Twitter has been fined $150m (£119m) by US authorities after collecting users’ email addresses and phone numbers for security purposes but then using the data to target them with adverts.
The social media platform had told users the information would be used to keep their accounts safe, according to a settlement with the US Department of Justice (DoJ) and the Federal Trade Commission.
“While Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences,” said a court complaint filed by the DoJ.
The offences occurred between May 2013 and September 2019, according to the court document, with the information ostensibly used for purposes including two-factor authentication. But Twitter would then use this data to allow advertisers to target specific groups of Twitter users, by matching the telephone numbers and email addresses to the advertisers’ own lists of telephone numbers and email addresses.
In addition to the financial settlement, the agreement requires Twitter to improve its compliance practices. The complaint said the misrepresentations violated the FTC Act and a 2011 settlement with the agency.
Twitter’s chief privacy officer, Damien Kieran, said in a statement that the company had “cooperated with the FTC every step of the way”.
“In reaching this settlement, we have paid a $150m penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected,” he added.
Twitter makes 90% of its annual revenue of $5bn (£3.8bn) from advertising. Its dependency on that revenue has drawn the attention of Elon Musk, who has agreed to buy the company for $44bn.
The Tesla chief executive has criticised the ad-driven model and pledged to generate revenue for Twitter from different areas, although he announced this month that the deal was “on hold” while he seeks clarification from Twitter on the number of spam or fake accounts on the service.
Musk jumped on the FTC announcement on Wednesday. “If Twitter was not truthful here, what else is not true? This is very concerning news,” he said in a tweet to his more than 95 million followers. Musk’s comments came as he revealed changes to the funding package for his takeover, announcing that the amount of cash he must raise to buy Twitter stood at $33.5bn compared with $27.5bn previously.
“Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” said the FTC chair, Lina Khan, in a statement. “This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”
The complaint also alleges that Twitter falsely said it complied with the European Union-US and Swiss-US privacy shield frameworks, which bar companies from using data in ways that consumers do not authorise.
Twitter’s settlement follows years of fallout over the privacy practices of tech companies. Revelations in 2018 that Facebook, the world’s biggest social network, was using phone numbers provided for two-factor authentication to serve ads enraged privacy advocates. Facebook, now called Meta, similarly settled with the FTC over the issue as part of a $5bn agreement reached in 2019.