It’s FTC 101. Companies can’t tell consumers they will use their personal information for one purpose and then use it for another. But according to the FTC, that’s the kind of digital bait-and-switch Twitter pulled on unsuspecting consumers. Twitter asked users for personal information for the express purpose of securing their accounts, but then also used it to serve targeted ads for Twitter’s financial benefit. It wasn’t Twitter’s first alleged violation of the FTC Act, but this one will cost the company $150 million in civil penalties.
The story starts with the FTC’s 2010 complaint against Twitter. In that case, Twitter told users that users could control who had access to their tweets and that their private messages could be viewed only by recipients. But according to the FTC, Twitter didn’t have reasonable safeguards to ensure users’ choices were honored. The 2010 complaint cited multiple instances in which Twitter’s actions – and inactions – led to unauthorized access of users’ personal information. To settle that case, the company agreed to an order that became final in 2011 that would impose substantial financial penalties if it further misrepresented “the extent to which [Twitter] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.”
The just-announced $150 million civil penalty stems from a new complaint filed by the Department of Justice on behalf of the FTC, alleging that Twitter violated the order in the earlier case by collecting customers’ personal information for the stated purpose of security and then exploiting it commercially. You’ll want to read the complaint for the details, but here’s how the FTC says Twitter received its customers.
From May 2013 through September 2019, Twitter prompted users to provide their telephone numbers or email addresses for security purposes, such as to enable multi-factor authentication. (Multi-factor authentication is an additional layer of security that requires separate forms of identification to access an account – for example, a password and a code sent to a user’s verified email address.) Twitter also told people it would use their personal data to help with account recovery (for example, if users forgot their passwords) or to re-enable full access if Twitter detected suspicious activity on a person’s account. The FTC says Twitter induced people to provide their phone numbers and email addresses by claiming that the company’s purpose was, for example, to “Safeguard your account.” Twitter further encouraged users to provide that information because “An extra layer of security helps make sure that you, and only you, can access your Twitter account.”
But according to the FTC, much more was going on behind the scenes. In fact, in addition to using people’s phone numbers and email addresses for the protective purposes the company claimed, Twitter also used the information to serve people targeted ads – ads that enriched Twitter by the multi-millions.
Just how persuasive was Twitter’s security pitch? During the time period covered by the complaint, more than 140 million users gave Twitter their email addresses or phone numbers for security purposes. Would that same number of people have given Twitter that information if they knew how else Twitter was going to use it? We don’t think so. If you’re struck by the irony of a company exploiting consumers’ privacy concerns in a way that facilitated further invasions of consumers’ privacy, it’s an irony not lost on the FTC.
In addition to imposing a $150 million civil penalty for violating the 2011 order, the new order adds more provisions to protect consumers in the future:
- Twitter is prohibited from using the phone numbers and email addresses it illegally collected to serve ads.
- Twitter must notify users about its improper use of phone numbers and email addresses, tell them about the FTC law enforcement action, and explain how they can turn off personalized ads and review their multi-factor authentication settings.
- Twitter must provide multi-factor authentication options that don’t require people to provide a phone number.
- Twitter must implement an enhanced privacy program and a beefed-up information security program that includes multiple new provisions spelled out in the order, get privacy and security assessments by an independent third party approved by the FTC, and report privacy or security incidents to the FTC within 30 days.
What can other companies take from the latest action against Twitter?
Keeping customers’ information secure is a win-win. Consumers benefit when companies take extra steps to protect their personal data. So let’s be clear: Multi-factor authentication can be an effective way to do that. Don’t discourage people from agreeing to multi-factor authentication by making them give up their privacy to use it.
Violating FTC orders will result in substantial penalties. The FTC takes order enforcement seriously and will use every lawful means to hold recidivists responsible for further violations.
Looking for more about the Twitter case? Read the FTC’s Tech Blog.