On March 11 2011 the Federal Trade Commission (FTC) issued a press release announcing that, by a five-to-zero vote, the commissioners had approved a settlement with Twitter, stemming from charges that the social media and social networking site had deceived consumers by failing to protect personal information and potentially compromising their privacy. Last June, the FTC had charged Twitter with lapses in data security sufficiently serious that hackers were able to gain administrative control of the site, including access to both non-public user information and consumers' private tweets. Hackers could send out phony or spoofed tweets from virtually any user's account. The complaint originally filed against Twitter alleged that there were at least two instances where hackers were able to get control in early 2009, although it is possible there were other times as well.

Twitter's privacy settings ostensibly permit a user to identify tweets as private. The FTC has consistently maintained that when a company posts a privacy statement or policy, the statement does more than seek to form a binding agreement between company and consumer regarding use of the site and the service: it can also make claims, announcing (ie, advertising) the quality, integrity, reliability and security (among other things) of the features, functions and operations of the site, on which the public and each consumer using the service can rely. As the FTC noted in its press release, Twitter's privacy policy states:

"Twitter is very concerned about safeguarding the confidentiality of your personally identifiable information. We employ administrative, physical, and electronic measures designed to protect your information from unauthorized access."

From a regulatory perspective, this statement is viewed as constituting a 'claim' relating to the data protection measures that Twitter utilises and how the company treats customer information and activity.

Although a settlement finalised in a consent agreement does not amount to an admission of liability or a violation of any law or regulation, a final consent order does have the force of law against the company going forward. In this case Twitter has agreed that for the next 20 years, it will:

  • not mislead consumers about the extent to which it protects the security, privacy and confidentiality of non-public consumer information;
  • respect and honour consumers' privacy choices; and
  • not mislead consumers about what it does or how safe the mechanisms are that are designed to prevent unauthorised access.

Twitter also agreed that every two years for the next 10 years, it will have an independent auditor review and evaluate its information security programme.

For further information on this topic please contact Joseph I Rosenbaum at Reed Smith LLP by telephone (+1 212 521 5400) or fax (+1 212 521 5450).