Twitter has agreed to pay $150 million after it was accused of selling users’ private information for targeted advertising without informing them.
The Justice Department and the Federal Trade Commission (FTC) announced the settlement that, if approved by a federal court, requires Twitter to pay the amount in civil penalties, as well as improve its compliance practices to protect users’ data privacy.
Twitter’s chief privacy officer, Damien Kieran, said that in reaching the settlement, the company has paid the $150 million penalty and has also “aligned with the [FTC] on operational updates and program enhancements” to protect user privacy and security.
Kieran said the matter concerns a privacy incident disclosed in 2019 “when some email addresses and phone numbers provided for account security purposes may have been inadvertently used for advertising.”
From at least May 2013 to September 2019, Twitter allegedly “deceptively used personal information collected for specific security-related purposes for advertising,” said the complaint, which was filed by the Justice Department on behalf of the FTC.
“Specifically, while Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences,” the complaint said.
U.S. officials pointed out in the complaint that of the $3.4 billion in revenue that Twitter earned in 2019, “$2.99 billion flowed from advertising.”
Associate Attorney General Vanita Gupta said in a statement that the $150 million amount “reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.”
The U.S. government also alleged in the complaint that the big tech company did not comply with the European Union-U.S. and Swiss-U.S. Privacy Shield Frameworks, which “generally prohibit businesses from transferring personal data to third countries unless the recipient jurisdiction’s laws are deemed to adequately protect personal data.”
As part of the new compliance measures Twitter has agreed to in the settlement, it will be required to develop and maintain a “comprehensive privacy and information-security program,” conduct a privacy review with a written report before introducing any new initiative that collects users’ private information, and conduct regular testing of its data privacy safeguards, the Justice Department announced.
“Twitter also will be required to obtain regular assessments of its data privacy program from an independent assessor, provide annual certifications of compliance from a senior officer, provide reports after any data privacy incidents affecting 250 or more users, and comply with numerous other reporting and record-keeping requirements,” the department added.
The settlement also requires Twitter to let all U.S. users who joined the service before Sept. 17, 2019, know about the settlement, and to give those users options to protect their privacy and security.
Twitter is largely a free service and makes money mainly through advertising. Elon Musk, who is set to acquire Twitter in a $44 billion deal, has said he wants to diversify the company’s revenue streams and wants to increase the annual revenue to $26.4 billion by 2028.