Twitter will pay a $150 million fine for breaching privacy promises — again
It’s FTC 101. Companies cannot tell consumers that they will use their personal information for one purpose and then use it for another. But according to the Federal Trade Commission (FTC), that is what Twitter did to unsuspecting consumers. Twitter asked users for personal information for the express purpose of securing their accounts, but it also used that information to serve targeted ads for Twitter’s financial benefit. This wasn’t Twitter’s first alleged violation of FTC law, but it is one that will cost the company $150 million in civil fines.
The story begins with the Federal Trade Commission’s 2010 complaint against Twitter. In that case, Twitter told users that they could control who had access to their tweets and that their private messages could be viewed only by recipients. But according to the Federal Trade Commission, Twitter had no reasonable safeguards to ensure that users’ choices were respected. The 2010 complaint cited multiple instances in which Twitter’s actions – and inaction – led to unauthorized access to users’ personal information. To settle the matter, the company agreed to an order, which became final in 2011, that would impose heavy fines if it misrepresented “the extent to which [Twitter] maintains and protects the security, privacy, confidentiality, or integrity of any non-public consumer information.”
The recently announced $150 million civil penalty stems from a new complaint filed by the Department of Justice on behalf of the Federal Trade Commission, alleging that Twitter breached the order in the previous case by collecting customers’ personal information for the stated purpose of security and then exploiting it commercially. You’ll want to read the complaint for details, but here’s how the FTC says Twitter deceived its customers.
From May 2013 through September 2019, Twitter required users to provide their phone numbers or email addresses for security purposes, such as enabling multi-factor authentication. (Multi-factor authentication is an extra layer of security that requires separate forms of identification to access an account — for example, a password and a code sent to a user’s verified email address.) Twitter also told people it would use their personal data to help with account recovery (for example, if users forget their passwords) or to re-enable full access if Twitter detects suspicious activity on someone’s account. The FTC says Twitter urged people to provide their phone numbers and email addresses by claiming that the company’s goal was, for example, to “protect your account.” Twitter also encouraged users to provide this information because “an extra layer of security helps make sure that only you can access your Twitter account.”
But according to the Federal Trade Commission, there was a lot more going on behind the scenes. In fact, in addition to using people’s phone numbers and email addresses for the security purposes the company claimed, Twitter also used the information to serve targeted ads to people – ads that enriched Twitter by millions.
How convincing was Twitter’s security pitch? During the time period covered by the complaint, more than 140 million Twitter users gave their email addresses or phone numbers for security purposes. Would the same number of people have given Twitter that information if they had known how else Twitter would use it? We don’t think so. If you are shocked by the cynicism of a company that exploits consumers’ privacy concerns in a way that facilitates further corporate forays into consumers’ privacy, it’s an irony that is not lost on the FTC.
In addition to imposing a $150 million civil penalty for violating the 2011 order, the new order adds more provisions to protect consumers in the future:
- Twitter is prohibited from using phone numbers and email addresses that it has unlawfully collected to serve ads.
- Twitter must notify users about its improper use of phone numbers and email addresses, inform them of the Federal Trade Commission’s law enforcement action, and explain how they can turn off personalized ads and review their multifactor authentication settings.
- Twitter should offer multi-factor authentication options that don’t require people to provide a phone number.
- Twitter should implement an enhanced privacy program and an enhanced information security program that include multiple new provisions outlined in the order, obtain privacy and security assessments by an independent third party approved by the FTC, and report privacy or security incidents to the FTC within 30 days.
What can other companies take from the latest action against Twitter?
Keeping customer information secure is a win-win situation. Consumers benefit when companies take additional steps to protect their personal data. Let’s be clear: Multifactor authentication can be an effective way to do this. Don’t discourage people from agreeing to multifactor authentication by making them give up their privacy to use it.
Violation of FTC orders will result in significant penalties. The Federal Trade Commission (FTC) takes enforcement of orders very seriously and will use all legal means to hold perpetrators responsible for further violations.
Looking for more about the Twitter case? Read the FTC’s Tech blog.