Twitter’s Deceptive Use of Customer Account Security Data Results in $150 Million Fine Plus Additional Restrictions

By: Alan S. Wernick

On May 25, 2022, the Federal Trade Commission (“FTC”) filed in the U.S. District Court, Northern District of California, a Complaint against Twitter, Inc., and a Joint Motion For Entry Of Stipulated Order (signed by representatives for both parties), for civil penalties, permanent injunction, monetary relief, and other equitable relief. The primary underlying problem stemmed from Twitter’s allegedly deceptive use of account security data for targeting advertising: Twitter asked users to provide their phone numbers and e-mail addresses in order to protect the user’s account, and then Twitter profited by allowing advertisers to use this customer data to target specific users. As discussed below, Twitter, among other things, agreed to pay a $150 million penalty and agreed to stop profiting from its deceptively collected user data.

As alleged in the Complaint (¶27), “Twitter has prompted users to provide a telephone number or email address for the express purpose of securing or authenticating their Twitter accounts. … Twitter collected telephone numbers and email addresses from users specifically for purposes of allowing users to enable two-factor authentication, to assist with account recovery (e.g., to provide access to accounts when users have forgotten their passwords), and to re-authenticate users (e.g., to re-enable full access to an account after Twitter has detected suspicious or malicious activity). From at least May 2013 through at least September 2019, Twitter did not disclose, or did not disclose adequately, that it used these telephone numbers and email addresses to target advertisements to those users through its Tailored Audiences and Partner Audiences services.”

The Complaint references a 2011 FTC settlement Decision and Order concerning Twitter in which Twitter settled allegations that it had misrepresented the extent to which Twitter protected the privacy and security of nonpublic consumer information. That FTC Order, among other things, prohibited Twitter from misrepresenting the extent to which Twitter maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information. Premised on that 2011 FTC order, the Complaint alleges (¶29): “More than 140 million Twitter users provided email addresses or telephone numbers to Twitter based on Twitter’s deceptive statements that their information would be used for specific purposes related to account security. Twitter knew or should have known that its conduct violated the 2011 Order, which prohibits misrepresentations concerning how Twitter maintains email addresses and telephone numbers collected from users.”

In addition to the $150 million penalty, the Agreed Stipulated Order provides, among other things:

  • Prohibitions against Twitter misrepresenting its data collection purposes and practices.
  • Limitations on Twitter’s use of phone numbers or e-mail addresses specifically provided by users to Twitter to enable account security features.
  • Requirement of notices to consumers concerning “Twitter’s Use of Your Personal Information for Tailored Advertising” alerting them that Twitter misused phone numbers and email addresses collected for account security to also target ads to the consumers, and to also provide information about Twitter’s privacy and security controls.
  • Requirement that multi-factor authentication options be made available to access the customer’s Twitter account. There are many other widely adopted industry authentication options that do not require the consumer to provide a phone number (e.g., authentication apps, security keys, etc.).
  • Requirement that Twitter maintain a comprehensive privacy and information security program that protects the privacy, security, confidentiality, and integrity of certain personal information (“Covered Information” as defined in the Order, ¶B) from the customer (e.g., first or last name, geolocation information, e-mail address, phone number, photos/videos, Internet Protocol address, User ID, Social Security number, driver’s license or other government issued ID, financial account number, credit/debit information, date of birth, biometric information, any combination of the above).
  • Twenty (20) years of oversight by the FTC.

The bottom line is that this FTC Stipulated Order should serve as a caution to businesses to: (1) be crystal clear about the purposes for which they are requesting consumer information; (2) only collect such information consistent with applicable privacy laws; and (3) have strong internal compliance controls in place to ensure that the use of that information is limited to those lawful purposes.

© 2022 Alan S. Wernick and Aronberg Goldgehn.
