On May 25, 2022, the Department of Justice, acting on behalf of the Federal Trade Commission, sued Twitter for failing to adequately disclose to its users its practice of using users’ phone numbers and email addresses to send them targeted advertisements. Twitter resolved the suit by agreeing to pay $150 million in civil penalties and implement a number of robust compliance measures.
The FTC alleged that Twitter’s misleading data use practices violated Section 5(a) of the Federal Trade Commission Act (FTC Act), 15 U.S.C. § 45(n), which prohibits “unfair or deceptive acts or practices in or affecting commerce.” The Complaint alleged that, from May 2013 through September 2019, Twitter encouraged its users to disclose their phone numbers and email addresses for security purposes, such as enabling two-factor authentication and establishing a method for recovering lost passwords. More than 140 million users provided their information to Twitter.
The FTC alleged, however, that Twitter deceived its users and misrepresented how it would use their phone numbers and email addresses. Twitter did indeed use the information for security purposes. But, according to the Complaint, Twitter also matched the phone numbers and email addresses with existing data, or data it obtained from data brokers, to send users targeted advertisements. Although Twitter’s privacy policy may have indicated that the phone numbers and email addresses could be used to send advertisements, according to the Complaint, Twitter did not tell users about that at the time it collected the information.