Twitter apologizes for abusing user security information after $150 million FTC settlement

Twitter published an apology on Wednesday after it was caught covertly using account security data for targeted advertising.

The social media giant admitted that for several years, users were asked to provide a phone number or email address to secure or authenticate their accounts. Twitter then used that information for targeted advertising, according to a complaint filed by the Department of Justice and Federal Trade Commission. 

In May, the company agreed to pay a $150 million fine to settle the complaint, which alleged that Twitter violated a previous order “by collecting customers’ personal information for the stated purpose of security and then exploiting it commercially.” 

In addition to the $150 million penalty, Twitter agreed to notify users that it misused the security data. 

The FTC said last month that between May 2013 and September 2019, Twitter “induced people to provide their phone numbers and email addresses by claiming that the company’s purpose was, for example, to ‘Safeguard your account.’”

But instead, Twitter “used the information to serve people targeted ads – ads that enriched Twitter by the multi-millions.”

The FTC complaint said Twitter used the phone numbers and email addresses provided to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers.

Associate Attorney General Vanita Gupta said the $150 million fine “reflects the seriousness of the allegations against Twitter.”

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," said FTC Chair Lina Khan. "This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.” 

On Wednesday, Twitter published an apology and pinned it to the top of user timelines. The company said it “may have asked for your phone number or email address to secure or authenticate your account” and “may have used these phone numbers or email addresses to deliver tailored advertising to you on Twitter until September 2019.”

“On June 6, 2022, we entered into a settlement with the Federal Trade Commission to resolve this issue,” Twitter said, claiming they “never disclosed or shared your phone number or email address with advertisers.”

“We are very sorry this happened,” the statement adds.

The practice was also in violation of the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which force companies to “follow certain privacy principles in order to legally transfer data from EU countries and Switzerland.”

In addition to the $150 million fine, the FTC said Twitter is banned from profiting off of “deceptively collected data,” forced to provide alternative methods of two-factor authentication, and ordered to implement a comprehensive privacy and information security program. 

Twitter also has to limit employee access to users’ personal data and notify the FTC if the company experiences a data breach.