The Federal Trade Commission is taking action against Twitter, Inc. for deceptively using account security data for targeted advertising. Twitter asked users to give their phone numbers and email addresses to protect their accounts. The firm then profited by allowing advertisers to use this data to target specific users. Twitter’s deception violates a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices. Under the proposed order, Twitter must pay a $150 million penalty and is banned from profiting from its deceptively collected data.
“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," said FTC Chair Lina M. Khan. "This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
In addition to the $150 million penalty, other provisions of the proposed order would:
- prohibit Twitter from profiting from deceptively collected data;
- allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
- notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls;
- implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
- limit employee access to users’ personal data; and
- notify the FTC if the company experiences a data breach.
So which executive ordered this at Twitter? And who’s going to jail?