Twitter’s Privacy Violations Result in $150 Million FTC Fine
As announced on May 25, 2022 by the U.S. Federal Trade Commission (the “FTC”), Twitter has agreed to pay a huge fine of $150 million for engaging in unfair or deceptive acts and practices by obtaining Twitter users’ personal information under false pretenses – and then using it for targeted marketing.[1]
Specifically, Twitter was accused of engaging in the following three (3) different schemes to obtain user information for one purpose, while actually using it for another, undisclosed purpose, namely, marketing to benefit Twitter commercially.
- The Two-Factor Authorization Ruse. First, Twitter was accused of obtaining user email addresses and phone numbers ostensibly to enable two (2) factor authentication of their Twitter accounts (the “Two-Factor Authorization Ruse”).[2] However, unbeknownst to the users, Twitter then turned around and used these phone numbers and email addresses to provide targeted advertising to those users, without their consent or knowledge. During the relevant period, approximately two (2) million users provided a telephone number or email address related to the Two-Factor Authorization Ruse.[3]
- The Lost Password Ruse. In addition to the Two-Factor Authorization Ruse, Twitter also deceptively obtained users’ telephone numbers and email addresses under the guise that such personal information could be used to access a Twitter account in the event of a lost password (the “Lost Password Ruse”). Just like the Two-Factor Authorization Ruse, the telephone numbers and email addresses obtained through the Lost Password Ruse were used for targeted marketing purposes. During the relevant period, approximately thirty-seven (37) million users provided a phone number or email address related to the Lost Password Ruse.[4]
- The Re-Authentication Ruse. Similarly, Twitter deceptively obtained telephone numbers and email addresses for re-authenticating a user account where suspicious or malicious activity was detected (the “Re-Authentication Ruse”). Like the Two-Factor Authorization Ruse and the Lost Password Ruse, the telephone numbers and email addresses obtained through the Re-Authentication Ruse were used for the targeted marketing of unsuspecting Twitter users. During the relevant period, approximately one hundred and four (104) million users provided a phone number or email address related to the Re-Authentication Ruse.[5]
Twitter was also charged with falsely certifying that it was in compliance with the EU-US and Swiss-US Privacy Shield Frameworks – when it was not.[6]
Significantly, Twitter was already subject to an FTC order from 2011[7] (the “2011 FTC Order”) for failing to provide adequate security for user information and for failing to comply with privacy choices selected by users. While no monetary penalties were imposed on Twitter at that time, Twitter was barred for twenty (20) years from misleading consumers about its protection of security, privacy, and confidentiality of nonpublic consumer information.[8] As a result, these new violations also violated the 2011 FTC Order.
This new FTC action against Twitter is a wake-up call to all social media, ecommerce, and other businesses that obtain email addresses, phone numbers, or other user information ostensibly for privacy protection purposes, but then either sell such information or use it for other purposes.
SLG has extensive experience advising clients regarding unfair and deceptive acts and practices and truth in advertising in the context of FTC rules, laws, and guidelines, as well as other applicable state and federal laws in connection with social media, ecommerce, influencers, and endorsements. To schedule a complimentary consultation, please contact SLG at info@shelgroup.com.
[1] See May 25, 2022 FTC Press Release at https://www.ftc.gov/news-events/news/press-releases/2022/05/ftc-charges-twitter-deceptively-using-account-security-data-sell-targeted-ads.
[2] See Consent Order at https://www.ftc.gov/system/files/ftc_gov/pdf/2023062TwitterMtnEntryOrder.pdf (the “Order”).
[3] See Order at ¶¶ 30-38; 60-63.
[4] Id. at ¶¶ 39-44; 64-67.
[5] Id. at ¶¶ 45-51; 68-71.
[6] Id. at ¶¶ 52-58; 72-75.
[7] Id. at ¶¶ 13-16.
[8] See, e.g., FTC 2011 Press Release at https://www.ftc.gov/news-events/news/press-releases/2011/03/ftc-accepts-final-settlement-twitter-failure-safeguard-personal-information.