FTC To Twitter: Do What You Say (Or Pay $150M If You Don't) - Privacy Protection


Privacy law 101 includes a simple but important concept:
organizations may only use the personal information they collect
for what they say they will, and how they say they will. According to the Federal Trade Commission
(“FTC”) and the Department of Justice
(“DOJ”), Twitter got this wrong – and it is going to
cost Twitter $150M as a result.

On May 25, 2022, Twitter reached a proposed settlement with the DOJ and the FTC
to resolve allegations that Twitter violated the FTC Act and an Order issued by the FTC in 2011 by
misrepresenting how it would make use of users’ personal
information, including users’ nonpublic contact
information.

“As the complaint notes, Twitter obtained data from users
on the pretext of harnessing it for security purposes but then
ended up also using the data to target users with ads,” said
FTC Chair Lina M. Khan. “This practice affected more than 140
million Twitter users, while boosting Twitter’s primary source
of revenue.”

U.S. Attorney Stephanie M. Hinds for the Northern District of
California noted, “Consumers who share their private
information have a right to know if that information is being used
to help advertisers target customers. Social media companies that
are not honest with consumers about how their personal information
is being used will be held accountable.”

The Complaint alleged that from May 2013 until at least
September 2019, Twitter misrepresented to more than 140 million
users the extent to which it maintained and protected the security
and privacy of their nonpublic contact information. Twitter told
users that it collected their phone numbers and email addresses to
secure their accounts – but, according to the Complaint,
failed to disclose that it also used this information for
advertising purposes. The Complaint alleged that these
misrepresentations violated the FTC Act, as well as the 2011 FTC
Order that specifically prohibited Twitter from making
misrepresentations regarding the security of nonpublic consumer
information.

The Complaint also alleged that Twitter misrepresented that it
processed personal information of its users in accordance with the
EU-US and Swiss-US Privacy Shield Frameworks. Under such
frameworks, Twitter self-certified, among other things, that it
would not process user personal information in a way that is not
compatible with the purposes for which it was collected or
subsequently authorized by the user. While these frameworks have
been largely forgotten by many organizations due to their
invalidation as a data transfer mechanism by the Court of Justice of
the European Union, representations that organizations made (and
continue to make via their neglected privacy policies) under
those frameworks can live on.

In addition to requiring payment of $150 million in civil penalties, the
proposed settlement would (a) prohibit Twitter from profiting from
deceptively collected data, and would require Twitter to: (b) allow users to use other
multi-factor authentication methods such as mobile authentication
apps or security keys that do not require users to provide their
telephone numbers; (c) notify users that it misused phone numbers
and email addresses collected for account security to also target
ads to them and provide information about Twitter’s privacy and
security controls; (d) implement and maintain a comprehensive
privacy and information security program that requires the company,
among other things, to examine and address the potential privacy
and security risks of new products; (e) limit employee access to
users’ personal data; and (f) notify the FTC if the company
experiences a data breach.

Organizations should be very careful when drafting notices to
consumers about how they will handle consumers’ personal
information. When developing a privacy program, organizations
must fully review their entire data collection processes, including
all notices provided during the consumer journey. If there are
inconsistencies between the organization's consumer notices and its
data collection and use practices (e.g., you tell consumers that you
will only use their email address for one thing when they provide
it to you, but your privacy policy says you will use that
information for a whole host of other things), chances are
regulators will construe those inconsistencies in favor of the
consumer. It is also important to note that burying content about
data use in a privacy policy is unlikely to constitute notice to
consumers where the user experience says something different.

The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.
