The Federal Trade Commission (FTC) and Department of Justice (DOJ) recently ordered Twitter to pay $150 million for violating a 2011 FTC order that prohibited the company from misrepresenting its privacy and data security practices. In addition to the lofty fine, the proposed order bans Twitter from profiting from the deceptively collected data.
The FTC Order
In a 2011 action, the FTC investigated Twitter’s data security practices and found that they contradicted the privacy policy presented to users. Specifically, although the privacy policy stated, “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information” and mentioned that the company employs administrative, physical, and electronic measures designed to protect information from unauthorized access, lapses in its data security practices proved otherwise. Hackers obtained access to non-public user information and private tweets on two occasions. This led the FTC to charge Twitter with deceiving consumers and inadequately protecting their personal information. Under the final order, the FTC barred Twitter from misleading consumers about its security, privacy, and confidentiality practices and required Twitter to maintain a comprehensive information security program.
The DOJ’s Complaint
According to the DOJ complaint, Twitter has been violating the FTC order since 2014 by allowing advertisers to use account security data for marketing purposes. Specifically, from 2014 to 2019, almost 150 million users provided personal information under the impression that they were doing so to secure their accounts. Instead of using the information solely for account security purposes, as disclosed to users, the social media giant allowed advertisers to target “specific ads to specific consumers by matching the information with data they already had or obtained from data brokers,” in violation of its standing FTC order.
To that end, the FTC ordered Twitter to pay a $150 million penalty. The proposed order prohibits Twitter from profiting from deceptively collected data; it also advocates for multi-factor authentication methods that do not require users to provide their telephone numbers, limits employee access to users’ personal information, and requires a comprehensive privacy and information security program.
Primary Takeaway
As this case demonstrates, businesses must process personal data only for the purposes for which it was collected and take care to avoid using data in ways a consumer would not expect. Several US state privacy laws now explicitly state that businesses shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data is processed unless the business first obtains the data subject’s consent. Companies should pay special attention to their data practices and how they handle personal information, and ensure that these practices align with their privacy policies.