Twitter to pay $150M in data privacy settlement
SAN FRANCISCO - Twitter has agreed to pay a civil fine of $150 million in a settlement with the federal government that requires the social media giant to do more than just claim to protect the private data of users, according to an announcement Wednesday by officials with the Department of Justice and the Federal Trade Commission.
The settlement will resolve allegations that Twitter violated the FTC Act and an administrative order issued by the FTC in March 2011 by misrepresenting how it would make use of users' nonpublic contact information.
The government alleged that Twitter violated the FTC Act and the 2011 order by deceiving users about the extent to which Twitter maintained and protected the security and privacy of users' nonpublic contact information, according to the statement from federal officials.
Specifically, the complaint alleged that between May 2013 to September 2019, Twitter told its users that it was collecting their telephone numbers and email addresses for account-security purposes, but failed to disclose that it also would use that information to help companies send targeted advertisements to consumers.
The complaint further alleged that Twitter falsely claimed to comply with the European Union-U.S. and Swiss-U.S. Privacy Shield Frameworks, which prohibit companies from processing user information in ways not authorized by the users.
"Consumers who share their private information have a right to know if that information is being used to help advertisers target customers," said Stephanie M. Hinds, U.S. Attorney for the Northern District of California, in the statement. "Social media companies that are not honest with consumers about how their personal information is being used will be held accountable."
U.S. Department of Justice Associate Attorney General Vanita Gupta said the government is committed to protecting the privacy of consumers.
"The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today's proposed settlement will help prevent further misleading tactics that threaten users' privacy," Gupta said in the statement.
The settlement requires Twitter to develop and maintain a comprehensive privacy and information-security program, conduct a privacy review with a written report prior to implementing any new product or service that collects users' private information, and to conduct regular testing of its data privacy safeguards.
Twitter also will be required to obtain regular assessments of its data privacy program from an independent auditor, provide annual certifications of compliance from a senior officer, provide reports after any data privacy incidents affecting 250 or more users, and to comply with numerous other reporting and record-keeping requirements.
The settlement also will require Twitter to notify all U.S. customers who joined Twitter before Sept. 17, 2019, about the settlement and to provide users with options for protecting their privacy and security.