FTC says personal data collected by Twitter for security purposes was also used for targeted advertising.
Twitter is paying a $150 million penalty as part of a settlement over the US Federal Trade Commission's allegations that it used account security data like phone numbers and email addresses to target advertising at users.
The company had told users their phone numbers and emails would be used to protect their accounts with two-factor authentication, but then also used them for advertising purposes between 2014 and 2019, the FTC said Wednesday.
"Twitter obtained data from users on the pretext of harnessing it for security purposes, but then ended up also using the data to target users with ads," FTC Chair Lina Khan said in a statement. "This practice affected more than 140 million Twitter users, while boosting Twitter's primary source of revenue."
The conduct violated the FTC Act and the 2011 Commission Act. It also violated the EU-US Privacy Shield and the Swiss-US Privacy Shield agreements, according to the FTC.
Twitter said some of the data was "inadvertently" used for advertising purposes.
"Keeping data secure and respecting privacy is something we take extremely seriously, and we have cooperated with the FTC every step of the way," Twitter said in a blog post. "In reaching this settlement, we have paid a $150M penalty, and we have aligned with the agency on operational updates and program enhancements to ensure that people's personal data remains secure and their privacy protected."
Along with agreeing to pay the $150 million penalty, Twitter is prohibited from "profiting from deceptively collected data" and must allow users to use other two-factor methods like security keys and apps. Twitter must also notify its users that it misused their personal data.