Twitter is making headlines again and not in a good way. This week, the Federal Trade Commission announced they are fining Twitter $150 million in civil penalties for violating consumer privacy. The FTC alleges that Twitter asked users for personal information including phone numbers and email addresses to secure their accounts. Twitter gave advertisers access to that data to target ads to those users, while profiting in the process. This is a violation of the FTC Act.

DOJ and FTC team up against the Twitter

In the current matter, the Department of Justice filed a complaint against Twitter on behalf of the FTC for violating the 2011 order, addressing serious consumer privacy violations.

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said FTC Chair Lina M. Khan. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”

“The Department of Justice is committed to protecting the privacy of consumers’ sensitive data,” said Associate Attorney General Vanita Gupta. “The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.” 

Advertising revenue

In the company’s first quarter financials, Twitter reports total revenue of $1.2 billion. Of this figure, $1.11 billion is attributed to advertising while the balance of $94.4 million is attributed to subscription and other revenue. Currently, Twitter has two subscription products – Twitter Blue and Super Follows. Both launched in 2021, to date, they only represent 7.9% of total revenue.

Repeat offender

This isn’t the first time the California-based social media platform has violated their users’ privacy. In 2010, the FTC filed a complaint against Twitter for telling users that the users were in control of who could access their tweets and that private messages could only be seen by the intended recipients. However, in 2010, the FTC filed a complaint that noted multiple incidents where Twitter’s behavior or lack of safeguards allowed others to get unauthorized access to user information. The incidents were varied in reach and severity, but they included hackers gaining administrative control of Twitter and the use of an automated password-guessing tool.

Twitter settled the case with the FTC in 2011 that included a provision that Twitter would face “substantial financial penalties” if they misrepresented how the company maintains and protects security, privacy and confidentiality or other nonpublic user information.

“When a company promises consumers that their personal information is secure, it must live up to that promise,” said David Vladeck, director of the FTC’s Bureau of Consumer Protection at the time. “Likewise, a company that allows consumers to designate their information as private must use reasonable security to uphold such designations. Consumers who use social networking sites may choose to share some information with others, but they still have a right to expect that their personal information will be kept private and secure.”

Twitter agrees to the settlement for consumer privacy allegations

According to the DOJ, Twitter has agreed to pay the $150 million fine to resolve the consumer privacy allegations and will implement “significant new compliance measures” to ensure that Twitter improves its data privacy practices.

“Twitter will be required to develop and maintain a comprehensive privacy and information-security program, conduct a privacy review with a written report prior to implementing any new product or service that collects users’ private information, and conduct regular testing of its data privacy safeguards,” said the DOJ in a May 25 statement.

“Twitter also will be required to obtain regular assessments of its data privacy program from an independent assessor, provide annual certifications of compliance from a senior officer, provide reports after any data privacy incidents affecting 250 or more users, and comply with numerous other reporting and record-keeping requirements. The settlement also will require Twitter to notify all U.S. customers who joined Twitter before Sept. 17, 2019, about the settlement and to provide users with options for protecting their privacy and security. Under the settlement terms, the Department of Justice and FTC will each have responsibility for monitoring and enforcing Twitter’s compliance,” the statement said.

Insider Take

The complaint was filed on May 25 in the U.S. District Court for the Northern District of California, the same day as Twitter’s annual shareholder meeting and the last day Twitter co-founder and former CEO Jack Dorsey served on the Twitter board. Was this a coincidence or was it intentional? Neither current CEO Parag Agrawal or prospective buyer Elon Musk have yet commented on the news, though Musk did mark the occasion of Jack’s departure on Twitter.

It will be interesting to see if the consumer privacy violations and subsequent settlement have any impact on the proposed $44 billion acquisition of Twitter by the SpaceX and Tesla CEO. Though $150 million is an incredibly small fraction of $44 billion, Musk may be stuck with other questionable business practices and potential liabilities those bring to light. Will Musk use this as an excuse to back out of the deal?