The government alleges that Twitter violated the FTC Act and an FTC 2011 order by telling its users that it was collecting their telephone numbers and email addresses for account-security purposes from May 2013 to September 2019, but failed to disclose that it also would use that information to help companies send targeted advertisements to consumers.
As part of the settlement, Twitter will be required to develop and maintain a comprehensive privacy and information-security program, conduct a privacy review with a written report prior to implementing any new product or service that collects users’ private information, and conduct regular testing of its data privacy safeguards.
Twitter also will be required to obtain regular assessments of its data privacy program from an independent assessor, provide annual certifications of compliance from a senior officer, provide reports after any data privacy incidents affecting 250 or more users, and comply with numerous other reporting and record-keeping requirements.
The settlement requires Twitter to notify all U.S. customers who joined Twitter before Sept. 17, 2019, about the settlement and to provide users with options for protecting their privacy and security. It now awaits approval by a federal court.