FTC Continues to Crack Down on Deceptive Data Practices
Most of the legal discussion about Twitter lately has been about “Free Speech” and whether Twitter is effectively a public forum. But now, additional legal questions are being asked regarding Twitter: data privacy questions. The Federal Trade Commission (FTC) is penalizing Twitter, Inc. for using account security data for targeted advertising.
Twitter had asked users to provide their phone numbers and email addresses to protect their accounts. Twitter then used that information for a secondary purpose, providing it to advertisers so advertisers could perform targeted advertising on Twitter users.
Twitter’s behavior was further exacerbated by the fact that it was in violation of a 2011 FTC order that explicitly prohibited them from misrepresenting their privacy and security practices. Twitter may have to pay a $150 million penalty and be prohibited from profiting from the data that they sold to advertisers in violation of the 2011 order.
More than 140 million Twitter users were affected by Twitter’s violation of the 2011 order.
Assuming the facts that the FTC put forward regarding Twitter’s behavior are true, Twitter’s culpability is clear, as they would have violated the 2011 FTC order. This would be at least a malum prohibitum violation; that is, the behavior was wrong because it was specifically prohibited.
But is Twitter’s behavior malum in se as well? (Wrong or evil in itself.)
The Fair Information Privacy Principles (FIPPs) are a good starting point to make that analysis. The eight FIPPs are the Collection Limitation Principle, the Data Quality Principle, the Purpose Specification Principle, the Use Limitation Principle, the Security Safeguards Principle, the Openness Principle, the Individual Participation Principle, and the Accountability Principle.
Twitter’s collection of personal data seems to have been limited and obtained by lawful and fair means, with the knowledge and consent of the data subject, consistent with the Collection Limitation Principle.
Their collection of personal data also seems to have been consistent with the Data Quality Principle: the personal data was relevant to the purposes for which it was used and ostensibly accurate, complete, and reasonably up-to-date.
Their collection of personal data was NOT consistent with the Purpose Specification Principle. Twitter did not specify to users at the time that it was collected that the data would be used in the way that it ultimately was.
Their collection and use of personal data was NOT consistent with the Use Limitation Principle. They did use the collected data for purposes other than those they specified at collection and did so without the data subject’s consent and without authority of law.
Twitter’s processing of personal data was ostensibly consistent with the Security Safeguards Principle. They appear to have utilized reasonable security safeguards to protect the personal data.
It isn’t clear whether Twitter’s data practices were consistent with the Openness Principle. They may have subsequently notified users in their privacy policy about the shifting use of the data they collected.
Twitter is presumptively fulfilling data rights requests for EU users, CA users, and other users where they are obligated to by law, so, at least in some respects, they are aligning their behavior with the Individual Participation Principle.
Twitter’s behavior in this instance does not seem to be consistent with the Accountability Principle. They should be accountable for complying with measures which give effect to the other principles. However, one such measure would have been obeying the 2011 FTC order, which the FTC alleges that Twitter did not obey.
The Fair Information Privacy Principles are not law, and violating them does not mean that Twitter has done anything wrong. They are, however, a good tool for analyzing a company’s behaviors with respect to data privacy. Some good tools for complying with data privacy laws are the Clarip suite of data privacy tools. Clarip’s automated data subject request fulfillment, data mapping, consent management, and vendor management are all valuable for companies in meeting their data privacy compliance needs. Visit us at www.clarip.com or call us at 1-888-252-5653 to learn more.