Twitter has admitted it is facing a fine of up to $250m (£191m) from the US authorities for exploiting users’ phone numbers and email addresses, provided “for safety and security purposes”, to help target advertising.
The fine is the result of violations of Twitter’s 2011 agreement with the US Federal Trade Commission to no longer mislead consumers about how it protects their personal data.
Twitter fessed up to the issue in October last year but claimed it had used the information “inadvertently”, insisting it was simply a “fault”.
At the time, Twitter said the potential data breach involved two cases, the first arising if users clicked or viewed an ad for a mobile application and then interacted with it after May 2018.
“In that case, we may have shared certain data (eg country code, if you engaged with the ad and when, information about the ad etc) with trusted measurement and advertising partners, even if you didn’t give us permission to do so,” the statement said.
The second case involved Twitter showing people ads “based on inferences we made about the devices you use, even if you did not give us permission to do so”, it added.
In that case, data was not used outside the company and did not contain personal information such as passwords or email accounts, Twitter claimed.
Twitter has now been sent a draft complaint by the FTC, detailing alleged violations of the 2011 agreement. Twitter estimates that it could be fined between $150m and $250m, although has only set aside the $150m, according to a filing with the Securities & Exchange Commission.
The document states: “The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.”
In Europe, the incident would count as a major breach of GDPR, although it is not known whether the Irish Data Protection Commission – which governs Twitter – is also investigating the case.
BA allots £20m for GDPR fine but may not pay a penny
Twitter admits GDPR breach after exploiting user data
Oops we did it again: Twitter admits fresh data gaffe
2019 Review of the Year: Why it’s crunch time for GDPR
Irish data regulator issues first GDPR ruling in two years
Now Germans call for GDPR shake-up to avoid ‘collapse’
Brussels urged to act on GDPR failings or risk demise