In a complaint filed by the Justice Department on behalf of the Federal Trade Commission (“FTC”), the FTC alleged that Twitter misled its users and did not provide full and adequate disclosure about its processing of certain personal information.
According to the FTC, between 2013 and 2019 Twitter used a multi-factor authentication mechanism for security purposes, but used the information obtained through it (i.e., contact information) for other purposes, such as serving targeted ads for Twitter’s financial benefit. Specifically, while Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences. It wasn’t Twitter’s first alleged violation of the FTC Act, but this one will cost the company $150 million in civil penalties.
Twitter induced its users to provide their phone numbers and email addresses by claiming that the company’s purpose was, for example, to “Safeguard your account.” Twitter further encouraged users to provide that information because “An extra layer of security helps make sure that you, and only you, can access your Twitter account.”
Misrepresentations or deceptive omissions of material fact constitute deceptive acts or practices prohibited by Section 5(a) of the FTC Act.
In its 2010 complaint against Twitter, the FTC claimed that Twitter didn’t have reasonable safeguards to ensure users’ choices (i.e., choosing to make their tweets private) were honored. The 2010 complaint cited multiple instances in which Twitter’s actions – and inactions – led to unauthorized access to users’ personal information.
On May 25th, 2022, the parties reached the following settlement, which must be approved by a federal court:
- Twitter shall pay a $150 million civil penalty
- Twitter shall implement significant new compliance measures to ensure improvement of its data privacy practices, such as developing and maintaining a comprehensive privacy and information-security program, conducting a privacy review with a written report prior to implementing any new product or service that collects users’ private information, and conducting regular testing of its data privacy safeguards.
- Twitter will be required to obtain regular assessments of its data privacy program from an independent assessor, provide annual certifications of compliance from a senior officer, and provide reports after any data privacy incidents affecting 250 or more users.
- Twitter shall notify all U.S. customers who joined Twitter before Sept. 17, 2019, about the settlement and provide users with options for protecting their privacy and security.
What can you take from this?
- A privacy policy or buried disclaimers: Consumers have a right to rely on what you say at the time you ask for their information. Trying to take it back in a contradictory statement buried elsewhere on your website is unlikely to correct a misrepresentation.
- Keeping customers’ information secure: Consumers benefit when companies take extra steps to protect their personal data. However, do not use information that was provided for securing the consumer’s account for other purposes.
- Violating FTC orders will result in substantial penalties.
This update is intended to provide only a general background regarding this matter. This update should not be regarded as setting out binding legal advice but rather as a practical overview that is based on our understanding. APM & Co. is not licensed to practice law outside of Israel.
APM Technology and Regulation Team.