Federal regulators Wednesday announced that Twitter will pay a $150 million fine to settle allegations that it deceptively used email address and phone numbers it had collected to target advertising, in one of the largest privacy settlements federal regulators have reached with a tech giant.
The Federal Trade Commission and the Justice Department said the company also will be banned from profiting off the “deceptively collected” data and be required to notify the more than 140 million users who were affected that it used their phone numbers and email addresses for advertising, according to a news release about the settlement. And the company will be required to implement and maintain a new privacy program that will require the company to review the security risks of new products.
“The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy,” Associate Attorney General Vanita Gupta said in a release.
The Twitter fine is significantly smaller than the $5 billion fine that the FTC slapped Facebook with in 2019, but is slightly higher than the 2018 settlement that states reached with Uber over a 2016 data breach. The fine amounts to about 13 percent of Twitter’s revenue in the first quarter of 2022. Democrats and critics of the tech industry have warned that such fines are toothless against some of the most well-resourced companies in the world.
As backing for the settlement, the U.S. government filed a complaint against the company Wednesday in federal court in the Northern District of California, alleging that Twitter broke federal law as well as a 2011 order it reached with the FTC over allegations that it failed to safeguard personal information.
“Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way,” the company said in a blog post responding to the settlement. “Moving forward, we will continue to make investments in this work, including building and evolving processes, implementing technical measures, and conducting regular auditing and reporting to ensure we are mitigating risk at every level and function at Twitter.”
Twitter first announced in 2019 that it “inadvertently” mishandled users’ email and phone numbers for advertising purposes, one in a string of data privacy and security mishaps at the company. More recently in 2020, the company suffered a data breach that targeted high-profile politicians and billionaires, including Elon Musk.
Twitter says phone numbers users provided for security were ‘inadvertently’ used for ad purposes
Federal regulators penalized Facebook in 2019 for a similar situation.
The regulators’ complaint alleges that Twitter began asking people to provide emails and phone numbers in 2013, to help them reset accounts or enable two-factor authentication. Between 2014 and 2019, as millions shared those details, the company never told them that it would be matching those email addresses and phone numbers with data from data brokers to serve ads, the complaint alleges.
Under the settlement, Twitter will be required to give people other means to verify their accounts, such as security keys or mobile apps that do not involve phone numbers. The company will also have to limit access to users’ data and notify the FTC if it experiences a data breach.
The complaint had the backing of Democrats and Republicans on the FTC.
“We reject the characterization of substantial penalties as ‘a slap on the wrist,’” Republican commissioners Noah Phillips and Christine Wilson said in a joint statement. “Penalties matter, then and now. And so do the privacy programs and assessments that orders like today’s command.”
A previous version incorrectly stated that the FTC fined Uber $148 million over a 2016 data breach. The company reached the settlement with 50 states and the District of Columbia. This version has been corrected.