By CHHS Extern Quinn Conlan
On May 25, 2022, the Federal Trade Commission (FTC) released a statement announcing a $150 million penalty against Twitter for deceptively collecting user data to sell to advertisers. This is not the first time Twitter has been in the FTC hot seat for inadequate data security. Back in March 2011, the FTC alleged that Twitter had failed to use reasonable and appropriate security measures, and failed to honor consumers’ privacy choices, in violation of FTC Act §5.
As a result, the FTC issued the “2011 Order”, an injunction prohibiting Twitter from “misleading consumers about the extent to which it protects the security, privacy, and confidentiality of nonpublic consumer information, including the measures it takes to prevent unauthorized access to nonpublic information and honor the privacy choices made by consumers” for 20 years. In other words, Twitter was not allowed to misrepresent its security systems and privacy policies. The 2011 Order also required the company to establish and maintain a comprehensive information security program, which would be assessed by an independent auditor.
The 2011 Order is legally significant. While it is a settlement, and therefore not an admission of guilt, it carries the force of law for Twitter’s future actions since the company agreed to change its practices for the next 20 years. Which brings us to the FTC settlement against Twitter today, in 2022. The FTC alleges that Twitter collected personal information from its users, including email addresses and phone numbers, claiming it was for security purposes but then discreetly sold that data to advertisers. This misrepresentation is a violation of the 2011 Order.
As a result, Twitter is settling with the FTC for $150 million in civil penalties and an extension of the injunctions first levied against it in 2011. Twitter is now required to “create and implement a privacy and security program that includes privacy risk assessments, detailed privacy reviews for new or modified products, documentation, data access controls, technical measures to monitor unauthorized access, training, and certifications.” This new program would be periodically reviewed by an independent auditor. The 2022 Settlement also requires stricter security measures to protect user data and prohibits Twitter from collecting data under the guise of security while actually using it for targeted advertising.
While this is certainly more accountability than has previously been exercised by the FTC, is it enough? Many criticize the FTC for punishing big corporations too rarely. The general criticisms are that these settlements do not hold the executives responsible, that the monetary penalty is merely the “cost of doing business,” and that the settlements do not do enough to deter future bad behavior. Additionally, no total restrictions or bars are placed on how companies can manipulate user data.
The FTC acknowledged these criticisms in its statement and argued that the $150 million civil penalty and directive to create a privacy program will have lasting effects on how large corporations treat user data. In other words, it sets an example. It further emphasized that FTC orders are valuable because they demonstrate the government’s expectations for companies’ adherence to federal regulations. The FTC closed its statement by reiterating its commitment to improving policy over time and adapting to privacy concerns as the digital landscape continues to evolve.
While the FTC’s holding Twitter accountable for its abuse of users’ data for profit is a step in the right direction, there is still much to be concerned about when it comes to consumer data. The FTC orders are purely reactive, and while the long-term goal is a change in corporate culture, the order does not prevent data misuse before it happens. Additionally, the fact that Twitter is a repeat offender demonstrates that these FTC orders are worth breaching if Twitter can make a large enough profit margin off of the advertising sales. Due to frustrations with the federal government’s inability or unwillingness to fight these large companies directly, data privacy law has moved down to the State level, with multiple bills being introduced to protect users’ privacy. Only time will tell if agency regulations, State legislation, or Federal legislation will become the foundational legal protection for user data.