Social media firm to pay $150 million to settle FTC and DOJ data security probe


On May 25, the DOJ filed a complaint on behalf of the FTC against a global social media company for allegedly misusing users’ phone numbers and email addresses uploaded for security purposes to target users with advertisements. (See also FTC press release here.) According to the complaint, the defendant misled users about the extent to which it maintained and protected the security and confidentiality of users’ non-public contact information. Specifically, from May 2013 to September 2019, the defendant asked users to provide either a phone number or an email address to improve account security. The defendant, however, allegedly failed to inform the more than 140 million users who provided phone numbers or email addresses that their information would also be used for targeted advertising. The FTC claimed that the defendant used the collected information to allow advertisers to target specific advertisements to specific users by matching phone numbers or email addresses with data they already had or obtained from data brokers. The DOJ complaint alleged that the defendant’s conduct violated the FTC Act and the EU-US Privacy Shield and Swiss-US Privacy Shield agreements, which require participating countries to adhere to certain privacy principles in order to lawfully transfer data from the countries of the EU and Switzerland. This conduct would also have violated a 2011 FTC Consent Order with the defendant arising from allegations that the defendant deceived users and endangered their privacy by failing to protect their personal information. According to the DOJ complaint, the 2011 order “specifically prohibits the company from making false representations regarding the security of nonpublic consumer information.”

Under the terms of the proposed order, the defendant would be required to pay a civil penalty of $150 million and implement robust compliance measures to improve its data privacy practices. According to the FTC and DOJ announcements, these measures (i) “would allow users to use other multi-factor authentication methods such as mobile authenticator apps or security keys that do not require that users provide their telephone numbers”; (ii) require Respondent to “notify users that it has misused phone numbers and email addresses collected for account security to also target advertisements to them and provide information about [its] privacy and security controls”; (iii) require Respondent to implement and maintain a comprehensive privacy and information security program, including conducting a “privacy review with a written report prior to implementing any new product or service which collects users’ private information”, regularly testing its data privacy safeguards, and obtaining regular independent evaluations of its data privacy program; (iv) limit employee access to users’ personal data; and (v) require Defendant to notify the FTC of any data breach and provide reports after any data privacy incident affecting 250 or more users. In addition, the defendant would be prohibited from profiting from data collected in a deceptive manner.
