The Federal Trade Commission (FTC) has issued a $150 million fine against Twitter for misrepresenting its security and privacy practices.
The FTC, in cooperation with the Department of Justice (DoJ), says that Twitter has been using the email addresses and phone numbers it collects from users to enable two-factor authentication to serve targeted advertising.
In addition to the fine for the violation, Twitter has been given a list of do's and don'ts: It's prohibited from making a profit on data collected under the guise of security; it must allow users to use mobile authentication apps and security keys for multifactor authentication, which don't require a user to provide their phone number; it must notify users if their data has been misused; it must implement a comprehensive information security policy; it must limit employee access to personal user data; and it must notify the FTC of any company breaches.
“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads," said FTC Chair Lina M. Khan in a statement about the Twitter security data misuse ruling. "This practice affected more than 140 million Twitter users, while boosting Twitter’s primary source of revenue.”