The Federal Trade Commission has finalized a proposed settlement that it announced in June 2010 with social networking site Twitter, which resolved charges that Twitter deceived consumers and put their privacy at risk by failing to safeguard their personal information.

UNITED STATES OF AMERICA BEFORE THE FEDERAL TRADE COMMISSION

COMMISSIONERS: Jon Leibowitz, Chairman William E. Kovacic J. Thomas Rosch, Edith Ramirez, Julie Brill
In the Matter of TWITTER, INC., a corporation

DOCKET NO: C-4316

Case No. 3:22-cv-3070

COMPLAINT FOR CIVIL PENALTIES, PERMANENT INJUNCTION, MONETARY RELIEF, AND OTHER EQUITABLE RELIEF

Plaintiff, the United States of America, acting upon notification and authorization to the Attorney General by the Federal Trade Commission (“FTC” or “Commission”), for its Complaint alleges:

• Plaintiff brings this action against Defendant Twitter, Inc. (“Twitter”) under Section 16(a)(1) of the Federal Trade Commission Act (“FTC Act”), 15 U.S.C. § 56(a)(1), which authorizes Plaintiff to seek, and the Court to order, permanent injunctive relief, monetary relief, civil penalties, and other equitable relief for Twitter’s acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), and a 2011 order previously issued by the FTC for alleged violations of Section 5(a) of the FTC Act. See Exhibit A, In re Twitter, Inc., C-4316, 151 F.T.C. 162 (Mar. 11, 2011) (Decision and Order) (“Commission Order” or “2011 Order”).

• From at least May 2013 until at least September 2019, Twitter misrepresented to users of its online communication service the extent to which it maintained and protected the security and privacy of their nonpublic contact information. Specifically, while Twitter represented to users that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed to disclose that it also used user contact information to aid advertisers in reaching their preferred audiences. Twitter’s misrepresentations violate the FTC Act and the 2011 Order, which specifically prohibits the company from making misrepresentations regarding the security of nonpublic consumer information. Plaintiff therefore seeks civil penalties for Twitter’s violations, as well as a permanent injunction and other equitable relief, to ensure Twitter’s future compliance with the law.

JURISDICTION, VENUE, AND DIVISIONAL ASSIGNMENT

• This Court has subject matter jurisdiction over this action pursuant to 28 U.S.C. §§ 1331, 1337(a), 1345, and 1355, and 15 U.S.C. § 56(l), because it involves claims arising under federal laws regulating commerce and is commenced by the United States of America.

• Venue is proper in this District under 28 U.S.C. §§ 1391(b)(1), (b)(2), (c)(2), (d), and 1395(a), as well as 15 U.S.C. § 53(b), because Twitter has its principal place of business in this District, because Twitter transacts business in this District, and because a substantial part of the events or omissions giving rise to the claims occurred in this District.

• Divisional assignment to the San Francisco or Oakland Division is proper under Local Rule 3-2(c) and (d) because Twitter has its principal place of business in San Francisco and because a substantial part of the events or omissions giving rise to the claims occurred there.

PLAINTIFF

• Plaintiff, the United States of America, brings this action under Sections 5(a) and (l), 13(b), and 16(a)(1) of the FTC Act, 15 U.S.C. §§ 45(a) and (l), 53(b), and 56(a)(1), which prohibit unfair or deceptive acts or practices in or affecting commerce, and the 2011 Order.

DEFENDANT

• Twitter is a Delaware corporation with its principal place of business at 1355 Market Street, Suite 900, San Francisco, California, 94103. Twitter transacts or has transacted business in this District and throughout the United States. At all times material to this Complaint, Twitter has operated its online communication service through its website, www.twitter.com, and through its mobile applications.

COMMERCE

• At all times relevant to this Complaint, Twitter has maintained a substantial course of trade in or affecting commerce, as “commerce” is defined in Section 4 of the FTC Act, 15 U.S.C. § 44.

THE FTC ACT

• Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), prohibits “unfair or deceptive acts or practices in or affecting commerce.”

• Acts or practices are unfair under Section 5(a) of the FTC Act if they cause or are likely to cause substantial injury to consumers that those consumers cannot reasonably avoid themselves and that is not outweighed by countervailing benefits to consumers or competition. 15 U.S.C. § 45(n).

• Misrepresentations or deceptive omissions of material fact constitute deceptive acts or practices prohibited by Section 5(a) of the FTC Act.

• Section 5(l) of the FTC Act, 15 U.S.C. § 45(l), declares that “[a]ny person, partnership, or corporation who violates an order of the Commission after it has become final, and while such order is in effect, shall forfeit and pay to the United States a civil penalty[.]”

THE COMMISSION ORDER

• In the Commission’s 2011 Administrative Complaint in the proceeding bearing Docket No. C-4316 (the “Administrative Complaint”), the Commission charged Twitter with engaging in deceptive acts or practices in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), for its failures to provide reasonable security measures to prevent unauthorized access to nonpublic user information and to honor the privacy choices exercised by Twitter users.

• Specifically, the Administrative Complaint asserted that Twitter had engaged in deceptive acts or practices by misrepresenting that users could control who had access to their tweets through a “protected account” or could send private “direct messages” that could only be viewed by the recipient when, in fact, Twitter lacked reasonable safeguards to ensure those choices were honored, such as restricting employee access to nonpublic user information based on a person’s job requirements.

• The Administrative Complaint also alleged that Twitter had misrepresented the controls it implemented to keep user accounts secure, when, in fact, Twitter lacked reasonable safeguards to limit or prevent unauthorized access to nonpublic user information, such as secure password requirements and other administrative, technical, or physical safeguards. See Exhibit B, In re Twitter, Inc., C-4316, 151 F.T.C. 162 (Mar. 11, 2011) (Administrative Complaint) at ¶¶ 10-12.

• Twitter settled the Commission’s Administrative Complaint with the Commission Order. The Commission Order became final in March 2011 and remains in effect.

• Provision I of the Commission Order, in relevant part, states that respondent, directly or through any corporation, subsidiary, division, website, or other device, in connection with the offering of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, including, but not limited to, misrepresentations related to its security measures to:

  • (a) prevent unauthorized access to nonpublic consumer information; or
  • (b) honor the privacy choices exercised by users.

• The Commission Order defines “nonpublic consumer information” as, in relevant part, “an individual consumer’s:

  • (a) email address...
  • (c) mobile telephone number.”

TWITTER’S NOTICE OF THE COMMISSION ORDER

• Twitter’s General Counsel signed the Commission Order on behalf of Twitter. The Commission served the Commission Order in March 2011.

NATURE OF THE CASE

• Twitter operates an online communication service through its website, www.twitter.com, and through text messaging and mobile applications. The service allows registered users to communicate with one another by posting "tweets," or short messages currently limited to 280 characters or less, with which other users may interact through a "like," reply, or "retweet."

• In order to follow other accounts, or post, like, and retweet tweets, users must register for a Twitter account. The main page for a registered user who navigates to www.twitter.com or who opens the Twitter mobile application is known as a Twitter "timeline." The timeline displays:

  • A stream of tweets from accounts the user has chosen to follow.
  • A search engine.
  • Recommendations for additional accounts to follow.
  • A list of trending topics.
  • Registered users can also navigate to their own profile page to view their own tweets.

• Twitter's service is widely used. As of September 2019, Twitter had more than 330 million monthly active users worldwide, including journalists, celebrities, commercial brands, and government officials.

• Commercial entities regularly use Twitter to promote offers or advertise to consumers, and many tweets contain links to other websites, including websites that users may use to purchase commercial products or services.

• Twitter’s core business model monetizes user information by using it for advertising. Of the $3.4 billion in revenue that Twitter earned in 2019, $2.99 billion flowed from advertising.

• Twitter primarily allows companies to advertise on its service through "Promoted Products," which can take one of three forms:

  • Promoted Tweets, which appear within a user’s timeline, search results, or profile pages, similar to an ordinary tweet.
  • Promoted Accounts, which typically appear in the same format and place as other recommended accounts.
  • Promoted Trends, which appear at the top of the list of trending topics for an entire day.

• Twitter offers various services that advertisers can use to reach their existing marketing lists on Twitter, including:

  • Tailored Audiences: Allows advertisers to target specific groups of Twitter users by matching the telephone numbers and email addresses that Twitter collects to the advertisers' existing lists of telephone numbers and email addresses.
  • Partner Audiences: Allows advertisers to import marketing lists from data brokers like Acxiom and Datalogix to match against the telephone numbers and email addresses collected by Twitter.

• Twitter has provided advertisers the ability to match against lists of email addresses since January 2014 and against lists of telephone numbers since September 2014.

• Twitter has prompted users to provide a telephone number or email address for the express purpose of securing or authenticating their Twitter accounts. However, through at least September 2019, Twitter also used this information to:

  • Serve targeted advertising and further its own business interests through its Tailored Audiences and Partner Audiences services.

• For example, from at least May 2013 until at least September 2019, Twitter collected telephone numbers and email addresses from users specifically for purposes of allowing users to:

  • Enable two-factor authentication.
  • Assist with account recovery (e.g., to provide access to accounts when users have forgotten their passwords).
  • Re-authenticate users (e.g., to re-enable full access to an account after Twitter has detected suspicious or malicious activity).

• From at least May 2013 through at least September 2019, Twitter did not disclose, or did not disclose adequately, that it used these telephone numbers and email addresses to target advertisements to those users through its Tailored Audiences and Partner Audiences services.

• In 2011, after an FTC investigation, Twitter settled allegations that it had misrepresented the extent to which Twitter protected the privacy and security of nonpublic consumer information. The resulting Commission Order, among other things, prohibits Twitter from misrepresenting the extent to which Twitter maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information.

• More than 140 million Twitter users provided email addresses or telephone numbers to Twitter based on Twitter's deceptive statements that their information would be used for specific purposes related to account security. Twitter knew or should have known that its conduct violated the 2011 Order, which prohibits misrepresentations concerning how Twitter maintains email addresses and telephone numbers collected from users.

TWITTER’S BUSINESS ACTIVITIES

Twitter Deceptively Used Information Provided for Two-Factor Authentication to Serve Targeted Advertisements

• Since May 2013, Twitter has allowed users to log into Twitter with two-factor authentication using their telephone numbers. Users who enable this security feature log into their Twitter accounts with their usernames, passwords, and a code texted to their telephone numbers whenever they log in from a new or unrecognized device.

• Twitter prompts users to enable two-factor authentication through notices on their timelines and after users reset their passwords. Twitter also encourages users to turn on two-factor authentication in tweets from Twitter-operated accounts, Help Center documentation, and blog posts.

• To enable two-factor authentication, Twitter users must navigate to an account settings page. After clicking on “Security,” users see a screen similar to the one depicted below:

• When users click on the “Learn more” link, they see a webpage that says, “How to use two-factor authentication.” This page states, in relevant part:

• Two-factor authentication is an extra layer of security for your Twitter account. Instead of only entering a password to log in, you’ll also enter a code or use a security key. This additional step helps make sure that you, and only you, can access your account.

• After clicking on the “Login Verification” checkbox above, users see additional instructions about how to enable two-factor authentication. The last screen in the user flow related to two-factor authentication using a telephone number is similar to the one depicted below:

• Since at least September 2018, Twitter has prompted users to enable two-factor authentication directly on users’ timelines through a prompt similar to the screen depicted below:

• Until September 2019, Twitter did not disclose at any point in the two-factor authentication pathway or in any of the associated links described above that it was using the telephone numbers users provided for two-factor authentication to target advertisements to those users.

• From May 2013, approximately two million users provided a telephone number to enable two-factor authentication.

• The fact that Twitter used the telephone numbers provided for two-factor authentication for advertising would be material to users when deciding whether to provide a telephone number for two-factor authentication. In fact, public reaction to Twitter’s disclosure of this practice in late 2019 was largely negative, with one news outlet describing the practice as “particularly shameful.”

Twitter Deceptively Used Information Provided for Future Account Recovery to Serve Targeted Advertisements

• In June 2015, Twitter began prompting users to add a telephone number to their Twitter accounts as a safeguard in the event of a lost password. Then, in April 2018, Twitter also began prompting users to add an email address.

• Since June 2015, if users do not have a telephone number associated with their accounts, Twitter may prompt the users to add a telephone number through a message similar to the one depicted below:

• Similarly, since April 2018, if a user does not have an email address associated with their account, Twitter may prompt the user to add an email address through a message similar to the one depicted below:

• Through September 2019, Twitter did not disclose at any point in the account recovery pathway or in any of the messages described that it was using the telephone numbers or email addresses users provided for account recovery to target advertisements to those users.

• From June 2015, approximately 37 million users provided a telephone number or email address for account recovery purposes.

• The fact that Twitter used the telephone numbers and email addresses provided by users to safeguard their accounts for advertising would be material to users when deciding whether to provide their information for account recovery purposes.

Twitter Deceptively Used Information Provided for Re-authentication to Serve Targeted Advertisements

• In December 2013, Twitter began requiring users to provide a telephone number or email address for re-authentication (e.g., to re-enable full access to an account after Twitter detected suspicious or malicious activity).

• If Twitter detects suspicious or malicious activity on a user’s account, or suspects that the account may belong to a previously-banned user, Twitter may require the user to re-authenticate by providing a telephone number through a prompt similar to the one depicted below:

• If users click the “Start” button, they are instructed to enter a telephone number through a prompt similar to the one depicted below:

• Similarly, Twitter may require users to provide an email address to re-enable full access to their accounts through a prompt similar to the one depicted below:

• Through September 2019, Twitter did not disclose at any point in the re-authentication pathway that it was using the telephone numbers or email addresses users provided for re-authentication to target advertisements to those users.

• From September 2014, approximately 104 million users provided a telephone number or email address in response to a prompt for re-authentication.

• The fact that Twitter used the telephone numbers and email addresses provided for re-authentication for advertising would be material to users when deciding whether to provide their information in response to a prompt for re-authentication.

Twitter Misrepresented that it Processed Personal Data in Accordance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks

• The European Union and Switzerland have each established regulatory regimes to protect individuals’ right to privacy with respect to the processing of their personal data. Both privacy regimes generally prohibit businesses from transferring personal data to third countries unless the recipient jurisdiction’s laws are deemed to adequately protect personal data.

• To ensure adequate privacy protections for commercial data transfers, the International Trade Administration of the U.S. Department of Commerce (“Commerce”) coordinated with the European Commission and the Swiss Administration to craft the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield” or “Frameworks”). The Frameworks are materially identical.

• To rely on the Privacy Shield for data transfers, a company needed to self-certify and annually affirm to Commerce that it complied with the Privacy Shield Principles (the “Principles”). Of note, Principle 5(a) provided that “[a]n organization may not process personal information in a way that is incompatible with the purposes for which it has been collected or subsequently authorized by the individual.” The Frameworks defined “processing” to include “any operation or set of operations which is performed upon personal data, whether or not by automated means” and includes, among other things, “collection,” “storage,” and “use” of personal information.

• Companies under the enforcement jurisdiction of the FTC, as well as the U.S. Department of Transportation, were eligible to join the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. A company under the FTC’s jurisdiction that self-certified to the Privacy Shield Principles, but failed to comply with the Privacy Shield, may be subject to an enforcement action based on the FTC’s deception authority under Section 5 of the FTC Act.

• Commerce maintains a public website, https://www.privacyshield.gov, where it posts the names of companies that have self-certified to the Privacy Shield. The listing of companies, found at https://www.privacyshield.gov/list, indicates whether the company’s self-certification is current.

• On November 16, 2016, Twitter self-certified its participation in the Privacy Shield. Twitter has reaffirmed its participation in the Privacy Shield to Commerce each year thereafter.

• As described in Paragraphs 30 through 51, through at least September 2019, Twitter deceptively used personal information collected for specific security-related purposes for advertising. Twitter’s use of such personal information for advertising purposes was not compatible with the purposes for which the information was collected, and Twitter did not obtain subsequent authorization from any individual to use such information for advertising.

Ongoing Conduct

• Based on the facts and violations of law alleged in this Complaint, the FTC has reason to believe that Twitter is violating or is about to violate laws enforced by the Commission. Among other things, Twitter is a recidivist that engaged in unlawful conduct even after law enforcement action. In addition, Twitter still makes most of its money by directing advertisements to its users, including by targeting particular users based on information the users provide. Therefore, Twitter has an incentive to resume its unlawful conduct, and it retains the means and ability to do so. Twitter also engaged in the unlawful conduct at issue here from at least January 2014 through at least September 2019—a period of almost six years.

Violations of the FTC Act

Count I. Deceptive Practices Regarding the Use of Telephone Numbers Provided for Two-Factor Authentication

• Paragraphs 1 through 59 are incorporated as if set forth herein.

• As described above in Paragraphs 30 through 38, Twitter represented, directly or indirectly, expressly or by implication, that users’ telephone numbers provided for two-factor authentication would be used for security purposes.

• In numerous instances in which Twitter has made the representation set forth in Paragraph 61, Twitter failed to disclose, or failed to disclose adequately, that Twitter would also use telephone numbers provided by users for two-factor authentication for targeting advertisements to those users.

• Twitter’s failure to disclose or disclose adequately the material information described in Paragraph 62, in light of the representations set forth in Paragraph 61, is a deceptive act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

Count II. Deceptive Practices Regarding the Use of Telephone Numbers and Email Addresses Provided for Account Recovery

• Paragraphs 1 through 59 are incorporated as if set forth herein.

• As described above in Paragraphs 39 through 44, Twitter represented, directly or indirectly, expressly or by implication, that users’ telephone numbers and email addresses provided for account recovery would be used for security purposes.

• In numerous instances in which Twitter has made the representation set forth in Paragraph 65, Twitter failed to disclose, or failed to disclose adequately, that Twitter would also use telephone numbers and email addresses provided by users for account recovery for targeting advertisements to those users.

• Twitter’s failure to disclose or disclose adequately the material information described in Paragraph 66, in light of the representations set forth in Paragraph 65, is a deceptive act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

Count III. Deceptive Practices Regarding the Use of Telephone Numbers and Email Addresses Provided for Re-authentication

• Paragraphs 1 through 59 are incorporated as if set forth herein.

• As described above in Paragraphs 45 through 51, Twitter represented, directly or indirectly, expressly or by implication, that users’ telephone numbers and email addresses provided for account re-authentication would be used for security purposes.

• In numerous instances in which Twitter has made the representation set forth in Paragraph 69, Twitter failed to disclose, or failed to disclose adequately, that Twitter would also use telephone numbers and email addresses provided by users for account re-authentication for targeting advertisements to those users.

• Twitter’s failure to disclose or disclose adequately the material information described in Paragraph 70, in light of the representations set forth in Paragraph 69, is a deceptive act or practice in violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a).

Count IV. Deceptive Practices Regarding Twitter’s Compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks

• Paragraphs 1 through 59 are incorporated as if set forth herein.

• As described in Paragraph 57, Twitter has represented, directly or indirectly, expressly or by implication, that it has complied with the Privacy Shield Principles since at least November 16, 2016.

• In fact, as described in Paragraph 58, until at least September 2019, Twitter failed to comply with the Privacy Shield Principles’ requirement that it may not process personal information in a way that is incompatible with the purposes for which it was collected or subsequently authorized by the individual about whom the information pertains. Therefore, the representation set forth in Paragraph 73 was false or misleading.

• The acts and practices of Twitter as alleged in this Complaint constitute unfair or deceptive acts or practices in or affecting commerce in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C. § 45(a).

Violations of the Commission Order

• Each representation Twitter has made in violation of the Commission Order constitutes a separate violation for which Plaintiff may seek a civil penalty pursuant to Section 5(l) of the FTC Act, 15 U.S.C. § 45(l).

• Section 5(l) of the FTC Act, 15 U.S.C. § 45(l), as modified by Section 4 of the Federal Civil Penalties Inflation Adjustment Act of 1990, 28 U.S.C. § 2461, and Section 1.98(c) of the FTC’s Rules of Practice, 16 C.F.R. § 1.98(c), directs that a defendant who violates an order of the Commission after it has become final, and while such order is in effect, “shall forfeit and pay to the United States a civil penalty of not more than $46,517 for each violation.”

• Sections 5(l) and 13(b) of the FTC Act, 15 U.S.C. §§ 45(l) and 53(b), also authorize this Court to grant an “injunction[] and such other and further equitable relief” as it may deem appropriate to halt and redress violations of any provision of law enforced by the FTC Act and to enforce the Commission Order.

Count V. Misrepresenting the Extent to Which Twitter Maintains and Protects the Privacy of Nonpublic Consumer Information as it Relates to Telephone Numbers Provided for Two-Factor Authentication

• Paragraphs 1 through 59 are incorporated as if set forth herein.

• Provision I of the Commission Order prohibits Twitter from misrepresenting “the extent to which [Twitter] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, including, but not limited to, misrepresentations related to its security measures to: (a) prevent unauthorized access to nonpublic consumer information; or (b) honor the privacy choices exercised by users.”

• As described above in Paragraphs 30 through 38, Twitter represented, directly or indirectly, expressly or by implication, that it would maintain and protect the privacy of users’ telephone numbers collected specifically for purposes of enabling two-factor authentication.

• In fact, Twitter failed to disclose, or failed to disclose adequately, that Twitter would also use the telephone numbers described in Paragraph 81 for targeted advertising.

• Twitter’s failure to disclose or disclose adequately the material information described in Paragraph 82, in light of the representations set forth in Paragraph 81, misrepresented the extent to which Twitter maintains and protects the privacy of nonpublic consumer information.

• Therefore, the representations described in Paragraph 81 violated Provision I of the Commission Order.

Count VI. Misrepresenting the Extent to Which Twitter Maintains and Protects the Privacy of Nonpublic Consumer Information as it Relates to Telephone Numbers and Email Addresses Provided for Account Recovery

• Paragraphs 1 through 59 are incorporated as if set forth herein.
• Provision I of the Commission Order prohibits Twitter from misrepresenting "the extent to which [Twitter] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, including, but not limited to, misrepresentations related to its security measures to: (a) prevent unauthorized access to nonpublic consumer information; or (b) honor the privacy choices exercised by users."
• As described above in Paragraphs 39 through 44, Twitter represented, directly or indirectly, expressly or by implication, that it would maintain and protect the privacy of users’ telephone numbers and email addresses collected for purposes of account recovery.
• In fact, Twitter failed to disclose, or failed to disclose adequately, that Twitter would also use the telephone numbers and email addresses described for targeted advertising.
• Twitter’s failure to disclose or disclose adequately the material information described, in light of the representations set forth above, misrepresented the extent to which Twitter maintains and protects the privacy of nonpublic consumer information.
• Therefore, the representations described violated Provision I of the Commission Order.

Count VII. Misrepresenting the Extent to Which Twitter Maintains and Protects the Privacy of Nonpublic Consumer Information as it Relates to Telephone Numbers and Email Addresses Provided for Re-authentication

• Paragraphs 1 through 59 are incorporated as if set forth herein.
• Provision I of the Commission Order prohibits Twitter from misrepresenting "the extent to which [Twitter] maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, including, but not limited to, misrepresentations related to its security measures to: (a) prevent unauthorized access to nonpublic consumer information; or (b) honor the privacy choices exercised by users."
• As described above in Paragraphs 45 through 51, Twitter represented, directly or indirectly, expressly or by implication, that it would maintain and protect the privacy of users’ telephone numbers and email addresses collected to re-authenticate a user’s Twitter account.
• In fact, Twitter failed to disclose, or failed to disclose adequately, that Twitter would also use the telephone numbers and email addresses for targeted advertising.
• Twitter’s failure to disclose or disclose adequately the material information, in light of the representations set forth above, misrepresented the extent to which Twitter maintains and protects the privacy of nonpublic consumer information.
• Therefore, the representations described violated Provision I of the Commission Order.

CONSUMER INJURY

• Consumers have suffered and will continue to suffer substantial injury as a result of Twitter’s violations of the FTC Act and the 2011 Order.
• In addition, Twitter has been unjustly enriched as a result of its unlawful acts or practices.
• Absent injunctive relief by this Court, Twitter is likely to continue to injure consumers, reap unjust enrichment, and harm the public interest.

PRAYER FOR RELIEF

• Enter judgment against Twitter and in favor of Plaintiff for violating the 2011 Order and the FTC Act as alleged in this Complaint.
• Award Plaintiff monetary civil penalties from Twitter for each violation of the 2011 Order.
• Enter a permanent injunction to prevent future violations by Twitter of the 2011 Order, or as it is subsequently modified by operation of law, and the FTC Act.
• Award monetary and other relief within the Court’s power to grant
• Award any additional relief as the Court determines to be just and proper.

EXHIBIT A

DECISION AND ORDER

• Respondent Twitter, Inc. (“Twitter”) is a Delaware corporation with its principal office or place of business at 795 Folsom Street, Suite 600, San Francisco, CA 94103.
• The Federal Trade Commission has jurisdiction of the subject matter of this proceeding and of the Respondent, and the proceeding is in the public interest.

ORDER 

DEFINITIONS

• Unless otherwise specified, “respondent” shall mean Twitter, its successors and assigns, officers, agents, representatives, and employees.


• “Consumer” shall mean any person, including, but not limited to, any user of respondent’s services, any employee of respondent, or any individual seeking to become an employee, where “employee” shall mean an agent, servant, salesperson, associate, independent contractor, or other person directly or indirectly under the control of respondent.


• “Nonpublic consumer information” shall mean nonpublic, individually-identifiable information from or about an individual consumer, including, but not limited to, an individual consumer’s: (a) email address; (b) Internet Protocol (“IP”) address or other persistent identifier; (c) mobile telephone number; and (d) nonpublic communications made using respondent’s microblogging platform. “Nonpublic consumer information” shall not include public communications made using respondent’s microblogging platform.


• “Administrative control of Twitter” shall mean the ability to access, modify, or operate any function of the Twitter system by using systems, features, or credentials that were designed exclusively for use by authorized employees or agents of Twitter.
• “Commerce” shall mean as defined in Section 4 of the Federal Trade Commission Act, 15 U.S.C. § 44.


I.

IT IS ORDERED that respondent, directly or through any corporation, subsidiary, division, website, or other device, in connection with the offering of any product or service, in or affecting commerce, shall not misrepresent in any manner, expressly or by implication, the extent to which respondent maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, including, but not limited to, misrepresentations related to its security measures to: (a) prevent unauthorized access to nonpublic consumer information; or (b) honor the privacy choices exercised by users.


II.

• the designation of an employee or employees to coordinate and be accountable for the information security program.

• the identification of reasonably-foreseeable, material risks, both internal and external, that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of nonpublic consumer information or in unauthorized administrative control of the Twitter system, and an assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, account takeovers, or other systems failures.

• the design and implementation of reasonable safeguards to control the risks identified through risk assessment, and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures.

• the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding nonpublic consumer information such service providers receive from respondent or obtain on respondent’s behalf, and the requirement, by contract, that such service providers implement and maintain appropriate safeguards; provided, however, that this subparagraph shall not apply to personal information about a consumer that respondent provides to a government agency or lawful information supplier when the agency or supplier already possesses the information and uses it only to retrieve, and supply to respondent, additional personal information about the consumer.
• the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by subparagraph C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.

III.

IT IS FURTHER ORDERED that, in connection with its compliance with Paragraph II of this order, respondent shall obtain initial and biennial assessments and reports (“Assessments”) from a qualified, objective, independent third-party professional, who uses procedures and standards generally accepted in the profession. Professionals qualified to prepare such assessments shall be: a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580. The reporting period for the Assessments shall cover: (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for ten (10) years after service of the order for the biennial Assessments. Each Assessment shall:

• set forth the specific administrative, technical, and physical safeguards that respondent has implemented and maintained during the reporting period;
• explain how such safeguards are appropriate to respondent’s size and complexity, the nature and scope of respondent’s activities, and the sensitivity of the nonpublic personal information collected from or about consumers;

• explain how the safeguards that have been implemented meet or exceed the protections required by Paragraph II of this order; and
• certify that respondent’s security program is operating with sufficient effectiveness to provide reasonable assurance to protect the security, privacy, confidentiality, and integrity of nonpublic consumer information and that the program has so operated throughout the reporting period.

Each Assessment shall be prepared and completed within sixty (60) days after the end of the reporting period to which the Assessment applies. Respondent shall provide the initial Assessment to the Associate Director for Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580, within ten (10) days after the Assessment has been prepared. All subsequent biennial Assessments shall be retained by respondent until the order is terminated and provided to the Associate Director of Enforcement within ten (10) days of request.

IV.

• for a period of three (3) years from the date of preparation or dissemination, whichever is later, all widely-disseminated statements, including, but not limited to, statements posted on respondent’s website that describe the extent to which respondent maintains and protects the security, privacy, confidentiality, or integrity of any nonpublic consumer information, with all materials relied upon in making or disseminating such statements, except that respondent shall not be required to provide any such statements that are made using the Twitter microblogging platform;

• for a period of six (6) months from the date received, all consumer complaints directed at respondent, or forwarded to respondent by a third party, that relate to respondent’s activities as alleged in the draft complaint and any responses to such complaints;

• for a period of two (2) years from the date received, copies of all subpoenas and other communications with law enforcement entities or personnel, if such communications raise issues that relate to respondent’s compliance with the provisions of this order;

• for a period of five (5) years from the date received, any documents, whether prepared by or on behalf of respondent, that contradict, qualify, or call into question respondent’s compliance with this order; and

• for a period of three (3) years after the date of preparation of each Assessment required under Part III of this order, all materials relied upon to prepare the Assessment, whether prepared by or on behalf of the respondent, including but not limited to all plans, reports, studies, reviews, audits, audit trails, policies, training materials, and assessments, for the compliance period covered by such Assessment.

V.

IT IS FURTHER ORDERED that respondent shall deliver a copy of this order to all current and future principals, officers, directors, and managers, and to all current and future employees, agents, and representatives having responsibilities relating to the subject matter of this order. Respondent shall deliver this order to such current personnel within thirty (30) days after service of this order, and to such future personnel within thirty (30) days after the person assumes such position or responsibilities.

VI.

IT IS FURTHER ORDERED that respondent shall notify the Commission at least thirty (30) days prior to any change in the corporation that may affect compliance obligations arising under this order, including, but not limited to, a dissolution, assignment, sale, merger, or other action that would result in the emergence of a successor corporation; the creation or dissolution of a subsidiary, parent, or affiliate that engages in any acts or practices subject to this order; the proposed filing of a bankruptcy petition; or a change in either corporate name or address. ~Provided, however~, that, with respect to any proposed change in the corporation about which respondent learns less than thirty (30) days prior to the date such action is to take place, respondent shall notify the Commission as soon as is practicable after obtaining such knowledge. All notices required by this Paragraph shall be sent by certified mail to the Associate Director, Division of Enforcement, Bureau of Consumer Protection, Federal Trade Commission, Washington, D.C. 20580.

VII.

IT IS FURTHER ORDERED that respondent shall, within sixty (60) days after the date of service of this order file with the Commission a true and accurate report, in writing, setting forth in detail the manner and form in which respondent has complied with this order. Within ten (10) days of receipt of written notice from a representative of the Commission, respondent shall submit additional true and accurate written reports.

VIII.

• any Part in this order that terminates in fewer than twenty (20) years;
• this order if such complaint is filed after the order has terminated pursuant to this Part.

Provided, further, that if such complaint is dismissed or  federal court rules that respondent did not violate any provision of the order, and the dismissal or ruling is either not appealed or upheld on appeal, then the order as to such respondent will terminate according to this Part as though the complaint had never been filed, except that the order will not terminate between the date
such complaint is filed and the later of the deadline for appealing such dismissal or ruling and the date such dismissal or ruling is upheld on appeal.

By the Commission.

ISSUED: March 2, 2011

EXHIBIT 1

For more information, refer to the original source: https://www.ftc.gov/system/files/ftc_gov/pdf/2023062TwitterFiledComplaint.pdf

EXHIBIT 2

EXHIBIT 3