Twitter acknowledged it could pay up to $250 million to the U.S. Federal Trade Commission for directing targeted advertising to users based off data submitted for security purposes.
In a financial filing submitted to the Securities and Exchange Commission, Twitter estimated it would pay between $150 million and $250 million to the FTC. The penalty comes after the FTC drafted a complaint on July 28 alleging that Twitter used “phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019,” Twitter said in the SEC filing.
The complaint suggests Twitter violated a 2011 FTC consent order that required the company to establish a data security program, which required them to be transparent with users about the security and privacy measures in place. In October 2019, the company said it used email addresses and phone numbers to improve targeted advertising efforts.
Twitter users could share their phone numbers with the company to improve their account security via its two-factor authentication feature. With that protocol, Twitter sends a numerical code to a user phone number through an SMS text message, which adds a layer of security to the log-in process. Twitter has since stopped requiring users to submit their phone number in order to use two-factor authentication.
The company has not said how many people were affected by the issue.
“The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome,” Twitter said in its SEC filing.
Twitter submitted the SEC filing days after it’s second-quarter earnings report, in which the company said its number of daily users had grown by 12% to 186 million people, though its revenue fell by 19% from one year earlier to $683 million.
The company also said that its most recent breach, in which attackers took over accounts belonging to the likes of former President Barack Obama and Amazon founder Jeff Bezos as part of a bitcoin scam, could affect its standing with advertisers. The U.S. Department of Justice has charged two men in connection with that breach, while police in Florida also arrested a 17-year-old who coordinated the scam.
“This security breach may have harmed the people and accounts affected by it,” the SEC filing said. “It may also impact the market perception of our security measures, and people may lose trust and confidence in us, decrease the use of our products and services or stop using our products and services in their entirety.”