FTC Sues Twitter for Deceptively Selling Account Security Data | Practical Law

FTC Sues Twitter for Deceptively Selling Account Security Data | Practical Law

The FTC has sued Twitter, Inc., alleging that it violated Section 5 of the FTC Act and a 2011 FTC order by deceptively using account security data such as telephone numbers and email accounts to aid advertisers in reaching target audiences.

FTC Sues Twitter for Deceptively Selling Account Security Data

Practical Law Legal Update w-035-7326 (Approx. 4 pages)

FTC Sues Twitter for Deceptively Selling Account Security Data

by Practical Law Data Privacy & Cybersecurity
Published on 26 May 2022USA (National/Federal)
The FTC has sued Twitter, Inc., alleging that it violated Section 5 of the FTC Act and a 2011 FTC order by deceptively using account security data such as telephone numbers and email accounts to aid advertisers in reaching target audiences.
In a May 25, 2022 press release, the FTC announced that it sued Twitter, Inc., for deceptively selling account security data for targeted advertising. The complaint, filed by the Department of Justice on the FTC's behalf, alleges that Twitter's conduct violated FTC Act Section 5 (15 U.S.C. § 45(a)(1) and (2)) and a prior FTC order.
According to the FTC, from 2014 to 2019, Twitter asked users to provide phone numbers or email addresses to help secure accounts and failed to disclose that it would allow advertisers to use this data to target specific users. Twitter's deceptive use of users' phone numbers and email addresses for targeted advertising also allegedly violated the EU-US Privacy Shield and Swiss-US Privacy Shield agreements, which required participating companies to follow certain privacy principles to legally transfer data from EU countries and Switzerland.
The complaint further alleges that Twitter's conduct violates a 2011 FTC Order that explicitly prohibited the company from misrepresenting its privacy and security practices for 20 years.
Under a proposed stipulated order, Twitter must pay a $150 million penalty and is barred from profiting from its deceptively collected data. Other provisions of the proposed order would:
  • Allow Twitter users to use multi-factor authentication methods that do not require them to provide telephone numbers.
  • Require Twitter to notify users that it misused phone numbers and email addresses collected for account security to target ads and provide information about Twitter's privacy and security controls.
  • Require Twitter to implement and maintain a comprehensive privacy and information security program that protects the privacy, security, confidentiality, and integrity of private user information.
  • Limit Twitter employee access to users' personal data.
  • Notify the FTC if Twitter experiences a data breach.
Counsel seeking additional information on maintaining user account security data should review the FTC's blog post published in connection with this proposed settlement.