The Federal Trade Commission (FTC) and the Department of Justice say Twitter violated an agreement to not give personal information like phone numbers and email addresses to advertisers, court documents showed.

Federal investigators say the social media company broke those rules and is now being fined  $150m (£119m). This comes after Twitter was fined £400,000 in December 2020 for breaking Europe’s GDPR data privacy rules.

The FTC accuses Twitter of breaching a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices. “As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes, but then ended up also using the data to target users with ads,” said Lina Khan, who chairs the FTC.

She continues: “This practice affected more than 140 million Twitter users while boosting Twitter’s primary source of revenue.”

Ian Reynolds, managing director of computer security firm Secure Team, adds: “Twitter led their customers into a false sense of security by acquiring their data through claiming it was for security purposes and protecting their account, but ultimately ended up using the data to target their users with ads […] This reality shows the power that companies still have over your data and that there is a long way to go before users can be comfortable knowing that they have full control over their own digital footprint.”

In addition to the fine, the social media platform must also stop using the phone numbers and email addresses it illegally collected, notify users about its improper use of security information, tell users about the FTC law enforcement action, explain how to turn off personalized adverts and review multi-factor authentication settings, provide multi-factor authentication options that do not need a phone number, and implement an enhanced privacy and security program which includes reporting incidents to the FTC within 30 days.

Vanita Gupta, the US associate attorney general, states: “The $150m penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of the proposed settlement will help prevent further misleading tactics that threaten users’ privacy.”