On May 25, 2022, Twitter reached a proposed $150 million settlement with the Department of Justice (“DOJ”) and the Federal Trade Commission to resolve allegations that the company deceptively used nonpublic user contact information obtained for account security purposes to serve targeted ads to Twitter users. In a complaint filed in federal court, the government alleged that Twitter violated both the FTC Act and a 2011 FTC Order by misrepresenting the extent to which the company maintained and protected users’ nonpublic contact information. The proposed settlement would require Twitter to pay $150 million in civil penalties and implement a comprehensive privacy and information security program “with extensive procedures to safeguard user information and assess internal and external data privacy risks.”

The complaint alleged that from May 2013 to September 2019, Twitter collected phone numbers and email addresses from over 140 million users for account security purposes, but failed to disclose that the users’ contact information also would be used to serve targeted ads to users.

In the complaint, the DOJ and FTC alleged that Twitter’s conduct violated an existing FTC Order, in addition to Section 5(a) of the FTC Act. The existing FTC Order, in effect since 2011, prohibits Twitter from misrepresenting the extent to which it maintains and protects the privacy and security of nonpublic consumer information. The 2011 FTC Order was finalized after Twitter agreed to settle allegations that the company’s data security practices had enabled threat actors to access nonpublic user information and private tweets.

The complaint further alleged that Twitter misrepresented its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, each of which prohibits the processing of personal information in a way that is incompatible with the purposes for which it was collected or authorized by the user to whom it pertains.

The proposed settlement would require Twitter to meet numerous reporting and record-keeping obligations, including conducting privacy reviews and written reports prior to implementing any new product or service that collects users’ nonpublic personal information, and regularly obtaining assessments of its privacy and information security program by an independent assessor approved by the FTC. In addition, the proposed settlement would prohibit Twitter from using the previously collected nonpublic user contact information to serve targeted ads, and require Twitter to notify users that may have been affected by the issue.