If you say you will use information for one purpose, don’t use it for another purpose without getting consent.

The FTC has been saying this for a long time, but it is now taking action against Twitter under both Section 5 of the FTC Act and the EU-U.S. Privacy Shield. In all, the action includes a potential $150 million fine and a prohibition on profiting from deceptively collected data.

“Consumers who share their private information have a right to know if that information is being used to help advertisers target customers,” said U.S. Attorney Stephanie M. Hinds for the Northern District of California. “Social media companies that are not honest with consumers about how their personal information is being used will be held accountable.”

At issue: Twitter asked users to give their phone numbers and email addresses to protect their accounts (for account recovery or multi-factor authentication), but then allowed advertisers to use this data to target specific users. Per the complaint, this affected 140 million users.

Key points:

  • This is a violation of a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices.
  • This is also a violation of the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which prohibit processing personal information in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the individual.

Twitter will be required, among other things, to:

  • Allow users to use other multi-factor authentication methods, such as mobile authentication apps or security keys that do not require users to provide their telephone numbers.
  • Implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products.
  • Limit employee access to users’ personal data.