Twitter has agreed to pay a $150 million fine after federal law enforcement officials accused the social media company of illegally selling advertisements based on an improper use of personal data over six years.
In court documents made public on Wednesday, the Federal Trade Commission and the Department of Justice say Twitter violated a 2011 agreement with regulators in which the company vowed to not use information gathered for security purposes, like users’ phone numbers and email addresses, to help advertisers target people with ads.
Federal investigators say Twitter broke that promise.
“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said FTC Chair Lina Khan.
Twitter requires users to provide a telephone number and email address to authenticate accounts. This information also helps people reset their passwords and unlock their accounts when the company blocks logging in due to suspicious activity.
But until at least September 2019, Twitter was also using that information to boost its advertising business by allowing advertisers access to users’ phone numbers and email addresses. That ran afoul of the agreement the company had with regulators.
“If you’re telling people you’re using their phone numbers to secure their accounts, and then you use them for other purposes, you’re deceiving them and breaking the law,” said Sam Levine, who leads the FTC’s Bureau of Consumer Protection, in an interview with NPR.
More than 140 million Twitter users provided this kind of personal information based on “Twitter’s deceptive statements,” according to federal prosecutors.
“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” said US Attorney Stephanie Hinds for the Northern District of California.
Twitter’s chief privacy officer, Damien Kieran, acknowledged in a blog post that users’ personal information “may have been inadvertently used for advertising.”
He said the company is no longer selling information gathered for security purposes to advertisers.
“Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way,” Kieran wrote.
Under terms of a proposed agreement, Twitter agreed to stop profiting from information gathered for security purposes. The deal, which still needs the court’s approval, also would limit employees’ access to users’ personal data.
The action echoes a sweeping settlement that included a $5 billion fine against Facebook in 2019 in which the social media giant committed to stop selling information obtained for security purposes to advertisers.
Justin Brookman, the director of Technology Policy at Consumer Reports, said as regulators continue to crack down on targeted ads, companies like Twitter that have long relied on tracking tools could be in trouble.
“We’re seeing a confluence of regulators, but also browsers and operating systems, cut down on cookies and cut down on a lot of tools companies use to track people across services,” Brookman said. “I think, in some respects, a lot of these tools are going away and companies are going to have to find new ways to make revenue, that the days of just printing money from targeted ads are coming to a close.”
The settlement comes during a precarious time at Twitter.
The company has been in a state of crisis since Tesla CEO Elon Musk launched a $44 billion hostile takeover of the social media site last month.
Musk recently declared the deal is “temporarily on hold,” arguing that he must first determine how widespread bot accounts are on the site.
But corporate merger experts, and members of Twitter’s chief executive, have noted that the deal is still moving forward, since Musk is in a legally binding contract with the company pending shareholder and regulatory review.
Musk has not yet commented on Wednesday’s settlement.