When Elon Musk bought Twitter for $44 billion last year, he became the steward of a company enmeshed in longstanding data-privacy problems with the US government.
Twitter had been operating under a consent decree with the US Federal Trade Commission, the government’s consumer-protection watchdog, since 2011. A consent decree—a form of legal settlement—comes with stipulations about how the offending company may operate if it wants to stay in compliance.
But around the time Musk was trying to buy the company in spring 2022, Twitter was already in the process of settling new charges. Twitter violated the first consent decree and the consequences included a major fine—a $150 million civil penalty—and a much stricter set of requirements under a second consent decree.
Among other things, the new consent decree called for Twitter to be extremely careful with users’ private data, submit to even more internal tests and external audits, and to move very slowly when releasing new features that collect data.
Instead, soon after taking over in October 2022, Musk laid off the majority of Twitter’s staff (including many people responsible for data privacy), reportedly told engineers to “self-certify” legal compliance, and quickly launched new features like a revamped subscription service.
Now, a new legal filing confirms that Musk is in deep trouble with the government. If Twitter violated a second consent decree, the civil penalties could be massive and the government would surely give Musk even more stringent requirements on how to run the business.
In March, House Republicans disclosed that the FTC was once again investigating Twitter—this time over the mass layoffs under Musk—framing the probe as politically-motivated.
“Protecting consumers’ privacy is exactly what the FTC is supposed to do,” an agency spokesperson told the House at the time. “It should come as no surprise that career staff at the commission are conducting a rigorous investigation into Twitter’s compliance with a consent order that came into effect long before Mr. Musk purchased the company.”
In July, lawyers for Twitter—now called X Corp.—asked a federal court to end the consent decree governing the company’s data practices, claiming it was “tainted with bias.” It also asked the judge to prevent the FTC from deposing Musk, writing he “is not, and never has been, a party to the consent order.”
The US Justice Department seized on the opportunity not only to rebut Twitter’s argument but to spell out its case against the company. Depositions with five former Twitter employees, the government wrote (pdf), revealed a “chaotic environment at the company that raised serious questions about whether and how Musk and other leaders were ensuring X Corp.’s compliance with the 2022 Administrative Order.”
The government also outlined how difficult it has been to get current employees to testify, which doubles as further evidence for their accusation that the company has let compliance slip without proper staffing. “The FTC has had to focus its prior depositions on former employees because nearly every employee who has been identified as a point person for privacy or data security either resigned or was terminated before the FTC could talk to them.”
The Justice Department filing claims that Twitter was in “privacy compliance chaos” after Musk took over, according to John Davisson, director of litigation at the nonprofit Electronic Privacy Information Center (EPIC). “Responsible officials exited the company, security controls were abandoned, products were introduced or radically altered with no attention paid to user privacy,” Davisson said. “Musk’s erratic decision-making repeatedly put the privacy of users at risk and clearly violated the 2022 consent decree.”
Twitter’s 2022 woes largely stemmed from improperly using cell phone data, provided for two-factor authentication, for advertising purposes.
Kathleen McGee, a partner at the law firm Lowenstein Sandler, called the filing a “roadmap” for the government’s future case against Twitter, and said the Justice Department is already signaling that compliance failures are causing “real consumer harm.” In one footnote, the government pointed to a case where Eli Lilly stock tanked after an account posing as the pharmaceutical company, and verified via X’s pay-to-play Twitter blue service, claimed it was making insulin free. It cost the impersonator just $8 a month to wreak stock market havoc.
If the government finds that Twitter violated the consent decree, it has a few options, Davisson and McGee told Quartz. It can negotiate a third consent decree and levy an even bigger civil penalty than the $150 million Twitter agreed to pay in 2022, it can sue Twitter and hash it out in court if the company won’t agree to settle, it could impose an independent monitor to oversee Twitter’s compliance, or it could limit the ways Twitter makes money off of user data.
In extreme cases, McGee added, the FTC has imposed “injunctive relief” against individual officers of a company—limiting what they’re allowed to do—and made them personally liable under the terms of a settlement agreement. She called this speculative, but said it’s a possible route if they find “active deception” by Twitter’s executives.