Twitter to pay $150m fine for using private user data to serve ads

Less than two years after Twitter was fined for breaking GDPR data privacy rules, the US Federal Trade Commission (FTC) has announced that the company has been fined once again. According to the FTC, more than 140m users were impacted when Twitter ‘inadvertently’ used email addresses and phone numbers for advertising.

Details of the violation

The FTC, which is responsible for protecting consumers against deceptive practices and enforcing data protection regulations in the United States, together with the Department of Justice, has accused Twitter of processing personal data for purposes other than those disclosed to data subjects.

According to court documents filed this week, more than 140m users shared their phone numbers and email addresses with Twitter between 2013 and 2019 based on “deceptive statements” that the data would be used for account security – to reset passwords, unlock accounts and enable two-factor authentication. However, the FTC claimed that Twitter, having collected users’ data under the pretext of using it for security purposes, also used it to allow advertisers to target specific users with ads.


According to the FTC complaint, by using data subjects’ personal data for purposes other than those disclosed, Twitter violated a 2011 FTC order prohibiting the company from misrepresenting its privacy and security practices.

A settlement was reached between the parties, resulting in Twitter having to pay a $150 million (145 million euros) fine for its violations.

In addition to this fine, Twitter is required to improve its data protection practices, in particular:

  • to terminate the processing of users’ telephone numbers and email addresses,
  • to inform data subjects about improper use of their personal data,
  • to provide users with a multi-factor authentication method that does not require the processing of the aforementioned data,
  • to implement an enhanced privacy and information security program,
  • to notify the FTC about data breaches,
  • to limit employee access to personal data of users.

What should be learned from this?

In the context of Twitter’s violations, organizations should recall the main data processing principles, particularly:

  • “Lawfulness, fairness and transparency” – personal data should be processed on a lawful basis, without misleading data subjects, while being open and honest about the use of personal data.
  • “Purpose limitation” – personal data should only be collected for explicit, specified and legitimate purposes.

It is also important to note that organisations must obtain the explicit consent of data subjects when processing personal data for direct marketing purposes. This consent must be freely given, specific, informed and unambiguous. Organisations must also provide a clear, accessible and easily enforceable possibility to withdraw consent at any time.

Prepared by Brigida Bacienė, Data Protection Expert of ECOVIS ProventusLaw, and Gabija Bacevičiūtė, junior lawyer of ECOVIS ProventusLaw
