The Department of Justice and the Federal Trade Commission on May 25 announced a settlement that, if approved by a federal court, will require Twitter Inc. to pay $150 million in civil penalties and implement robust compliance measures to protect users’ data privacy. The settlement will resolve allegations that Twitter violated the FTC Act and an administrative order issued by the FTC in March 2011 by misrepresenting how it would make use of users’ nonpublic contact information, the agencies announced.
In a complaint filed on May 25 in the U.S. District Court for the Northern District of California, the government alleged that Twitter deceived users about the extent to which it maintained and protected the security and privacy of users’ nonpublic contact information. Specifically, the complaint alleges that from May 2013 to September 2019, Twitter told users that it was collecting their telephone numbers and email addresses for account security purposes, but failed to disclose that it also would use that information to help companies send targeted advertisements to consumers. The complaint also alleges that Twitter falsely claimed to comply with the European Union-U.S. and Swiss-U.S. Privacy Shield Frameworks, which prohibit companies from processing user information in ways that are not compatible with the purposes authorized by the users.
“The Department of Justice is committed to protecting the privacy of consumers’ sensitive data,” said Associate Attorney General Vanita Gupta in a statement. “The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.”
“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” FTC Chair Lina Khan said in the May 25 release. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” said U.S. Attorney Stephanie Hinds for the Northern District of California in a statement. “Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”
Twitter agreed to settle the government’s allegations by paying a $150 million civil penalty and implementing significant new compliance measures intended to ensure that Twitter improves its data privacy practices. For instance, Twitter will be required to develop and maintain a comprehensive privacy and information security program, conduct a privacy review with a written report prior to implementing any new product or service that collects users’ private information and conduct regular testing of its data privacy safeguards. Twitter also will be required to obtain regular assessments of its data privacy program from an independent assessor, provide annual certifications of compliance from a senior officer, provide reports after any data privacy incidents affecting 250 or more users and comply with numerous other reporting and record-keeping requirements. The settlement will also require Twitter to notify all U.S. customers who joined Twitter before Sept. 17, 2019, about the settlement and to provide users with options for protecting their privacy and security. Under the settlement terms, the DOJ and FTC will each be responsible for monitoring and enforcing Twitter’s compliance.
This matter is being handled by attorneys in the civil division’s consumer protection branch, including Director Gustav Eyler, Assistant Director Lisa Hsiao and trial attorneys Zachary Cowan and Deborah Sohn, Assistant U.S. Attorney Emmet Ong of the U.S. Attorney’s Office for the Northern District of California, James Kohm, Reenah Kim and Laura Koss from the FTC’s Division of Enforcement and Andrea Arias of the FTC’s Division of Privacy and Identity Protection.