On May 25, 2022, the US Department of Justice (“DOJ”) and the US Federal Trade Commission (“FTC”) announced that the government had reached a proposed $150 million settlement with Twitter Inc. to resolve allegations that the company violated the FTC Act, an administrative order issued by the FTC in March 2011, and other legal obligations, by using consumers’ information for a purpose other than that disclosed to its users at the time the data was collected.
In the complaint, the government alleges that until September 2019 Twitter disclosed to its users that it would collect such information as phone numbers and email addresses only for account-security purposes, like multi-factor authentication. However, Twitter was also allegedly selling that information to third parties for targeted advertising purposes. The complaint stated that the personal information of more than 140 million Twitter users was affected between 2014 and 2019. In addition to alleging that these activities violated the FTC Act and a March 2011 order from the FTC that prohibited the company from misrepresenting its privacy practices, the complaint asserts that these misrepresentations violated the EU-US Privacy Shield and Swiss-US Privacy Shield Frameworks, to which Twitter had self-certified compliance in 2016.
In additional to the $150 million civil penalty, the settlement, once approved by the court, will require Twitter to implement a comprehensive privacy and information-security program to protect user data; prohibit Twitter from profiting from deceptively-collected data moving forward; require Twitter to provide alternative multi-factor authentication methods to enable users to protect their accounts without disclosing their telephone numbers; and add restrictions to Twitter employees’ access to nonpublic user data. The DOJ and FTC will monitor Twitter’s compliance with the terms of settlement, and an independent assessor will undertake regular assessments of the data privacy program to ensure that Twitter complies with its reporting and record-keeping requirements.