Twitter collected the data for multiple purposes and did not disclose the advertising purpose
Between 2013 and 2019, Twitter quietly turned a promise of security into an instrument of commerce, collecting phone numbers and email addresses from over 140 million users under the guise of account protection, then using that data to fuel targeted advertising. The Federal Trade Commission and Department of Justice have now extracted a $150 million settlement — not merely as punishment, but as a reminder that trust, once encoded into a legal order, carries consequences when broken. This is not Twitter's first reckoning with the FTC over privacy; it is its second, which makes the violation something more troubling than an oversight. It is a pattern.
- Over six years, Twitter systematically misled users into surrendering personal contact information by framing a commercial data grab as a safety feature.
- The betrayal cuts deep: people who believed they were securing their accounts were unknowingly building the very advertising profiles that would be used to target them.
- This settlement arrives as a second offense — Twitter had already been ordered in 2011 to stop misrepresenting its privacy practices, and it violated that order anyway.
- The $150 million penalty is accompanied by operational restrictions that may sting more: Twitter is now barred from using the misappropriated data for advertising.
- 140 million affected users must be notified, offered ad opt-outs, and given phone-free authentication alternatives — a structural correction forced by regulatory intervention.
- Future violations of the 2011 order now carry explicit financial consequences, signaling that regulators have moved from warning to enforcement mode.
Twitter has agreed to pay $150 million to settle federal charges that it deceived more than 140 million users about why it was collecting their phone numbers and email addresses. From 2013 to 2019, the company prompted users to provide this information under the banner of account security — promising protection, password recovery, and fraud detection. What users were not told was that Twitter would also use their data to build advertising profiles and serve them targeted ads.
The settlement, announced jointly by the FTC and Department of Justice, is the second time Twitter has faced federal action over privacy misrepresentation. A 2011 FTC order had already required the company to maintain honest privacy practices and stop making false claims about user data security. Twitter agreed then that future violations would carry financial penalties. It violated the order anyway.
Beyond the fine, the settlement imposes restrictions that may prove more consequential. Twitter is prohibited from using the data it collected under false pretenses to serve advertisements, and must notify all 140 million affected users — explaining what happened and how to adjust their privacy and advertising settings. The company must also offer multi-factor authentication methods that do not require a phone number, directly addressing the practice of making phone-based security feel like the only option.
The settlement closes with a warning: any further violation of the 2011 order will trigger substantial new penalties. For a company caught twice breaking the same commitment, the regulatory message is unambiguous. Whether the financial and operational consequences will genuinely reshape how Twitter handles user data — or merely redirect the methods — remains an open question.
Twitter has agreed to pay $150 million to settle charges that it systematically deceived millions of users about why it was collecting their most sensitive contact information. Between May 2013 and September 2019, the company asked at least 140 million people to provide phone numbers and email addresses, framing the request as a security measure. Users were told the data would protect their accounts, enable password recovery, and detect suspicious activity. What Twitter did not tell them was that it would also use those numbers and addresses to build detailed advertising profiles and serve them targeted ads.
The settlement, announced by the Federal Trade Commission and Department of Justice, represents the latest chapter in a long history of privacy troubles at the social media giant. The FTC had already taken action against Twitter in 2010, filing a complaint that the company had misrepresented how it protected user privacy and what control users actually had over their own data. That case resulted in a 2011 order requiring Twitter to maintain reasonable safeguards and to stop making false claims about the security and confidentiality of user information. The company agreed that violating this order would trigger substantial financial penalties.
But Twitter violated it anyway. The new complaint alleges that the company knowingly induced users to hand over personal information by claiming security purposes, then exploited that information for commercial gain. The FTC's language was direct: Twitter "also used it to serve targeted ads for Twitter's financial benefit." The company's own messaging to users emphasized the protective value of providing a phone number or email—"Safeguard your account," the prompts read, or "An extra layer of security helps make sure that you, and only you, can access your Twitter account." These statements were not false in themselves. But they were incomplete in a way that mattered. Twitter was collecting the data for multiple purposes, and it did not disclose the advertising purpose to the users whose information it was harvesting.
The $150 million penalty is substantial, but the settlement includes restrictions that may prove more consequential. Twitter is now prohibited from using the phone numbers and email addresses it collected under false pretenses to serve ads. The company must notify the 140 million affected users about the misuse, explain what happened, and tell them how to disable personalized advertising and review their security settings. Twitter must also offer multi-factor authentication options that do not require users to provide a phone number at all—a direct response to the company's past practice of making phone-based security feel mandatory.
The settlement also carries a forward-looking warning. Any future violation of the 2011 FTC order will result in substantial penalties. For a company that has now been caught twice breaking the same privacy commitment, the message is clear: the regulatory patience has worn thin. What remains to be seen is whether the financial hit and operational restrictions will actually change how Twitter approaches user data, or whether the company will find new ways to monetize information it collects under one stated purpose for another.
Notable Quotes
Twitter asked users for personal information for the express purpose of securing their accounts, but then also used it to serve targeted ads for Twitter's financial benefit— Federal Trade Commission
The Hearth Conversation Another angle on the story
Why does it matter that Twitter collected this data for "security" specifically? Couldn't they have just asked users for their phone numbers for advertising and been honest about it?
They could have, and users might have said no. That's the whole point. Security is a legitimate reason people will hand over sensitive contact information. Advertising targeting is not. Twitter essentially got users to volunteer data they might have refused to share if the true purpose had been disclosed.
But did Twitter actually harm these users? They got targeted ads instead of random ones. Is that worse?
The harm isn't just about the ads themselves. It's about consent and control. These 140 million people made a choice based on incomplete information. They thought they were protecting their accounts. They didn't know their phone numbers were being fed into an advertising machine. That's a breach of trust, and it's why the FTC has rules about it.
This is Twitter's second offense on the same issue. Why didn't the 2011 order stop them?
That's the real question. The order existed. Twitter agreed to it. But the company apparently calculated that the profit from misusing the data outweighed the risk of getting caught. It took six years and 140 million users before the FTC came back with enforcement. That's a long runway for a violation.
What changes now?
Twitter has to tell users what happened and give them ways to opt out of personalized ads. They also have to offer security features that don't require a phone number. But the biggest change is probably the threat of future penalties. A company that's been caught twice tends to pay closer attention.