Enforcement Action May 25, 2022 CCPA/CPRA

Twitter/X — Repurposing Security Data for Ads FTC Settlement ($150M)

Penalty: $150M
Enforcement Body:
Date: 2022-05-25
Industry: Technology
What Went Wrong

Twitter told users their phone numbers and email addresses were needed for account security (2FA). Twitter then used that data for targeted advertising without disclosing this to users. Approximately 140 million users were affected. The practice violated Twitter's own privacy policy representations and a prior 2011 FTC consent order requiring a comprehensive privacy program.

The FTC and DOJ reached a $150 million penalty settlement with Twitter for violating a 2011 FTC order and for deceiving users about how the phone numbers and email addresses collected for security purposes were used.

Lessons Learned

Data collected for one purpose cannot be repurposed for another without disclosure and consent. Prior FTC consent orders create heightened obligations — violations carry significantly higher penalties. Security-purpose data (phone numbers for 2FA) is particularly sensitive to repurposing.