Twitter Used People’s Contact Info for Ads. Now It Is Being Fined $150 Million.

Kaveh Waddell
·3 min read

The Federal Trade Commission says Twitter “deceptively” used security email addresses and phone numbers for targeted advertising

By Kaveh Waddell

To keep accounts safe, Twitter asks users for an email address or phone number, which it says it uses to verify a person’s identity and to help them get into their account if they get locked out. But for more than six years, Twitter also allowed advertisers to use the email addresses and phone numbers for targeted marketing, according to the Federal Trade Commission.

That’s a violation of a binding promise Twitter made in 2011 not to misrepresent how it handles the privacy and security of users’ nonpublic data, the FTC says. Now Twitter is paying $150 million to settle the FTC’s allegations, and the company is barred from making a profit from the data the agency says it collected deceptively.

More than 140 million Twitter users handed over their contact information when prompted, assured by Twitter’s “deceptive statements” that the information would only be used to secure their account, according to the federal government’s official complaint (PDF).

The FTC investigation that led to this settlement was first reported in 2020.

Reusing security information for advertising is particularly harmful because it could make people less likely to use multifactor authentication, which is an important way to keep your accounts safe from attackers. “Doing this might deter people from providing information for a legitimate security purpose,” says Justin Brookman, CR’s director of consumer privacy and technology policy.

Twitter did note in its privacy policy that it would reuse people’s contact information for advertising. But, the FTC says, it wasn’t enough for the company to tuck that statement into a long document that almost nobody reads. Critically, the company didn’t reveal its advertising plans to users when it actually asked for their contact information—then, Twitter only said the information was for security.

“Stating that data is being collected for one purpose and then using it for another purpose is deceptive,” FTC Chair Lina Khan said in a statement (PDF) on Wednesday. And, Khan said, “Burying disclosures in lengthy privacy policies or terms of service documents does not cure deceptive statements the company makes at the time it collects users’ information.”

As a part of Wednesday’s settlement, Twitter agrees to tell the people who were affected by this issue. It also has to draw up new privacy-risk assessments for existing products and conduct privacy reviews when it’s launching a new product or modifying an old one.

“Our settlement with the FTC reflects Twitter’s pre-existing commitments and investments in security and privacy,” Damien Kieran, Twitter’s chief privacy officer, wrote in a tweet on Wednesday. “We will continue to partner with our regulators to make sure they understand how security and privacy practices at Twitter are always evolving for the better.”

The FTC’s complaint against Twitter is awaiting a signature from a federal judge to go into effect.

If you don’t want to use a phone number or an email for two-factor authentication, you can use an authentication app—that’s what Consumer Reports recommends, because texted security codes can be less secure.

You can also opt out of certain kinds of personalized advertising on Twitter with the platform’s privacy tools. Look for “Personalization and data” in your Twitter settings.



More from Consumer Reports:
Top pick tires for 2016
Best used cars for $25,000 and less
7 best mattresses for couples

Consumer Reports is an independent, nonprofit organization that works side by side with consumers to create a fairer, safer, and healthier world. CR does not endorse products or services, and does not accept advertising. Copyright © 2022, Consumer Reports, Inc.