Twitter Violates Data Privacy Promises
- May 31, 2022
- Clayton Rice, Q.C.
The United States Department of Justice and the Federal Trade Commission have announced a settlement that will require Twitter to pay a civil penalty of $150 million to resolve allegations that it told consumers it would use their personal information for one purpose but then used it for another. In a digital bait-and-switch, Twitter asked users for personal information to secure their accounts but then used the same information to serve targeted advertisements for Twitter’s financial benefit. It is not the first time the social media giant has been accused of data privacy violations.
On May 25, 2022, the U.S. Department of Justice (DOJ) filed a complaint on behalf of the Federal Trade Commission (FTC) in the United States District Court, Northern District of California, that had its genesis in a previous complaint against Twitter dating back to 2010. (here) The previous complaint was finalized in an Order in 2011. The new complaint alleges that Twitter violated the 2011 Order by collecting customers’ personal information “for the stated purpose of security and then exploiting it commercially.” Specifically, the complaint alleges that from May 2013 to September 2019, Twitter told its users it was collecting their telephone numbers and email addresses for security purposes but failed to disclose that it would also use that information to help companies send targeted advertisements to consumers. (here) The complaint also alleges that Twitter falsely asserted compliance with the E.U.-U.S. and Swiss-U.S. Privacy Shield Frameworks that prohibit companies from processing users’ information in ways incompatible with the purposes authorized by the users.
In the previous case that resulted in the 2011 Order, it was alleged that Twitter told users they could control who had access to their tweets and that their private messages could only be viewed by recipients. However, according to the FTC, Twitter failed to implement reasonable safeguards to ensure that users’ choices were honoured. That complaint cited instances in which Twitter’s actions and inactions resulted in unauthorized access to users’ personal information. (here) In the 2011 Order, Twitter agreed to settlement terms that would result in substantial financial penalties if it further misrepresented “the extent to which [Twitter] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.” (here)
3. The Complaint
The new complaint, styled as United States v. Twitter, Inc., was filed under s. 16(a)(1) of the Federal Trade Commission Act, 15 U.S.C. s. 56(a)(1), which authorizes the plaintiff to seek injunctive, monetary and other relief for Twitter’s alleged violation of s. 5(a) of the statute as well as of the 2011 Order. (here) Section 5(a) of the FTC Act prohibits “unfair or deceptive acts or practices in or affecting commerce.” Acts or practices are unfair if they cause or are likely to cause substantial injury to consumers that consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition. Misrepresentations or deceptive omissions of material facts constitute deceptive acts or practices prohibited under s. 5(a). Here are three clauses from the complaint that summarize the key allegations:
- Twitter offers various services that advertisers can use to reach their existing marketing lists on Twitter, including “Tailored Audiences” and “Partner Audiences.” Tailored Audiences allows advertisers to target specific groups of Twitter users by matching the telephone numbers and email addresses that Twitter collects to the advertisers’ existing lists of telephone numbers and email addresses. Partner Audiences allows advertisers to import marketing lists from data brokers like Acxiom and Datalogix to match against the telephone numbers and email addresses collected by Twitter. Twitter has provided advertisers the ability to match against lists of email addresses since January 2014 and against lists of telephone numbers since September 2014. (para. 26)
- Twitter has prompted users to provide a telephone number or email address for the express purpose of securing or authenticating their Twitter accounts. However, through at least September 2019, Twitter also used this information to serve targeted advertising and further its own business interests through its Tailored Audiences and Partner Audiences services. For example, from at least May 2013 until at least September 2019, Twitter collected telephone numbers and email addresses from users specifically for purposes of allowing users to enable two-factor authentication, to assist with account recovery (e.g., to provide access to accounts when users have forgotten their passwords), and to re-authenticate users (e.g., to re-enable full access to an account after Twitter has detected suspicious or malicious activity). From at least May 2013 through at least September 2019, Twitter did not disclose, or did not disclose adequately, that it used these telephone numbers and email addresses to target advertisements to those users through its Tailored Audiences and Partner Audiences services. (para. 27)
- In 2011, after an FTC investigation, Twitter settled allegations that it had misrepresented the extent to which Twitter protected the privacy and security of nonpublic consumer information. The resulting Commission Order, among other things, prohibits Twitter from misrepresenting the extent to which Twitter maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information. (para. 28)
The complaint alleges that more than 140 million Twitter users provided their email addresses or telephone numbers based on Twitter’s “deceptive statements that their information would be used for specific purposes related to account security” and that Twitter either knew or ought to have known that its conduct violated the 2011 Order.
4. Privacy Shield
The European Union and Switzerland have established regulatory regimes to protect individuals’ right to privacy with respect to the processing of their personal data. Both regimes prohibit businesses from transferring personal data to third countries unless the laws of the recipient jurisdiction adequately protect personal data. To ensure adequate privacy protection for commercial data transfers, the International Trade Administration of the U.S. Department of Commerce coordinated with the European Commission and the Swiss Administration to draft the E.U.-U.S. and the Swiss-U.S. Privacy Shield Frameworks. I have discussed the European litigation involving Privacy Shield, and the precursor Safe Harbour agreement, in previous posts to On The Wire. (here and here)
To rely on Privacy Shield for data transfers, a company must self-certify and annually affirm to the U.S. Department of Commerce that it complies with the Privacy Shield Principles. Principle 5(a) provides that “[a]n organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.” The Frameworks define “processing” to include “any operation or set of operations which is performed upon personal data, whether or not by automated means,” which covers the collection, storage and use of personal information. A company under the FTC’s jurisdiction that self-certified to the Privacy Shield Principles but failed to comply with them may be liable to an enforcement action under s. 5 of the FTC Act. The complaint asserts that on November 16, 2016, Twitter self-certified its participation in Privacy Shield and reaffirmed its participation annually since then. Simply put, the core allegation here is the same: Twitter’s use of personal information for advertising purposes was not compatible with the purposes for which the information was collected.
5. Other Settlement Terms
Twitter also agreed to implement new compliance measures intended to ensure improved data practices. It will be required to develop and maintain a comprehensive privacy and security program, conduct a privacy review with a written report prior to implementing any new product or service that collects users’ private information, and conduct regular testing of its data privacy safeguards. Twitter will also be required to obtain regular assessments of its data privacy program from an independent assessor, provide annual certifications of compliance from a senior officer and provide reports after any data privacy incidents affecting 250 or more users. All U.S. customers who joined Twitter before September 17, 2019, must be notified about the settlement. The FTC and the Department of Justice will be responsible for monitoring and enforcing Twitter’s compliance.
6. Too Big To Fine
The monetary penalty is much less than the record-breaking $5 billion penalty imposed on Facebook, Inc. (Meta) by the FTC in 2019 for “deceiving users about their ability to control the privacy of their personal information.” (here) To encourage users to share information on its platform, Facebook promises users they can control the privacy of their information through Facebook’s privacy settings. Following a year-long investigation, the FTC and the DOJ alleged that Facebook repeatedly used “deceptive disclosures and settings” to allow the company to share users’ personal information with third-party apps that were downloaded by the user’s Facebook “friends”. The FTC claimed that many users were unaware that Facebook was sharing such information and therefore did not take steps to opt out. According to tech reporter Cat Zakrzewski of The Washington Post, the penalty in Twitter’s case amounts to about 13 percent of the company’s revenue in the first quarter of 2022. (here) All of which leads to the question – just how big does a fine have to be to deter the recidivist behaviour of a tech behemoth?
In the press release concurrent with the filing of the complaint, the FTC said it takes “order enforcement seriously and will use every lawful means to hold recidivists responsible for further violations.” Associate Attorney General Vanita Gupta seemed to view the penalty as proportionate and the new compliance measures as creating a structure for future accountability. “The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures […] will help prevent further misleading tactics that threaten users’ privacy,” she said. Maybe, then, the real question is more one of accountability than deterrence. Justin Brookman, the director of Technology Policy at Consumer Reports, contextualized the penalty as part of the general crackdown on the targeted advertising industry. “We’re seeing a confluence of regulators, but also browsers and operating systems, cut down on cookies and cut down on a lot of tools companies use to track people across services,” he said. Companies will have to find new ways to generate revenue, he added. “[T]he days of just printing money from targeted ads are coming to a close.” (here)