FTC Fines $150 Million for Targeting Ads Based on User Account Security Information | Arent Fox Schiff


The Federal Trade Commission (FTC) and the Department of Justice (DOJ) recently ordered Twitter to pay $150 million for violating a 2011 FTC order that prohibited the company from misrepresenting its privacy and data security practices. In addition to the hefty fine, the proposed order prohibits Twitter from profiting from deceptively collected data.

The FTC Order

In a 2011 action, the FTC investigated Twitter’s data security practices and found that the practices contradicted the privacy policy presented to users. Specifically, although the privacy policy stated, “Twitter is very concerned about protecting the privacy of your personally identifiable information” and mentioned that the company uses administrative, physical, and electronic measures designed to protect information from unauthorized access, failures in its data security practices proved otherwise. Hackers gained access to non-public user information and private tweets twice. This led the FTC to accuse Twitter of misleading consumers and inadequately protecting their personal information. Under the final order, the FTC prohibited Twitter from misleading consumers about its security and privacy practices and required Twitter to maintain a comprehensive information security program.

The DOJ Complaint

According to the DOJ complaint, Twitter has violated the FTC order since 2014 by allowing advertisers to use account security data for marketing purposes. Specifically, from 2014 to 2019, nearly 150 million users provided personal information under the impression that they were doing so to secure their accounts. Instead of using the information solely for account security purposes, as it had told users, the social media giant allowed advertisers to target “specific advertisements to specific consumers by matching the information with the data they already owned or obtained from data brokers” in violation of the FTC order.

To that end, the FTC ordered Twitter to pay a fine of $150 million. The proposed order prohibits Twitter from profiting from deceptively collected data and also calls for multi-factor authentication methods that do not require users to provide their phone numbers, limits on employee access to users’ personal information, and a comprehensive privacy and information security program.

Main Takeaway

As this case shows, businesses should only process personal data for the purposes for which the data was collected and take care to avoid using the data in ways not intended by a consumer. Several US privacy laws now explicitly state that companies must not process personal data for purposes that are not reasonably necessary or compatible with the specified purposes for which the personal data is processed, unless the company obtains the consent of the data subject beforehand. Companies should pay close attention to their data practices and how they handle personal information, and ensure that these practices comply with their privacy policies.
