
Twitter faces class-action privacy lawsuit for sharing security info with advertisers

Phone numbers for two-factor authentication were used by advertisers.

Alfred Ng Senior Reporter / CNET News

The lawsuit is seeking $5,000 in damages for every person in Washington affected by Twitter's privacy lapse.


Twitter faces a class-action lawsuit for providing advertisers access to people's phone numbers without consent. The complaint, filed Monday in the United States District Court for the Western District of Washington, seeks $5,000 in damages for every person in the state affected by Twitter's privacy misstep. 

The lawsuit alleges that Twitter violated a Washington law against unauthorized procurement or sale of phone records, as well as its users' civil rights to privacy. The complaint says Twitter should compensate for the "mental pain and suffering" it caused users, and is seeking up to $5 million in total. 

Twitter declined to comment.

Advertisers often use phone numbers to connect people's online identities with their offline activities. For example, if you buy fruit with a credit card that has your phone number attached to it, advertisers can link that phone number to online accounts that also include that number. That lets advertisers serve you more ads for fruit.

Twitter allows this type of ad-targeting through its Tailored Audiences network, using phone numbers people give it voluntarily. In October 2019, however, the social network disclosed that advertisers also had access to phone numbers given specifically for security purposes. At the time, Twitter acknowledged the error.

"When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes," Twitter said in its disclosure last year. "This was an error and we apologize."

The phone numbers were required until November 2019 to enroll in Twitter's two-factor authentication, an important security feature that protects your account from hackers (but that's still susceptible to vulnerabilities). 

Phone numbers given for two-factor authentication aren't supposed to be used for advertising because the practice pits privacy and security against each other. The adoption rate for two-factor authentication is low, and it's more difficult to convince people to use this feature if their privacy is at risk. 

Facebook disclosed in March 2019 that it had a similar issue. The social network stopped the practice as part of its $5 billion settlement with the Federal Trade Commission last December. 

Twitter faces a similar order and anticipates a $250 million fine from the FTC for using security data for advertising. 

The company hasn't disclosed how many people were affected by this issue. It declined to provide that information when asked by CNET. 

Darlin Gray, a Twitter user and a Seattle-based designer, filed the lawsuit on behalf of Washington residents affected by Twitter's privacy lapse.

"Those powerful companies disregard their promises to users about privacy because of strong financial incentives," the complaint reads. "Using and trading in private user data can be extraordinarily lucrative for those companies which do so."

Joel Ard, the attorney who filed the case, said it was important to keep companies accountable for privacy violations. 

"You don't have to try to get into a debate over exactly how many dollars it costs to have your privacy invaded," Ard said.
