On Friday, March 11, 2011, the Federal Trade Commission issued a press release announcing that, by a 5-0 vote, the Commissioners had approved a settlement with Twitter, stemming from charges that the social media and social networking site had deceived consumers by failing to protect personal information and potentially compromising their privacy. Last June, the FTC had charged Twitter with lapses in data security sufficiently serious that hackers were able to compromise administrative control, including both non-public user information and consumers’ private tweets. Hackers could send out fraudulent phony or spoofed tweets from virtually any user’s account. The complaint originally filed against Twitter alleged that there were at least two instances where hackers were able to get control in early 2009, although it is possible there were other times as well.
Twitter’s privacy settings ostensibly permit a user to identify tweets as private, and the FTC has consistently maintained that when a company posts a privacy statement or policy, aside from seeking to form a binding agreement between company and consumer regarding use of the site and the service, it also can make claims, announcing (i.e., advertising) the quality, integrity, reliability and security (among other things) of the features, functions and operations of the site that the public and each consumer using the service can rely upon. As the FTC noted in its press release, Twitter’s privacy policy says, "Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access." From a regulatory perspective, this statement is viewed as constituting a ‘claim’ relating to the data protection measures Twitter utilizes and how the company treats customer information and activity.
Although a settlement finalized in a consent agreement doesn’t amount to an admission of liability or a violation of any law or regulation, a final consent order does have the force of law against the company going forward. In this case, Twitter has agreed that for the next 20 years it will (a) not mislead consumers about the extent to which it protects the security, privacy and confidentiality of nonpublic consumer information, (b) respect and honor consumers’ privacy choices, and (c) not mislead consumers about what it does or how safe the mechanisms are that are designed to prevent unauthorized access. Twitter also agreed that every two years for the next ten years, it will have an independent auditor review and evaluate Twitter’s information security program.
Need more information about how the FTC views terms of use, privacy statements and the ‘advertising’ claims that arise in social media? Contact me or the Rimon attorney with whom you regularly work.