- Twitter reached a $150 million settlement with the Department of Justice and Federal Trade Commission over alleged misrepresentations of its data privacy practices.
- The government accused Twitter of misrepresenting the extent of its security and privacy protections of users' nonpublic contact information between at least May 2013 to September 2019.
- The U.S. alleged Twitter told users it collected contact information to secure their accounts, but didn't disclose it also used that data to target ads.
Twitter reached a $150 million settlement with the Department of Justice and Federal Trade Commission over alleged misrepresentations of its data privacy practices, the agencies announced on Wednesday.
The settlement, which still needs to be approved by a federal judge, would resolve claims from the government that Twitter did not adequately inform its users about how their contact information would be used to target ads rather than just secure their accounts, in violation of the FTC Act and a 2011 settlement it reached with the agency.
In a lawsuit accompanying the settlement announcement, the government accused Twitter of misrepresenting the extent of its security and privacy protections of users' nonpublic contact information between at least May 2013 to September 2019.
The agencies alleged Twitter told users it collected phone numbers and email addresses to secure their accounts with two-factor authentication, but did not disclose it also used that information to help advertisers target their messages. They also accused Twitter of falsely claiming to comply with international privacy shield frameworks that ban companies from processing user data for purposes they have not authorized.
In a statement announcing the settlement, FTC Chair Lina Khan said Twitter's alleged violations impacted more than 140 million Twitter users.
As part of the settlement, Twitter will also have to install new compliance measures, including creating a comprehensive privacy program, conducting a privacy review and written report before implementing any new product or service collecting private user information, and regularly testing its data privacy protections. It will also need to submit to regular independent assessments of its data privacy program. The DOJ and FTC will both be responsible for enforcing compliance with the settlement terms.
DOJ Associate Attorney General Vanita Gupta said in a statement, "The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today's proposed settlement will help prevent further misleading tactics that threaten users' privacy."
The $150 million fine represents about 3% of Twitter's 2021 revenue of $5.08 billion.
The settlement is the latest attempt by U.S. law enforcers to apply consumer protection law to alleged data privacy violations. In 2019, the FTC settled a privacy claim against Facebook for a record $5 billion. But critics at the time said that was still not enough, given that figure represented about 9% of the company's 2018 revenue, and argued it was a slap on the wrist that would incentivize tech companies to take such risks again.
In a blog post on Wednesday, Twitter Chief Privacy Officer Damien Kieran wrote that the incident, which the company disclosed in 2019, involved user contact information provided for account security that "may have been inadvertently used for advertising."
"This issue was addressed as of September 17, 2019, and today we want to reiterate the work we'll continue to do to protect the privacy and security of the people who use Twitter," Kieran wrote.
"Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way," he added. "In reaching this settlement, we have paid a $150M USD penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people's personal data remains secure and their privacy protected."