Twitter has agreed to pay $150 million to settle a privacy lawsuit with the Department of Justice (DOJ) and Federal Trade Commission (FTC) for deceptively using at least 140 million users' email addresses and phone numbers for targeted advertising. According to the FTC, Twitter asked users for personal information for the express purpose of securing their accounts, but then "also used it to serve targeted ads for Twitter's financial benefit". "It wasn't Twitter's first alleged violation of the FTC Act, but this one will cost the company $150 million in civil penalties," the FTC said in a statement late on Wednesday. The case goes back to 2010, when the FTC filed its complaint against Twitter. In that case, Twitter told users that they could control who had access to their tweets and that their private messages could be viewed only by recipients.
But according to the FTC, Twitter didn't have reasonable safeguards to ensure users' choices were honoured. To settle that case, the company agreed to an order that became final in 2011 that would impose substantial financial penalties if it further misrepresented "the extent to which [Twitter] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information." "The just-announced $150 million civil penalty stems from a new complaint filed by the Department of Justice on behalf of the FTC, alleging that Twitter violated the order in the earlier case by collecting customers' personal information for the stated purpose of security and then exploiting it commercially," said the FTC. From May 2013 through September 2019, Twitter prompted users to provide their telephone numbers or email addresses for security purposes, such as to enable multi-factor authentication. Twitter also told people it would use their personal data to help with account recovery (for example, if users forgot their passwords) or to re-enable full access if Twitter detected suspicious activity on a person's account. The FTC said that Twitter induced people to provide their phone numbers and email addresses by claiming that the company's purpose was, for example, to "Safeguard your account."
Twitter further encouraged users to provide that information because "An extra layer of security helps make sure that you, and only you, can access your Twitter account." In fact, in addition to using people's phone numbers and email addresses for the protective purposes the company claimed, Twitter also used the information to serve people targeted ads - ads that enriched Twitter by the multi-millions. During the time period covered by the complaint, more than 140 million users gave Twitter their email addresses or phone numbers for security purposes. In addition to imposing a $150 million civil penalty for violating the 2011 order, the new order has prohibited Twitter from using the phone numbers and email addresses it illegally collected to serve ads. "Twitter must notify users about its improper use of phone numbers and email addresses, tell them about the FTC law enforcement action, and explain how they can turn off personalised ads and review their multi-factor authentication settings," said the US agency. Twitter must also provide multi-factor authentication options that don't require people to provide a phone number, it said, adding that violating FTC orders will result in substantial penalties.