The Federal Trade Commission (FTC) and the US Department of Justice (DoJ) have ordered Twitter to pay a $150 million penalty for using customers’ phone numbers to target them with ads without explicitly saying so.
The FTC said on Wednesday that Twitter “deceptively” used account security data for targeted advertising, violating a 2011 order that prohibited the company from misrepresenting its privacy and security practices.
“Twitter asked users to give their phone numbers and email addresses to protect their accounts,” the FTC said in its press release. “The firm then profited by allowing advertisers to use this data to target specific users.”
A complaint filed by the Department of Justice on behalf of the FTC stated that Twitter began asking users for a phone number or email address to strengthen account security in 2013.
“For example, the information was used to help reset user passwords and unlock accounts the company might have blocked due to suspicious activity, as well as for enabling two-factor authentication,” the FTC added.
More than 140 million users enabled two-factor authentication between 2014 and 2019, unaware that Twitter would also use that data to target them with ads related to their interests and online habits, alleged the FTC.
“Twitter used the phone numbers and email addresses to allow advertisers to target specific ads to specific consumers by matching the information with data they already had or obtained from data brokers,” read the complaint.
The practice also allegedly put users’ privacy at risk by failing to keep their personal information protected in two separate data breaches.
Along with the $150 million penalty, the FTC ended the press release by proposing provisions that would:
- Prohibit Twitter from profiting from deceptively collected data.
- Allow users to use alternative multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their phone numbers.
- Notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about Twitter’s privacy and security controls.
- Implement and maintain a comprehensive privacy and information security program that requires the company, among other things,to examine and address the potential privacy and security risks of new products.
- Limit employee access to users’ personal data.
- Notify the FTC if the company experiences a data breach.