Twitter has paid a $150 million fine to the FTC over its"deceptive" use of user data for targeted advertising. The fine stems from the company’s admission in 2019 that it had for years used Twitter users’ phone numbers and email addresses provided for two-factor authentication to also serve targeted ads.
The company said that its use of the phone numbers for ads was “an error,” and that it wasn't certain how many users were affected. In a statement, FTC Chair Lina Khan said that more than 140 million users were affected by the practice, which persisted between 2014 and 2019. It was also in violation of a previous agreement Twitter had with the FTC, dating back to 2011, which "prohibited the company from misrepresenting its privacy and security practices."
In a statement, Twitter's Chief Privacy Officer Damien Kieran said the company has "cooperated with the FTC every step of the way."
"This issue was addressed as of September 17, 2019, and today we want to reiterate the work we’ll continue to do to protect the privacy and security of the people who use Twitter," Kieran wrote. "In reaching this settlement, we have paid a $150M USD penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected."
In addition to the fine, the FTC order stipulates that Twitter notify all users whose phone number and emails were originally collected for "account security" that were also used for ads. It also requires Twitter to make two-factor authentication available via methods other than phone numbers, which the company adopted in 2019. Twitter will also create a new "comprehensive privacy and information security program" to review new products for potential privacy and security risks.