The FTC has been investigating Twitter over the use of personal data for ad targeting since October last year, the social network itself revealed in a filing with the Securities and Exchange Commission. According to the document, the Commission is looking into Twitter’s “use of phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019.” The company could pay a fine between $150 million and $250 million after the investigation is done.
In a blog post from 2019, Twitter disclosed that it may have “inadvertently” matched users’ phone numbers and email ads provided for two-factor and identity verification with marketing lists advertisers had uploaded. “This was an error and we apologize,” the company wrote, admitting that it didn’t know how many people were affected. “As of September 17, we have addressed the issue that allowed this to occur and are no longer using phone numbers or email addresses collected for safety or security purposes for advertising,” it added.
Twitter said it received a draft complaint from the FTC, accusing it of violating a 2011 agreement it signed with the Commission, on July 28th, 2020. As Financial Times notes, that agreement prohibits the company from misleading “consumers about the extent to which it protects the security, privacy, and confidentiality” of their data and compels it to “establish and maintain a comprehensive information security program.”
The company has already set aside $150 million to cover the minimum amount it may have to pay. If it’s preparing for an unfavorable outcome, that’s probably because it’s not the first tech company that’s had to face the same allegations from the FTC. Facebook previously had to pay $5 billion for several privacy missteps, including the use of people’s phone numbers, provided for security purposes, for its ad business.