Twitter has agreed to pay a $150 million civil penalty and implement robust data-privacy compliance measures, under a settlement reached with the Department of Justice and the Federal Trade Commission (FTC). The settlement awaits federal court approval.
“The $150 million penalty reflects the seriousness of the allegations against Twitter,” said Associate Attorney General Vanita Gupta in a press release announcing the settlement. The compliance measures “will help prevent further misleading tactics that threaten users’ privacy,” he said.
According to the government’s allegations in its complaint filed May 25 in the U.S. District Court for the Northern District of California, Twitter violated the FTC Act and a 2011 FTC administrative order, issued in March 2011, by deceiving users about the extent to which Twitter maintained and protected the security and privacy of users’ nonpublic contact information.
Specifically, from May 2013 to September 2019, Twitter obtained telephone numbers and email addresses from its users under the pretext that the data would be used for account-security purposes. However, Twitter failed to inform users that the information would be used to help companies send targeted advertisements to consumers, the complaint alleges.
“This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue,” said FTC Chair Lina Khan.
The complaint further alleges Twitter falsely claimed to comply with the European Union-U.S. and Swiss-U.S. Privacy Shield Frameworks, which prohibit companies from processing user information in ways that are not compatible with the purposes authorized by the users.
Compliance Remediation Measures
Under the terms of the settlement, the compliance measures Twitter must implement include the following:
- Develop and maintain a comprehensive privacy and information-security program;
- Conduct a privacy review with a written report prior to implementing any new product or service that collects users’ information;
- Conduct regular testing of data privacy safeguards;
- Obtain regular assessments of the data-privacy program from an independent assessor;
- Provide annual certifications of compliance from a senior officer;
- Provide reports after any data privacy incident that affects 250 or more users, and
- Comply with numerous other reporting and record-keeping requirements.
The settlement terms also require Twitter to notify all U.S. customers who joined Twitter before Sept. 17, 2019, about the settlement and provide users with options for protecting their privacy and security. The Justice Department and FTC each will have responsibility for monitoring and enforcing Twitter’s compliance.
In a statement, Stephanie Hinds, U.S. Attorney for the Northern District of California, issued this broader warning to all social media platforms: “Consumers who share their private information have a right to know if that information is being used to help advertisers target customers. Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”
Twitter did not issue a public comment on the agreement. 
Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.