The Reason The FTC Just Hit Twitter With A $150 Million Fine

2022 is turning out to be an extremely eventful year for Twitter. Even as the fiasco over Elon Musk's proposed Twitter acquisition continues, the San Francisco-based social media giant has been slapped with a $150 million fine by the United States Federal Trade Commission (FTC).

On Wednesday, May 25, 2022, the FTC published court documents that accused the company of violating a 2011 agreement with regulatory agencies. Per the terms of this agreement, Twitter was not supposed to use personal data — including phone numbers and email addresses — it gathered from users for commercial purposes. In simpler terms, the FTC alleges that Twitter used personal information it gathered from users and used that data to target them with ads. 

Twitter made significant monetary gains in this process, and the practice boosted Twitter's primary source of revenue — advertising, the FTC states. What makes Twitter's actions even more concerning is that all this personal information was collected under the pretext of using it for "security purposes."

The penalty aside, the FTC order also prohibits Twitter from profiting from data collected from users with deceptive means. Twitter has additionally been asked to use other forms of authentication that do not involve users sharing their phone numbers with the company. Furthermore, the FTC wants Twitter to notify users that it misused their phone numbers and email addresses.

How long has this been happening?

In the FTC order, the commission states that Twitter had access to personal data from more than 140 million users in just the 2014 – 2019 period, which it then shared with advertisers. This was at a time when Twitter's terms and conditions explicitly stated to its users that this information would be used for the sole purpose of securing their accounts.

According to the FTC and the United States Department of Justice, Twitter began sharing user data with advertisers in 2013 — around the same time it started allowing users to add their phone numbers for two-factor authentication. Before being called out by the FTC, Twitter maintained that it collected phone numbers and email addresses for the purpose of improving account security. Users could, for example, easily reset their passwords, or unlock their accounts using a verified phone number or email address. 

While the average Twitter user likely assumed their phone number and associated data were secure with Twitter, the company disregarded the trust users placed with them and shared this data with advertisers, the FTC orders states.

What next for Twitter?

In response to the FTC ruling, Twitter's chief privacy officer Damien Kieran said that Twitter "may have" used email addresses and phone numbers for advertising, though he says such usage was inadvertent. In a blog post, he asserted that this "issue" was addressed more than two years ago — on September 17, 2019 — and that his company had "cooperated with the FTC every step of the way."

Kieran also confirmed that Twitter has already paid the $150 million fine and that the company will work with the FTC and ensure that personal data belonging to its users remain secure. Reiterating Twitter's commitment to privacy, Kieran talked about the company's new Data Governance Committee which was set up in late 2021 to oversee privacy-centric compliance across the board.

As part of a proposed agreement with the FTC, Twitter said it will also work to limit employee access to user data. It remains to be seen if this recent development has any impact on Elon Musk's plan to acquire Twitter.