Twitter, the FTC, and Deceptive Practices, New Regulations
On May 25, 2022, the U.S. Federal Trade Commission or the FTC for short fined communications and social media company Twitter $150 million in civil penalties for “violations of Section 5(a) of the Federal Trade Commission Act of 1914 (‘the FTC Act‘) and of a 2011 order previously issued by the FTC, for deceptively using account security data for targeted advertising.” Under the FTC Act, businesses and organizations within the U.S. are prohibited from selling products or services, or obtaining personal information from consumers through the use of deceptive, unfair, or illegal practices. To this point, businesses that fail to adhere to the law are subject to numerous penalties.
What did Twitter do to violate the law?
The violations that were imposed against Twitter in May of 2012 stem from a string of compliance that the FTC filed against the company dating back to 2010. In 2010, the FTC alleged that Twitter effectively failed to protect the personal information of the various users of its site, as hackers had been able to gain unauthorized administrative control of the social media platform. In turn, these hackers were able to access non-public user accounts and information, as well as tweets that had been designated as private. What’s more, the hackers also went so far as to send out fake tweets from legitimate users, including then-Present Barack Obama, as well as major U.S. news channel Fox News, among others.
To accomplish all this, the FTC claimed that the hackers in question used a weak and extremely common lowercase dictionary, that contained neither capital letters, nor special characters, two basic features of strong passwords. According to the FTC, these hackers were able to gain access to the social media site so easily due to various failures on the part of the company as it concerns the safeguarding of their user information and data. Most notably, the FTC claimed that Twitter had misled its users about the steps and measures that the company had taken to protect their data. In the end, the social media company reached a settlement with the FTC, including the mandatory establishment of a comprehensive information security program, among other provisions.
Despite this, the FTC has reported that Twitter failed to comply with the stipulations that were set forth in their 2011 agreement with the FTC, as the company racked up a litany of new violations between 2013 to 2019. During this period of time, the FTC alleges that the company requested a wide range of personal information from its users, including telephone numbers and email addresses, under the guise of providing said users with two-factor authentication in order to better protect their accounts. However, the FTC claims that this information was instead used for the purpose of engaging in targeted advertising, a clear violation of the FTC Act. These target ads led to millions of dollars in revenue for the company.
What are the provisions of Twitter’s new settlement with the FTC?
In addition to paying $150 million in civil penalties for violating the FTC Act, the social media company is also required to implement a variety of procedures aimed at ensuring that the information of its users remains protected from unauthorized access or disclosure. These provisions include:
- Twitter is prohibited from using the information it collected illegally from 2013 to 2019 for the purpose of engaging in any further targeted advertising campaigns.
- Twitter is required to notify all of its users about the FTC law enforcement actions that have been imposed, provide details about the how the company’s improper use of phone numbers and email addresses led to such a decision, and outline the manner in which their users can turn off personalized advertising, as well as review their multi-factor authentication settings.
- Twitter must provide its users with multi-factor authentication settings that do not require said users to provide their phone numbers.
- Twitter must implement a new enhanced privacy and information security program, in conjunction with requirements set forth by the FTC, as well as report any new privacy or security incidents to the FTC within 30 days of such an occurrence.
While many American consumers may view privacy in the context of individual hackers or bad actors looking to pilfer their personal information, the rise of internet access and communication in the past 20 years has completed altered the landscape of privacy and data protection. As such, consumers must also be vigilant about the forms of personal information they submit when using major websites and online applications such as Twitter, as this information can also be used for nefarious purposes. With this being said, the various violations that have been made against Twitter on behalf of the FTC display the potential dangers that can occur when big businesses are not regulated with respect to their collection of personal information.