On May 25, 2022, the Federal Trade Commission (“FTC”) filed in the U.S. District Court, Northern District of California, a Complaint against Twitter, Inc., and a Joint Motion For Entry Of Stipulated Order (signed by representatives for both parties), for civil penalties, permanent injunction, monetary relief, and other equitable relief. The primary underlying problem stemmed from Twitter’s allegedly deceptive use of account security data for targeting advertising: Twitter asked users to provide their phone numbers and e-mail addresses in order to protect the user’s account, and then Twitter profited by allowing advertisers to use this customer data to target specific users. As discussed below, Twitter, among other things, agreed to pay a $150 million penalty and agreed to stop profiting from its deceptively collected user data.
As alleged in the Complaint (¶27), “Twitter has prompted users to provide a telephone number or email address for the express purpose of securing or authenticating their Twitter accounts. … Twitter collected telephone numbers and email addresses from users specifically for purposes of allowing users to enable two-factor authentication, to assist with account recovery (e.g., to provide access to accounts when users have forgotten their passwords), and to re-authenticate users (e.g., to re-enable full access to an account after Twitter has detected suspicious or malicious activity). From at least May 2013 through at least September 2019, Twitter did not disclose, or did not disclose adequately, that it used these telephone numbers and email addresses to target advertisements to those users through its Tailored Audiences and Partner Audiences services.”
The Complaint references a 2011 FTC settlement Decision and Order concerning Twitter in which Twitter settled allegations that it had misrepresented the extent to which Twitter protected the privacy and security of nonpublic consumer information. That FTC Order, among other things, prohibited Twitter from misrepresenting the extent to which Twitter maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information. Premised on that 2011 FTC order, the Complaint alleges (¶29): “More than 140 million Twitter users provided email addresses or telephone numbers to Twitter based on Twitter’s deceptive statements that their information would be used for specific purposes related to account security. Twitter knew or should have known that its conduct violated the 2011 Order, which prohibits misrepresentations concerning how Twitter maintains email addresses and telephone numbers collected from users.”