Social media giant Twitter agreed to a $150 million settlement with the Department of Justice (DOJ) and Federal Trade Commission (FTC) on Wednesday for violating a 2011 administrative order by “misrepresenting” how it used nonpublic user information.

According to a complaint filed in the U.S. District Court for the Northern District of California, from May 2013 to September 2019, Twitter violated the FTC Act by misrepresenting the “controls it implemented to keep user accounts secure” after prompting users for phone numbers and emails for two-factor authentication. The company, in turn, allegedly used that data for targeted advertising without consent.

The complaint further alleged Twitter falsely claimed to comply with then-active Privacy Shield regulations, which prohibited companies from “processing user information in ways that are not compatible with the purposes authorized by users,” according to a DOJ press release.

Twitter agreed to pay the $150 million in civil penalties and implement significant new compliance measures to improve its data privacy practices.

“As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” FTC Chair Lina Khan said in a press release. “This practice affected more than 140 million Twitter users while boosting Twitter’s primary source of revenue.”

Compliance ramifications: The settlement requires Twitter to:

  • Develop and maintain a comprehensive privacy and information security program;
  • Conduct a privacy review prior to implementing any new product or service that collects users’ private information;
  • Conduct regular testing of its data privacy safeguards;
  • Obtain regular assessments of its data privacy program from an independent party;
  • Provide annual certifications of compliance from a senior officer;
  • Provide reports after any data privacy incidents affecting 250 or more users;
  • Notify all U.S. customers who joined Twitter before Sept. 17, 2019, about the settlement; and
  • Provide users with options for protecting their privacy and security.

Twitter response: In a post on its Help Center, Twitter apologized for the alleged misconduct.

“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error, and we apologize,” the company said.

Along with offering a data protection inquiry form for questions regarding data privacy on the platform, Twitter Chief Privacy Officer Damien Kieran wrote, in part, that moving forward the company will be “conducting regular auditing and reporting to ensure we are mitigating risk at every level and function at Twitter.”