Twitter to Pay $150 Million Fine Over Using Phone Numbers for Targeted Ads

FTC says personal data collected by Twitter for security purposes was also used for targeted advertising.

Corinne Reichert Senior Writer

Twitter is paying a $150 million penalty as part of a settlement over the US Federal Trade Commission's allegations that it used account security data like phone numbers and email addresses to target advertising at users. 

The company had told users their phone numbers and emails would be used to protect their accounts with two-factor authentication, but then also used them for advertising purposes between 2014 and 2019, the FTC said Wednesday.

"Twitter obtained data from users on the pretext of harnessing it for security purposes, but then ended up also using the data to target users with ads," FTC Chair Lina Khan said in a statement. "This practice affected more than 140 million Twitter users, while boosting Twitter's primary source of revenue."

The conduct violated the FTC Act and the 2011 Commission Act. It also violated the EU-US Privacy Shield and the Swiss-US Privacy Shield agreements, according to the FTC.

Twitter said some of the data was "inadvertently" used for advertising purposes.

"Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way," Twitter said in a blog post. "In reaching this settlement, we have paid a $150M penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people's personal data remains secure and their privacy protected."

Along with agreeing to pay the $150 million penalty, Twitter is prohibited from "profiting from deceptively collected data" and must allow users to use other two-factor methods like security keys and apps. Twitter must also notify its users that it misused their personal data.