FTC Considers Modifying $150 Million Privacy Penalty Against X Over Deceptive Use of Account‑Security Data
What Happened — The U.S. Federal Trade Commission announced it is reviewing a 2022 settlement that imposed a $150 million fine on X (formerly Twitter) for collecting phone numbers and email addresses under the pretext of account security and then selling that data to advertisers. X has petitioned to have the order modified or set aside, arguing the company no longer exists in its prior form and that its new privacy program renders the penalty unnecessary.
Why It Matters for TPRM —
- Regulatory actions can retroactively affect contractual obligations and liability exposure for vendors handling personal data.
- A change to the FTC order could alter compliance requirements for downstream partners that rely on X’s advertising platform or data‑sharing APIs.
- Ongoing public comment signals potential shifts in enforcement posture that may impact broader privacy‑law strategies across the tech sector.
Who Is Affected — Social‑media platforms, digital‑advertising networks, SaaS providers that integrate X’s APIs, and any organization that shares user data with X.
Recommended Actions — Review contracts with X for data‑processing clauses, verify that privacy‑by‑design controls meet current FTC guidance, and monitor the FTC comment period for any amendment that could affect compliance obligations.
Technical Notes — The FTC alleges that X obtained user phone numbers and email addresses under a security pretext, then used the data for targeted advertising, violating a 2011 FTC order prohibiting deceptive privacy practices. No technical vulnerability was disclosed; the issue centers on data‑use policy and regulatory enforcement.
Source: The Record