Twitter Inc. on Wednesday agreed to new oversight and a $150 million penalty to settle a federal privacy suit, the first major deal between a large tech company and the Biden administration Federal Trade Commission, which has pledged to more aggressively police data abuses.
Federal prosecutors alleged that Twitter collected phone numbers and email addresses for account security measures and then fed the information into its advertising tools, an additional use of the data the government said it failed to disclose. The alleged activity violated a 2011 consent order between the FTC and Twitter that barred it from misrepresenting how it used individuals’ contact information.
FTC Chairwoman Lina Khan, appointed by President Biden last year, has promised expansive use of her agency’s power to scrutinize companies’ data practices and potentially bar certain behaviors.
The pending Twitter settlement, rather than exploring new ground, suggests an extension of how previous administrations used existing enforcement authorities, current and former officials say.
“This is very much a continuation. But this is a strong order,” said Jessica Rich, a former director of the FTC’s Bureau of Consumer Protection who now works for law firm Kelley Drye & Warren LLP. Ms. Rich, who helped put together the 2011 consent order Twitter allegedly violated, said the new order contains provisions that are “much more robust.”
Between 2013 and 2019, Twitter told users that it was collecting their information to enable multifactor authentication measures on their accounts, according to a Justice Department complaint filed on behalf of the FTC. The company didn’t properly notify users that it was then using the information to help sell ads.
The allegedly deceptive behavior affected up to 140 million people, according to a statement from the FTC, which began its probe during the Trump administration.
In a blog post Wednesday, Twitter Chief Privacy Officer Damien Kieran said that user data “may have been inadvertently used for advertising” and that the company resolved the issue in 2019.
As part of the settlement, he said, “we have aligned with the agency on operational updates and program enhancements to ensure that people’s personal data remains secure and their privacy protected.”
The deal comes as Tesla Chief Executive Elon Musk pursues a $44 billion takeover of Twitter. The settlement’s $150 million civil penalty represents about 3% of Twitter’s revenue in 2021.
The FTC order also requires Twitter to notify affected consumers, alert the FTC of future data breaches and undergo independent security audits every other year for the next two decades. The company must provide users multi-factor authentication options that don’t rely on phone numbers, a provision that the FTC has begun pushing this year.
The FTC approved the settlement by a unanimous 4-0 vote.
The deal echoes the FTC’s $5 billion penalty against Meta Platforms Inc. in 2020 for allegedly violating a consent order through deceptive practices such as using personal information from security features to sell ads. The company, formerly known as Facebook, didn’t admit to any wrongdoing as part of the settlement.
Ms. Khan has said she hopes to write privacy rules to bar companies from certain data uses and give her agency authority to levy such fines on first offense. Current and former officials warn the effort would prove to be a resource-intensive process that faces legal hurdles.
Ms. Khan and Democratic FTC Commissioner Rebecca Kelly Slaughter renewed their calls for privacy rules in a statement on Wednesday. Fellow Democrat Alvaro Bedoya was sworn in as an FTC commissioner this month after a lengthy confirmation process, giving their party the majority to push ahead with such regulation.
“In the meantime, we must also hold companies accountable for violating existing laws, including through deceptive disclosures,” Ms. Khan and Ms. Slaughter said in the statement.
Write to David Uberti at david.uberti@wsj.com
Copyright ©2022 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8