Regulators slam Twitter with $150M fine over using consumer security data for advertising

The practice violates federal law and a 2011 order from the FTC, which alleged Twitter's failure to safeguard user data led to two breaches.

Twitter on Wednesday agreed to pay a $150 million civil penalty and follow new data privacy practices in order to settle allegations that the company used data collected for account-security purposes for advertising without customer awareness.

A complaint the Justice Department filed this week on behalf of the Federal Trade Commission alleges that Twitter failed to inform more than 140 million users that their phone numbers or emails provided for account security could also be used for targeted advertising. The practice started sometime around 2014 and ended in 2019 when Twitter publicly admitted the “error.” Twitter disclosed the FTC’s investigation in 2020.

The practice violates federal law and the terms of a 2011 settlement with the FTC over Twitter’s failure to safeguard user data, which led to two breaches.

While the fine is just a small fraction of the billion-dollar company’s revenue, it’s the second-largest privacy-related fine from the FTC to date, topped only by a massive $5 billion settlement with Facebook in 2019. Facebook’s settlement also accused the company of using security data for advertising.


“The Department of Justice is committed to protecting the privacy of consumers’ sensitive data,” said Associate Attorney General Vanita Gupta. “The $150 million penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of today’s proposed settlement will help prevent further misleading tactics that threaten users’ privacy.” 

As a part of the order, Twitter agreed to allow users to enable multi-factor authentication apps that don’t require a phone number and to limit employee access to personal data. In 2020 the Justice Department indicted two Twitter employees for using their employee access to spy on Saudi dissidents.

The FTC isn’t the only regulator to slam Twitter’s security measures. New York financial regulators faulted Twitter’s security practices for a 2020 hacking campaign that took over high-profile accounts to promote cryptocurrency scams.

“Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way,” Twitter’s chief privacy officer Damien Kieran wrote in a blog post Wednesday. “In reaching this settlement, we have paid a $150M USD penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected.”

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.
