It’s never a good sign for a company when the Federal Trade Commission gets snarky. So, it was bad news for Twitter on Wednesday when the FTC said: “Twitter to pay $150 million penalty for allegedly breaking its privacy promises – again.” The social media firm was fined for allegations it used email addresses and phone numbers it had collected to target advertising, violating an earlier agreement with the FTC.
In court documents made public on Wednesday, the FTC and the Department of Justice said Twitter broke a 2011 agreement with regulators in which the company said it would not sell information collected to protect user privacy.
Get the daily newsletter digital marketers rely on.
According to the FTC, “Twitter induced people to provide their phone numbers and email addresses by claiming that the company’s purpose was, for example, to ‘Safeguard your account.’ Twitter further encouraged users to provide that information because ‘An extra layer of security helps make sure that you, and only you, can access your Twitter account.’”
In a blog post, Twitter’s chief privacy officer, Damien Kieran, said users’ personal information “may have been inadvertently used for advertising.” He then assured readers that what “may have inadvertently” happened would definitely not happen again. “Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way,”
In addition to the fine, Twitter is banned from profiting off the “deceptively collected” data and required to:
- Notify users about its improper use of phone numbers and email addresses, tell them about the FTC law enforcement action, and explain how they can turn off personalized ads and review their multi-factor authentication settings.
- Provide multi-factor authentication options that don’t require people to provide a phone number.
- Implement an enhanced privacy program and a beefed-up information security program that includes multiple new provisions spelled out in the order, get privacy and security assessments by an independent third party approved by the FTC, and report privacy or security incidents to the FTC within 30 days.
Why we care. Ultimately all companies sell one thing: Trust. Saying you need information to protect privacy and then selling it off is a pretty big violation of that trust. Is it as big as DuckDuckGo saying it won’t track your searches and then allowing Microsoft to do just that? Maybe, maybe not. Even if it isn’t, it’s still very bad. It also raises further questions about Elon Musk’s decision to buy the company, right at the moment when he is being forced to put more of his own money into the deal.