SAN FRANCISCO (CN) — Twitter will pay a $150 million fine to settle claims that it deceived users about data privacy, specifically how it was using their contact information to make money.
The agreement was announced Wednesday just hours after the federal government filed a federal lawsuit against the social media platform, claiming Twitter obtained users’ phone numbers and email addresses under the pretense of using the information for two-factor authentication, then used that data to help companies target them with advertisements.
“From at least May 2013 until at least September 2019, Twitter misrepresented to users of its online communication service the extent to which it maintained and protected the security and privacy of their nonpublic contact information,” the government’s complaint states. “Specifically, while Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences.”
The complaint says Twitter violated a 2011 consent decree it reached with the Federal Trade Commission on consumer privacy following an FTC complaint that it allowed hackers to gain administrative control of the platform twice in 2009 and send fake tweets from users’ accounts.
The deal stipulated that Twitter not mislead users about data security for 20 years.
“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," FTC Chair Lina Khan said in a statement. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue."
Twitter disclosed in a 2020 corporate filing that the FTC was investigating the company for violating the 2011 consent decree, the New York Times reported at the time.
Wednesday's agreement requires Twitter to develop and maintain a “comprehensive privacy and information-security program,” and regularly test its privacy safeguards. Twitter must also have an independent assessor review its data privacy program and report any data privacy incidents affecting 250 or more users. The Justice Department and FTC will enforce compliance.
"The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy,” Associate Attorney General Vanita Gupta said in a statement.