Why Your Business’ Use of Personal Data Matters

The FTC Reaches $150 Million Settlement with Twitter for “Deceptively Using Account Security Data” to Sell Ads

In May 2022, the Federal Trade Commission (FTC) and Twitter settled, subject to court approval, for Twitter to pay a $150 million penalty for “deceptively using account security data to sell targeted ads” for profit.

The Facts

Between 2013 and 2019, Twitter requested that over 140 million users provide their email addresses and phone numbers to help secure their accounts through multifactor authentication (MFA) and account recovery. Twitter did not offer other means of implementing MFA—such as tokens or security keys—that did not involve user’s personal data.

Later, Twitter decided to repurpose those email addresses and phone numbers collected for security by using that personal data as identifiers for targeted advertising. It did so without notifying consumers of the secondary use of personal data collected for the purpose of improving account security. This type of activity is known in data protection compliance circles as a “purpose limitation violation”. In other words, notifying an individual that you are collecting data for one purpose and then using it for another without further notice or consent.