Twitter
has agreed to pay a $150,000,000 fine (13% of revenue) to settle FTC allegations that it enticed consumers into sharing personal information under false pretenses.
Twitter began
asking people to provide emails and phone numbers in 2013, explaining
that the information would help them reset accounts or enable two-factor
authentication. However, over the years, the company used those email
addresses and phone numbers as identifiers, sharing them with media
agencies and ad networks to create audiences for online advertising. The Federal Trade Commission viewed this as a "bait-and-switch" tactic in violation of Section 5 of the FTC Act.
When
companies tell consumers they need data for certain reasons, and later
use it for other reasons, it's called "secondary use," and it's frowned
upon by regulators around the globe. Regulators insist on "purpose
limitation," meaning that companies should only use personal data for
the purposes that were described to the consumer at or before the time
the data was collected or used. A new purpose that is very closely related to the original purpose might
be acceptable, but it's a gray area that requires careful legal
judgment.
This is a good reminder that
companies' consumer privacy disclosures should describe *every* likely
use of personal data, *before* the data is collected or used.
If
additional uses are later identified but are not closely related to the original purposes disclosed to consumers, companies must notify consumers of the new use
(or ask for permission, depending upon the type of data and the jurisdiction) before using the data for the additional
purpose.