Written By ESR News Blog Editor Thomas Ahearn

In May 2022, the Federal Trade Commission (FTC) and the U.S. Department of Justice (DOJ) charged a microblogging and social networking service with allegedly violating a 2011 FTC order that prohibited the company from misrepresenting privacy and security practices and ordered it to pay a $150 million penalty.

According to a complaint filed by the DOJ on behalf of the FTC, in 2013 the company began asking users to provide either a phone number or email address to improve account security such as resetting user passwords, unlocking accounts blocked due to suspicious activity, and enabling two-factor authentication.

From 2014 to 2019, more than 140 million users provided their phone numbers or email addresses after the company told them this information would help secure their accounts but failed to mention that it also would be used for targeted advertising. In addition to the $150 million penalty, the proposed order would:

  • Prohibit the company from profiting from deceptively collected data;
  • Allow users to use other multi-factor authentication methods such as mobile authentication apps or security keys that do not require users to provide their telephone numbers;
  • Notify users that it misused phone numbers and email addresses collected for account security to also target ads to them and provide information about the company’s privacy and security controls;
  • Implement and maintain a comprehensive privacy and information security program that requires the company, among other things, to examine and address the potential privacy and security risks of new products;
  • Limit employee access to users’ personal data; and
  • Notify the FTC if the company experiences a data breach.

The company’s deceptive use of phone numbers and email addresses for targeted advertising also violated the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield agreements, which required participating companies to follow certain privacy principles to legally transfer data from European Union (EU) countries and Switzerland.

“As the complaint notes, (the company) obtained data from users on the pretext of harnessing it for security purposes but then ended up also using the data to target users with ads,” FTC Chair Lina M. Khan stated. “This practice affected more than 140 million users, while boosting (the company’s) primary source of revenue.”

The FTC vote to refer the complaint and stipulated final order to the FOJ for filing was 4-0. The DOJ filed the complaint and stipulated final order in the District Court of Northern California, San Francisco Division. FTC Chair Lina M. Khan and FTC Commissioner Rebecca Kelly Slaughter issued a joint statement

Employment Screening Resources (ESR) is a service offering of ClearStar, a leading HR-technology company specializing in background and medical screening. ClearStar and ESR are certified under the EU-U.S. Privacy Shield and Swiss-U.S. Privacy Shield to protect consumer information. To learn more, contact ESR today.

NOTE: Employment Screening Resources (ESR) – a service offering of ClearStar – does not provide or offer legal services or legal advice of any kind or nature. Any information on this website is for educational purposes only.

© 2022 Employment Screening Resources (ESR) – A Service Offering of ClearStar – Making copies of or using any part of the ESR News Blog or ESR website for any purpose other than your own personal use is prohibited unless written authorization is first obtained from ESR.

Share on Social Media