By Lesley Fair
It’s FTC 101. Companies can’t tell consumers they will use their personal information for one purpose and then use it for another. But according to the FTC, that’s the kind of digital bait-and-switch Twitter pulled on unsuspecting consumers. Twitter asked users for personal information for the express purpose of securing their accounts, but then also used it to serve targeted ads for Twitter’s financial benefit. It wasn’t Twitter’s first alleged violation of the FTC Act, but this one will cost the company $150 million in civil penalties.
The story starts with the FTC’s 2010 complaint against Twitter. In that case, Twitter told users that users could control who had access to their tweets and that their private messages could be viewed only by recipients. But according to the FTC, Twitter didn’t have reasonable safeguards to ensure users’ choices were honored. The 2010 complaint cited multiple instances in which Twitter’s actions – and inactions – led to unauthorized access of users’ personal information. To settle that case, the company agreed to an order that became final in 2011 that would impose substantial financial penalties if it further misrepresented “the extent to which [Twitter] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.”
The just-announced $150 million civil penalty stems from a new complaint filed by the Department of Justice on behalf of the FTC, alleging that Twitter violated the order in the earlier case by collecting customers’ personal information for the stated purpose of security and then exploiting it commercially. You’ll want to read the complaint for the details, but here’s how the FTC says Twitter deceived its customers.
From May 2013 through September 2019, Twitter prompted users to provide their telephone numbers or email addresses for security purposes, such as to enable multi-factor authentication. (Multi-factor authentication is an additional layer of security that requires separate forms of identification to access an account – for example, a password and a code sent to a user’s verified email address.) Twitter also told people it would use their personal data to help with account recovery (for example, if users forgot their passwords) or to re-enable full access if Twitter detected suspicious activity on a person’s account. The FTC says Twitter induced people to provide their phone numbers and email addresses by claiming that the company’s purpose was, for example, to “Safeguard your account.” Twitter further encouraged users to provide that information because “An extra layer of security helps make sure that you, and only you, can access your Twitter account.”
But according to the FTC, much more was going on behind the scenes.
Read more at the FTC’s Blog.