Twitter, which is in the process of being acquired by Tesla CEO Elon Musk, has agreed to pay $150 million to the U.S. Federal Trade Commission (FTC) to settle allegations that it abused non-public information collected for security purposes to serve targeted ads.
In addition to the monetary penalty for "misrepresenting its privacy and security practices," the company has been banned from profiting from the deceptively collected data and ordered to notify all affected users.
"Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," FTC Chair Lina M. Khan said in a statement. "This practice affected more than 140 million Twitter users, while boosting Twitter's primary source of revenue."
According to a complaint filed by the U.S. Justice Department, Twitter in May 2013 began enforcing a requirement for users to provide either a phone number or email address to improve account security.
The intention was to ostensibly help users recover access to their locked accounts as well as enable two-factor authentication by sending a one-time password to the registered phone number or email address after signing in with a username and password.
But what Twitter failed to make transparent was that it also allowed advertisers to use this information to target specific ads by matching them with email addresses and phone numbers already obtained from other third-parties such as data brokers.
The social media platform reiterated the issue was addressed as of September 17, 2019, adding it will work to make investments with regards to "operational updates and program enhancements to ensure that people's personal data remains secure and their privacy protected."
Ready to tackle new AI-driven cybersecurity challenges? Join our insightful webinar with Zscaler to address the growing threat of generative AI in cybersecurity.Supercharge Your Skills
"Consumers who share their private information have a right to know if that information is being used to help advertisers target customers," said U.S. Attorney Stephanie M. Hinds for the Northern District of California. "Social media companies that are not honest with consumers about how their personal information is being used will be held accountable."
This development marks the second time Twitter has settled with the U.S. consumer protection watchdog. In March 2011, it admitted to charges that it "deceived consumers and put their privacy at risk by failing to safeguard their personal information," thereby enabling hackers to gain administrative control over the platform twice in 2009.