Twitter fined $150 million for data privacy violationsTwitter fined $150 million for data privacy violations

Alleged breaches affected more than 140 million users.

The Federal Trade Commission is fining Twitter $150 million in civil penalties for misrepresenting how it handled the private contact information of its users.

In a lawsuit filed with the U.S. District Court for the Northern District of California, the government accused Twitter of “deceiving” users in a practice that affected more than 140 million on its platform.

From May 2013 to September 2019, the social media platform allegedly told users it was collecting their phone numbers and email addresses to secure their accounts but did not say it would also use the data to help companies send them targeted ads.

In addition, the government accused Twitter of falsely claiming that it complied with the European Union-U.S and Swiss-U.S. Privacy Shield Frameworks, which ban companies from using private information in ways not compatible with purposes users have authorized.

Twitter said in a blog that some personal information was "inadvertently used for advertising" following an internal discovery of the incident, which it disclosed in 2019. The issue was fixed on Sept. 17, 2019. Twitter also said it created a data governance committee. Remedies Twitter agreed to pay the penalty and also adopt “significant” new compliance measures to ensure improved data privacy practices, the government said. Such measures include developing and maintaining a comprehensive privacy and information security program, conducting a privacy review and writing a report before implementing any new product or serve that collects users’ private data, and regularly test its data privacy safeguards. Twitter also must get regular assessments of its data privacy program from an independent assessor, provide annual certifications of compliance from a senior officer, provide reports after any data privacy incidents affecting at least 250 users, and comply with other reporting and record-keeping rules. The company must notify all U.S. users who joined the platform before Sept. 17, 2019 about the settlement and provide them with options to protect their privacy and security.