Privacy law 101 includes a simple but important basic concept that organizations may only use personal information they collect for what they say they will, and how they say they will. According to the Federal Trade Commission ("FTC") and the Department of Justice ("DOJ"), Twitter got this wrong - and it is going to cost Twitter $150M as a result.
On May 25, 2022, Twitter reached a proposed settlement with the DOJ and the FTC to resolve allegations that Twitter violated the FTC Act and an Order issued by the FTC in 2011 by misrepresenting how it would make use of users’ personal information, including users’ nonpublic contact information.
“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said FTC Chair Lina M. Khan. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
U.S. Attorney Stephanie M. Hinds for the Northern District of California noted, “Consumers who share their private information have a right to know if that information is being used to help advertisers target customers. Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”
The Complaint alleged that from May 2013 until at least September 2019, Twitter misrepresented to more than 140 million users the extent to which it maintained and protected the security and privacy of their nonpublic contact information. Twitter told users that it collected their phone numbers and email addresses to secure their accounts – but, according to the Complaint, failed to disclose that it also used this information for advertising purposes. The Complaint alleged that these misrepresentations violated the FTC Act, as well as the 2011 FTC Order that specifically prohibited Twitter from making misrepresentations regarding the security of nonpublic consumer information.
The Complaint also alleged that Twitter misrepresented that it processed personal information of its users in accordance with the EU-US and Swiss-US Privacy Shield Frameworks. Under those frameworks, Twitter self-certified, among other things, that it would not process user personal information in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the user. While these frameworks have been largely forgotten by many organizations since the Court of Justice of the European Union invalidated them as a data transfer mechanism, representations that organizations made (and continue to make in their neglected privacy policies) under those frameworks can live on.
In addition to paying $150 million in civil penalties, the proposed settlement would: (a) prohibit Twitter from profiting from deceptively collected data; (b) allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers; (c) notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls; (d) implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products; (e) limit employee access to users’ personal data; and (f) notify the FTC if the company experiences a data breach.
Organizations should be very careful when drafting notices to consumers about how they will handle consumers’ personal information, and when developing a privacy program, organizations must fully review their entire data collection processes, including every notice presented during the consumer journey. If there are inconsistencies between the organization’s consumer notices and its data collection and use practices (e.g., you tell consumers that you will only use their email address for one thing when they provide it to you, but your privacy policy says you will use that information for a whole host of other things), chances are regulators will construe those inconsistencies in favor of the consumer. It is also important to note that burying content about data use in a privacy policy is unlikely to constitute notice to consumers where the user experience says something different.
It is always a good time to review your organization’s privacy notices and data collection processes.