and Slaughter, in their joint statement, rejected the Republican commissioners’ comparison of the Twitter and Facebook settlements, stating “no two law violations—or law violators—are exactly alike.” Without addressing the criticisms cited in their colleagues’ concurring statement, and with an almost irreverent tone, Khan and Slaughter commented that “charting and tallying may have some visual appeal, but it is no substitute for case-by-case analysis, nor can it make apples-to-apples out of oranges and bananas.”