Thursday, May 26, 2022

A Cautionary Tale About Secondary Use

Twitter has agreed to pay a $150,000,000 fine (13% of revenue) to settle FTC allegations that it enticed consumers into sharing personal information under false pretenses.

Twitter began asking people to provide emails and phone numbers in 2013, explaining that the information would help them reset accounts or enable two-factor authentication. However, over the years, the company used those email addresses and phone numbers as identifiers, sharing them with media agencies and ad networks to create audiences for online advertising.  The Federal Trade Commission viewed this as a "bait-and-switch" tactic in violation of Section 5 of the FTC Act.

When companies tell consumers they need data for certain reasons, and later use it for other reasons, it's called "secondary use," and it's frowned upon by regulators around the globe. Regulators insist on "purpose limitation," meaning that companies should only use personal data for the purposes that were described to the consumer at or before the time the data was collected or used. 
A new purpose that is very closely related to the original purpose might be acceptable, but it's a gray area that requires careful legal judgment. 

This is a good reminder that companies' consumer privacy disclosures should describe *every* likely use of personal data, *before* the data is collected or used.

If additional uses are later identified but are not closely related to the original purposes disclosed to consumers, companies must notify consumers of the new use (or ask for permission, depending upon the type of data and the jurisdiction) before using the data for the additional purpose.


image of the Federal Trade Commission Building