Twitter in the United States has been fined $150 million after law enforcement officials accused it of improperly utilizing user data to sell tailored adverts.

According to court records, the Federal Trade Commission (FTC) and the Department of Justice claim that Twitter broke an agreement with regulators.

Twitter has previously stated that it would not provide personal information such as phone numbers and email addresses to advertisers. Federal investigators say the social media company broke those rules.

In December 2020, Twitter was fined £400,000 for violating Europe's GDPR data privacy guidelines. The FTC is an independent US government organization whose aim is to enforce antitrust law and promote consumer protection.

It charges Twitter with violating a 2011 FTC order that expressly prohibits the corporation from misrepresenting its privacy and security procedures.

ICYMI: FTC charges @Twitter with deceptively using account security data to sell targeted ads. FTC and @DOJCivil order Twitter to pay $150 million penalty for violating 2011 FTC order and cease profiting from deceptively collected data: https://t.co/QRWi25K2vo

— FTC (@FTC) May 26, 2022

Twitter's platform, which allows users ranging from consumers to celebrities to corporations to post 280-character messages or tweets, provides the majority of its revenue.

According to a complaint filed on behalf of the FTC by the Department of Justice, Twitter began requesting users in 2013 to supply either a phone number or an email address to strengthen account security.

"As the complaint notes, Twitter obtained data from users on the pretext of harnessing it for security purposes, but then ended up also using the data to target users with ads," said Lina Khan, who chairs the FTC.

"This practice affected more than 140 million Twitter users while boosting Twitter's primary source of revenue."

Authentication violation

Ian Reynolds, managing director of computer security firm Secure Team, told the BBC, "Once again, Twitter is violating the trust that their users have in their platform by using their private information to their own advantage and increasing their own revenue."

He added, "Twitter led their customers into a false sense of security by acquiring their data through claiming it was for security purposes and protecting their account, but ultimately ended up using the data to target their users with ads."

"This reality shows the power that companies still have over your data and that there is a long way to go before users can be comfortable knowing that they have full control over their own digital footprint." In order to authenticate an account, Twitter requires people to provide a telephone number and email address.

Read next: Twitter to pay $150m to settle claims of users’ data misuse

This information is also useful for resetting passwords and unlocking accounts, as well as enabling two-factor authentication.

Two-factor authentication adds an extra layer of protection by delivering a code to either a phone number or an email address to assist users in logging into Twitter in addition to a username and password.

However, according to the FTC, Twitter was also using that information to grow its advertising business until at least September 2019. It is accused of allowing advertisers access to users' security information.

Twitter must:

1. Stop using the phone numbers and email addresses it illegally collected

2. Notify users about its improper use of security information

3. Tell users about the FTC law enforcement action

4. Explain how to turn off personalized adverts and review multi-factor authentication settings

5. Provide multi-factor authentication options that do not need a phone number

6. Implement an enhanced privacy and security program which includes reporting incidents to the FTC within 30 days

"The Department of Justice is committed to protecting the privacy of consumers' sensitive data," said Vanita Gupta, the US associate attorney general.

"The $150m penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of the proposed settlement will help prevent further misleading tactics that threaten users' privacy."