Twitter was fined £400,000 in December 2020 for breaking Europe's GDPR data privacy rules. The FTC is an independent agency of the US government whose mission is the enforcement of anti-trust law and the promotion of consumer protection. It accuses Twitter of breaching a 2011 FTC order that explicitly prohibited the company from misrepresenting its privacy and security practices. Allow Twitter content? This article contains content provided by Twitter. We ask for your permission before anything is loaded, as they may be using cookies and other technologies. You may want to read Twitter’s cookie policy Authentication violation Ian Reynolds, managing director of computer security firm Secure Team, told the BBC: "Once again, Twitter is violating the trust that their users have in their platform by using their private information to their own advantage and increasing their own revenue." He added: "Twitter led their customers into a false sense of security by acquiring their data through claiming it was for security purposes and protecting their account, but ultimately ended up using the data to target their users with ads. "This reality shows the power that companies still have over your data and that there is a long way to go before users can be comfortable knowing that they have full control over their own digital footprint." In order to authenticate an account, Twitter requires people to provide a telephone number and email address. That information also helps people reset their passwords and unlock their accounts if required, as well as for enabling two-factor authentication. Two-factor authentication provides an extra layer of security by sending a code to either a phone number or email address to help users log into Twitter along with a username and password. But, according to the FTC, until at least September 2019, Twitter was also using that information to boost its advertising business. It is accused of allowing advertisers access to users' security information. In addition to the fine, Twitter must also: stop using the phone numbers and email addresses it illegally collected notify users about its improper use of security information tell users about the FTC law enforcement action explain how to turn off personalised adverts and review multi-factor authentication settings provide multi-factor authentication options that do not need a phone number implement an enhanced privacy and security programme which includes reporting incidents to the FTC within 30 days "The Department of Justice is committed to protecting the privacy of consumers' sensitive data," said Vanita Gupta, the US associate attorney general. "The $150m penalty reflects the seriousness of the allegations against Twitter, and the substantial new compliance measures to be imposed as a result of the proposed settlement will help prevent further misleading tactics that threaten users' privacy." Twitter steps up Ukraine misinformation fight