The Federal Trade Commission (“FTC”) announced today a settlement with Twitter, Inc. (“Twitter”) in which Twitter agreed to pay $150 million for its alleged misuse of user account security data, specifically email addresses and phone numbers collected for account security purposes, for targeted advertising. The government alleged that this use of account data violated a 2011 FTC Order against Twitter, which prohibited the company from misrepresenting the extent to which it maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information. The government also alleged that the misuse of consumer data violated the EU-U.S. Privacy Shield and the Swiss-U.S. Privacy Shield frameworks.
In addition to paying the $150 million penalty, the government announced that Twitter has agreed to the following:
- Not profit from the deceptively collected data;
- Offer users multi-factor authentication options, such as authenticator apps or security keys, that do not require providing a phone number;
- Notify all users that Twitter used the phone numbers and email addresses it collected for security purposes for targeted advertising, and provide users with information about Twitter’s privacy and security controls;
- Implement and maintain a comprehensive privacy and information security program, including an assessment of the potential privacy and security risks of new products;
- Limit employee access to users’ personal data; and
- Notify the FTC if it experiences a data breach.
With this enforcement action against Twitter, the FTC is clearly signaling to companies in the business of collecting consumer data that they must truthfully disclose the purposes for which they collect data, including any advertising use, and that failure to do so carries potential federal regulatory consequences. Data collected for one stated purpose, such as account security, cannot quietly be repurposed for another. Digital health companies, which routinely collect contact information for authentication and account recovery, should take note of this enforcement action and ensure that they do not engage in the practices that were its subject.