November 28, 2022

Volume XII, Number 332


FTC Issues $150 Million Fine For Targeting Ads Based on Users’ Account Security Information

The Federal Trade Commission (FTC) and Department of Justice (DOJ) recently ordered Twitter to pay $150 million for violating a 2011 FTC order that prohibited the company from misrepresenting its privacy and data security practices. In addition to the lofty fine, the proposed order bans Twitter from profiting from the deceptively collected data.

The FTC Order

In a 2011 action, the FTC investigated Twitter’s data security practices and found that the practices contradicted the privacy policy presented to users. Specifically, although the privacy policy stated, “Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information” and mentioned that the company employs administrative, physical, and electronic measures designed to protect information from unauthorized access and lapses in its data security practices proved otherwise. Hackers obtained access to non-public user information and private tweets on two occasions. This led the FTC to charge Twitter for deceiving consumers and inadequately protecting their personal information. Under the final order, the FTC barred Twitter from misleading consumers about its security, privacy, and confidentiality practices and mandated Twitter to maintain a comprehensive information security program.

The DOJ’s Complaint 

According to the DOJ complaint, Twitter has been violating the FTC order since 2014 by allowing advertisers to use account security data for marketing purposes. Specifically, from 2014 to 2019, almost 150 million users provided personal information under the impression that they were doing so to secure their accounts. Instead of using the information solely for account security purposes, as disclosed to users, the social media giant allowed advertisers to target “specific ads to specific consumers by matching the information with data they already had or obtained from data brokers” in violation of their standing FTC order.  

To that end, the FTC ordered Twitter to pay a $150 million penalty. The proposed order prohibits Twitter from profiting from deceptively collected data and also advocates for multi-factor authentication methods that do not require users to provide their telephone numbers, limits employee access to users’ personal information, and requires comprehensive privacy and information security program.

Primary Takeaway

As this case demonstrates, businesses must only process personal data for the purposes for which the data was collected and take care to avoid using data in manners not expected by a consumer. Several US state privacy laws now explicitly state that businesses shall not process personal data for purposes that are not reasonably necessary to or compatible with the specified purposes for which the personal data is processed unless the business first obtains the data subject’s consent. Companies should pay special attention to their data practices, and how they handle personal information, and ensure that these practices align with their privacy policies.

© 2022 ArentFox Schiff LLPNational Law Review, Volume XII, Number 160

About this Author

Eva J. Pulliam Attorney Brand Protection Arent Fox Schiff Washington DC

Eva splits her time between Washington and San Francisco and concentrates her practice on brand protection: protecting data, brand image, and brand names. She advises clients across numerous industries on best practices in the areas of data privacy, advertising and marketing, and trademark. Household names, tech giants and startups, non-profits, and other innovative organizations call on Eva to guide them through product development and brand management. 

In the privacy space, Eva counsels clients around data collection, use, and transfer, as...

Christine Chong Privacy Attorney ArentFox Schiff San Francisco

As an Associate on the privacy, cybersecurity, and data protection team, Christine helps clients with regulatory compliance, data breach response, technology transactions, vendor contracting, marketing initiatives, and external and internal-facing policies. Her clients include international consumer products, e-commerce, manufacturing, data analytics services, retail and technology businesses, and not-for-profit organizations. 

Christine regularly advises on ethical data use, machine learning and artificial intelligence, vendor contracting, and...

Destiny Planter Attorney Copyright Law ArentFox Schiff Washington DC

Prior to joining ArentFox Schiff, Destiny was awarded the Frances Phillips Fellowship. She used this opportunity to work with the African Network for the Prevention and Protection against Child Abuse and Neglect and volunteer in orphanages in Kenya and Ghana. She then joined the Carolina College Advising Corps at Ben L. Smith High School in Greensboro, North Carolina, where she worked to increase the rates of college enrollment and completion among low-income, first-generation college and underrepresented high school students.

While in law...