• by Wendy Davis  @wendyndavis, May 25, 2022

The Federal Trade Commission has fined Twitter $150 million over allegations that it misled users by asking for their phone numbers and email addresses for security purposes, but then drew on the information for ad targeting.

"From at least May 2013 until at least September 2019, Twitter collected telephone numbers and email addresses from users specifically for purposes of allowing users to enable two-factor authentication, to assist with account recovery (e.g., to provide access to accounts when users have forgotten their passwords), and to re-authenticate users (e.g., to re-enable full access to an account after Twitter has detected suspicious or malicious activity),” the FTC alleged Wednesday in a complaint brought on its behalf in the Northern District of California by the Justice Department.

During that same time period, Twitter failed to adequately disclose “that it used these telephone numbers and email addresses to target advertisements to those users through its Tailored Audiences and Partner Audiences services,” the FTC added.

The agency said more than 140 million Twitter users provided email addresses or phone numbers to Twitter for security purposes. 

The FTC claimed that Twitter's alleged misrepresentations violated a 2011 consent decree that prohibited the company from misleading consumers about privacy. That prior decree stemmed from allegations that security glitches at Twitter resulted in hackers obtaining access to some users' names, passwords and private messages.

Twitter's chief privacy officer, Damien Kieran, said Wednesday that the company "cooperated with the FTC every step of the way," and that it has "aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected."

Twitter disclosed in 2019 that it inadvertently allowed marketers to target people based on phone numbers and emails collected for security purposes.

The company said at the time that the emails and phone numbers were mistakenly incorporated into an ad platform that allows companies to use their own marketing lists -- which include customers' email addresses and phone numbers -- to target ads on Twitter.

One year later, the company said it anticipated an FTC fine of up to $250 million.

The FTC has also fined Facebook and Google for allegedly violating users' privacy in ways that ran afoul of prior consent decrees.

In 2019, the FTC said Facebook had agreed to a $5 billion penalty for allegedly violating a 2012 order that prohibited the company from misrepresenting the extent to which it makes users' information available to third parties.

The agency said Facebook violated the prior order in several ways, including by allowing Cambridge Analytica and other outside developers access to users' data, collecting phone numbers for security purposes but then using them for advertising, and misleading people about the use of facial-recognition technology.

Google was fined $22.5 million by the FTC in 2012 for allegedly violating a 2012 consent decree by tracking Safari users, despite representing in its privacy statements that Safari automatically prevented tracking.