Twitter has revealed it is expecting a $250 million (£192 million) fine from the US Federal Trade Commission (FTC) for misleading users over the use of their data.
The social media giant used phone numbers and emails for targeted advertising between 2013 and 2019, the FTC alleges.
Twitter admitted last year that email addresses and phone numbers had been used for advertising purposes, but said it was done inadvertently.
Twitter generally requests users’ phone numbers and emails for security purposes, including two-factor authentication.
The company is already recovering from a high-profile security breach last month, which it said could have an ‘adverse impact’ on business and reputation.
The US Federal Trade Commission is probing Twitter Inc for alleged violations of a law that prevents the social network from using personal data provided for security purposes to target ads
‘On July 28, 2020, the Company received a draft complaint from the Federal Trade Commission (FTC) alleging violations of the Company’s 2011 consent order with the FTC and the FTC Act,’ Twitter said in its 10-Q filing with the US Securities and Exchange Commission.
‘The allegations relate to the Company’s use of phone number and/or email address data provided for safety and security purposes for targeted advertising during periods between 2013 and 2019.
‘The matter remains unresolved, and there can be no assurance as to the timing or the terms of any final outcome.’
According to the filing from Twitter, the FTC’s complaint, lodged last month, could result in a loss of between $150 million and $250 million.
The FTC allegation followed the announcement of Twitter’s Q2 financial results, released the week prior on July 23.
‘We received a draft complaint from the FTC alleging violations of our 2011 consent order,’ the company told MailOnline.
‘Following standard accounting rules we included an estimated range for settlement in our 10Q filed on August 3.’
The expected fine stems from the alleged violation of an agreement with the FTC in 2011 to no longer mislead its users over the use of personal information.
Before the agreement was signed, the FTC alleged that ‘serious lapses’ in Twitter’s data security allowed hackers to obtain unauthorised control of the site.
This included access to non-public user information such as messages, tweets that consumers had designated as private and the ability to ‘send out phoney tweets from any account’.
Twitter disclosed the practice of using phone numbers and emails for advertising last October but said it was done ‘inadvertently’ and apologised for the ‘error’.
‘We recently discovered that when you provided an email address or phone number for safety or security purposes (for example, two-factor authentication),’ it said in a blog post at the time.
‘This data may have inadvertently been used for advertising purposes, specifically in our and Partner Audiences advertising system.’
Twitter didn’t reveal in the post how long the practice had been going on.
On Twitter, phone numbers were intended to set up two-factor authentication, to help users secure their account from would-be hackers.
If a password is entered incorrectly too many times or Twitter detects a sign-in on a new device that hasn’t been associated with one’s account, the company sends a code to a registered phone number or email address.
However, the company revealed that it inadvertently used the information to help match users’ accounts with stores they may have shopped at.
This allowed ad partners that had access to a person’s phone number – such as a retailer with a rewards program – to match that number with a customer’s Twitter account and advertise directly on the platform.
Twitter said that around 130 accounts were affected in a high-profile hack towards the end of July
‘When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes,’ Twitter said back in October.
‘This was an error and we apologise.’
Twitter’s privacy policy reads: ‘We believe you should always know what data we collect from you and how we use it, and that you should have meaningful control over both.’
The news regarding targeted advertising follows Twitter’s high-profile security breach last month, which targeted 130 user accounts.
Twitter said it is ‘continuing to assess what other malicious activity the attackers may have conducted’ in this week’s filing to the US Securities and Exchange Commission.