FTC: Twitter to Pay $150M for User Account Information Privacy Violations

On Wednesday, the Federal Trade Commission (FTC) sued Twitter Inc. over allegations that it both violated the FTC Act and a 2011 FTC order by disingenuously placing its business interests above user privacy. Under the parties’ jointly stipulated proposed order, which is subject to judicial approval, Twitter must pay a $150 million penalty and is banned from profiting from its deceptively collected data.

The news is not a complete surprise, as in 2020, Twitter revealed that it could be on the hook for user information violations. In a quarterly financial filing, the company admitted that it could face fines of up to $250 million for the precise conduct the FTC now takes issue with, misrepresentating the extent to which Twitter maintained and protected the security and privacy of users’ non-public contact information from May 2013 to September 2019, and possibly longer.

The Northern District of California complaint explains that the online communication service’s “core business model” monetizes user information by offering it for advertising services including “Tailored Audiences” and “Partner Audiences.” Each allows advertisers to target users by matching their Twitter-collected telephone numbers and email addresses with either advertisers’ or data brokers’ lists of contact numbers and emails. 

In 2011, and after an investigation, the FTC lodged an administrative complaint alleging that Twitter misrepresented that users could control who had access to their tweets through a “protected account” and that they could send private “direct messages” that could only be viewed by the recipient when, in fact, Twitter lacked safeguards to ensure that those choices were respected. Further, the FTC contended that Twitter touted its ability to keep user accounts safe when in reality it could not prevent unauthorized access of non-public information. 

The resulting order, signed by the company’s general counsel in early 2011, prohibits Twitter from misrepresenting the extent to which it maintains and protects the security or integrity of any non-public consumer information.

This week’s complaint says that Twitter dually breached that agreement and violated the FTC Act by not disclosing or not adequately disclosing that it utilized users’ telephone numbers and email addresses for targeted advertising through its Tailored Audiences and Partner Audiences services. The lawsuit says the defendant collected over 140 million users’ information, allegedly provided to the company on their reliance that Twitter would not misuse the information, and for the purported purpose of two-factor authentication. 

“Twitter knew or should have known that its conduct violated the 2011 Order,” the seven-count lawsuit says. 

The federal government is represented by its own counsel and Twitter by Wilson Sonsini Goodrich & Rosati.