It’s FTC 101. Businesses cannot tell consumers that they will use their personal information for one purpose and then use it for another. But according to the FTC, this is the kind of bait and switch that Twitter pulled on unsuspecting consumers. Twitter asked users for personal information for the express purpose of protecting their accounts, but then also used it to serve targeted ads for Twitter’s financial gain. It was not Twitter’s first alleged violation of the FTC Act, but it will cost the company $150 million in civil penalties.
The story begins with the 2010 FTC complaint against Twitter. In that case, Twitter told users that they could control who had access to their tweets and that their private messages could be seen only by recipients. But according to the FTC, Twitter had no reasonable safeguards to ensure that users’ choices were respected. The 2010 complaint cited several cases in which Twitter’s actions and inactions led to unauthorized access to users’ personal information. To resolve that case, the company agreed to an order, which became final in 2011, that would impose substantial financial sanctions if it further misrepresented “the degree to which [Twitter] maintains and protects the security, privacy, confidentiality or integrity of any non-public consumer information.”
The $150 million civil penalty just announced comes from a new complaint filed by the Justice Department on behalf of the FTC, alleging that Twitter violated the order in the previous case by collecting customers’ personal information for the stated purpose of security and then exploiting it commercially. You will want to read the complaint for details, but here is how the FTC says Twitter cheated its customers.
From May 2013 to September 2019, Twitter asked users to provide their phone numbers or email addresses for security reasons, such as enabling multifactor authentication. (Multifactor authentication is an additional layer of security that requires separate forms of identification to access an account, such as a password and a code sent to a user’s verified email address.) Twitter also told people that it would use their personal data to help with account recovery (e.g., if users forgot their passwords) or to re-enable full access if Twitter detected suspicious activity on a person’s account. The FTC says Twitter induced people to provide their phone numbers and email addresses by saying the company’s goal was, for example, to “protect your account.” Twitter encouraged users to provide this information because “An extra layer of security helps ensure that you, and only you, can access your Twitter account.”
But according to the FTC, there was much more going on behind the scenes. In fact, in addition to using people’s phone numbers and email addresses for the protection purposes the company claimed, Twitter also used the information to serve ads to people, which enriched Twitter by millions.
How persuasive was Twitter’s security argument? During the time period covered by the complaint, more than 140 million users gave their email addresses or phone numbers to Twitter for security reasons. Would that same number of people have given this information to Twitter if they had known how else Twitter would use it? We don’t believe so. If you’re struck by the irony of a company exploiting consumers’ privacy concerns in a way that facilitated further invasions of consumer privacy, it’s an irony that is not lost on the FTC.
In addition to imposing a $150 million civil penalty for violating the 2011 order, the new order adds more provisions to protect consumers in the future:
- Twitter is banned from using the phone numbers and email addresses it illegally collected to serve ads.
- Twitter must inform users about its misuse of phone numbers and email addresses, inform them of the FTC’s law enforcement action, and explain how they can turn off personalized ads and review their multifactor authentication settings.
- Twitter must provide multifactor authentication options that do not require people to provide a phone number.
- Twitter must implement an enhanced privacy program and an enhanced information security program that include several new provisions detailed in the order, obtain privacy and security assessments from an independent third party approved by the FTC, and report privacy or security incidents to the FTC within 30 days.
What can other companies take from the latest action against Twitter?
What the prominent text gives, a privacy policy or a buried disclaimer cannot take away. Consumers have a right to trust what you say when you ask for their information. Attempting to take it back in a contradictory statement buried elsewhere on your website is unlikely to correct any misrepresentation.
Keeping customer information secure is an advantage for everyone. Consumers benefit when companies take additional steps to protect their personal data. So let’s be clear: multifactor authentication can be an effective way to do this. Don’t discourage people from accepting multifactor authentication by making them give up their privacy to use it.
Violation of FTC orders will result in substantial penalties. The FTC takes enforcement orders seriously and will use all lawful means to hold repeat offenders responsible for new violations.
Looking for more information on the Twitter case? Read the FTC Technology Blog.