FTC Issues $150 Million Fine For Targeting Ads Based on Users’ Account Security Information
The Federal Trade Commission (FTC) and Department of Justice (DOJ) recently ordered Twitter to pay $150 million for violating a 2011 FTC order that prohibited the company from misrepresenting its privacy and data security practices. In addition to the lofty fine, the proposed order bans Twitter from profiting from the deceptively collected data.
The FTC Order
The DOJ’s Complaint
According to the DOJ complaint, Twitter has been violating the FTC order since 2014 by allowing advertisers to use account security data for marketing purposes. Specifically, from 2014 to 2019, almost 150 million users provided personal information under the impression that they were doing so to secure their accounts. Instead of using the information solely for account security purposes, as disclosed to users, the social media giant allowed advertisers to target “specific ads to specific consumers by matching the information with data they already had or obtained from data brokers” in violation of its standing FTC order.
To that end, the FTC ordered Twitter to pay a $150 million penalty. The proposed order prohibits Twitter from profiting from deceptively collected data, advocates for multi-factor authentication methods that do not require users to provide their telephone numbers, limits employee access to users’ personal information, and requires a comprehensive privacy and information security program.
As this case demonstrates, businesses must only process personal data for the purposes for which the data was collected and take care to avoid using data in manners not expected by a consumer. Several US state privacy laws now explicitly state that businesses shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data is processed unless the business first obtains the data subject’s consent. Companies should pay special attention to their data practices and how they handle personal information, and ensure that these practices align with their privacy policies.