`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 1 of 25
`
`
`
`
`MICHAEL F. RAM (SBN 104805)
`MORGAN & MORGAN COMPLEX
`LITIGATION GROUP
`711 Van Ness Avenue, Suite 500
`San Francisco, CA 94102
`Telephone:
`(415) 358-6913
`Facsimile:
`(415) 358-6923
`mram@ForThePeople.com
`
`JOHN A. YANCHUNIS
`(Pro Hac Vice application forthcoming)
`JEAN SUTTON MARTIN
`(Pro Hac Vice application forthcoming)
`PATRICK A. BARTHLE II
`(Pro Hac Vice application forthcoming)
`MORGAN & MORGAN COMPLEX
`LITIGATION GROUP
`201 N. Franklin Street, 7th Floor
`Tampa, Florida 33602
`Telephone: (813) 559-4908
`Facsimile: (813) 222-4795
`jyanchunis@forthepeople.com
`jeanmartin@ForThePeople.com
`pbarthle@ForThePeople.com
`
`
`Attorneys for Plaintiff and the Proposed Class
`
`
`
`
`
`
`UNITED STATES DISTRICT COURT
`NORTHERN DISTRICT OF CALIFORNIA
`
`LAUREN PRICE, individually and on behalf
`of all other similarly situated,
`
`
`Plaintiff,
`
`
`v.
`
`TWITTER, INC., a corporation,
`
`
`
`
`Defendant.
`
`Case No.
`
`CLASS ACTION COMPLAINT
`
`CLASS ACTION FOR
`(1) BREACH OF CONTRACT;
`(2) BREACH OF IMPLIED CONTRACT;
`(3) VIOLATION OF UCL, CAL BUS. &
`PROF. CODE §§ 17200, ET. SEQ., and
`(4) UNJUST ENRICHMENT
`
`DEMAND FOR JURY TRIAL
`
`
`
`CLASS ACTION COMPLAINT
`
`
`
`
`
`
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 2 of 25
`
`
`CLASS ACTION COMPLAINT
`
`
`
`Plaintiff Lauren Price, individually and on behalf of all others similarly situated, files this
`
`Class Action Complaint against defendant Twitter, Inc. (“Twitter” or “Defendant”), and in support
`
`states the following.
`
`1.
`
`
`Twitter operates an online communication service
`
`through
`
`its website,
`
`INTRODUCTION
`
`www.twitter.com, and through text messaging and mobile applications. The service allows
`
`registered users to communicate with one another by posting “tweets,” or short messages currently
`
`limited to 280 characters or less, with which other users may interact through a “like,” reply, or
`
`“retweet.”
`
`
`
`2.
`
`In order to follow other accounts, or post, like, and retweet tweets, users must register
`
`for a Twitter account.
`
`3.
`
`This lawsuit concerns Twitter’s surreptitious and undisclosed use of Plaintiff’s and
`
`Class Members’ telephone numbers and email addresses (hereinafter “Personal Information”) for
`
`advertising and marketing purposes, and, ultimately, its own unjust enrichment.
`
`4.
`
` Twitter solicited and collected Plaintiff’s and Class Members’ telephone numbers
`
`and email addresses under the guise that they were to be used for various account security related
`
`functions, including two-factor authentication, account recovery, and account re-authentication, as
`
`further described below.
`
`5.
`
`In reality, Twitter was also using this Personal Information of Plaintiff and Class
`
`Members to line its own pockets—specifically, it utilized the provided telephone numbers and email
`
`addresses in its “Tailored Audiences” and “Partner Audiences” marketing products, thereby
`
`permitting advertisers to target specific groups of Twitter users by matching the telephone numbers
`
`
`and email addresses that Twitter collected to the advertisers’ existing (or purchased) lists of
`
`telephone numbers and email addresses.
`
`6.
`
`On May 25, 2022, the Attorney General by the Federal Trade Commission (“FTC”
`
`or “Commission”) filed a complaint concerning this conduct and likewise announced that Twitter
`
`will pay a $150 million fine to settle the allegations. See United States of America v. Twitter, Inc.,
`
`
`
`2
`
`CLASS ACTION COMPLAINT
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 3 of 25
`
`
`Case No. 3:22-cv-3070. ECF. No. 1 (N.D. Cal.) (“2022 FTC Complaint”); Federal Trade Comm.
`
`Twitter to pay $150 million penalty for allegedly breaking its privacy promises – again (May 25,
`
`2022), available at https://www.ftc.gov/business-guidance/blog/2022/05/twitter-pay-150-million-
`
`penalty-allegedly-breaking-its-privacy-promises-again.
`
`7.
`
`This case seeks vindication and recompense on behalf of the individual consumers
`
`
`whose personal information was connivingly collected and deployed.
`
`THE PARTIES
`
`8.
`
`Plaintiff Lauren Price is an adult domiciled in Maryland and has an active Twitter
`
`account and had an active account during the entire Class Period.
`
`9.
`
`
`Plaintiff Lauren Price is a Twitter user who between May 2013 and September 2019
`
`provided her telephone numbers and/or email addresses (hereinafter “Personal Information”) to
`
`Twitter regarding two-factor authentication, account recovery, and/or account re-authentication. She
`
`brings claims on behalf of other similarly-situated Twitter users in the United States (the “Class”
`
`defined in Paragraph 73, hereinafter the members of the Class are referred to as “Class Members”)
`
`arising from Twitter’s knowing, unauthorized, and undisclosed use of their Personal Information for
`
`advertising and/or marketing purposes.
`
`12.
`
`Twitter is a Delaware corporation with its principal place of business at 1355 Market
`
`Street, Suite 900, San Francisco, California, 94103. Twitter transacts or has transacted business in
`
`this District and throughout the United States. At all times material to this Complaint, Twitter has
`
`operated its online communication service through its website, www.twitter.com, and through its
`
`mobile applications.
`
`JURISDICTION AND VENUE
`
`13.
`
`This Court has personal jurisdiction over Defendant because Twitter’s principal
`
`
`place of business is in California. Additionally, Defendant is subject to specific personal
`
`jurisdiction in this State because a substantial part of the events and conduct giving rise to Plaintiff’s
`
`and Class members’ claims occurred in this State, including Google servers in California receiving
`
`the intercepted communications and data at issue, and because of how employees of Google in
`
`California reuse the communications and data collected.
`
`
`
`3
`
`CLASS ACTION COMPLAINT
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 4 of 25
`
`
`14.
`
`This Court has subject matter jurisdiction over this entire action pursuant to the Class
`
`Action Fairness Act (“CAFA”), 28 U.S.C. § 1332(d), because this is a class action in which the
`
`amount in controversy exceeds $5,000,000, and at least one Class member is a citizen of a state
`
`other than California or Delaware.
`
`15.
`
`Venue is proper in this District because a substantial portion of the events and actions
`
`
`giving rise to the claims in this matter took place in this judicial District. Furthermore, Twitter is
`
`headquartered in this District and subject to personal jurisdiction in this District.
`
`FACTUAL ALLEGATIONS CONCERNING TWITTER
`
`I.
`
`Twitter’s History of Privacy Violations & Its Agreement with the FTC
`
`
`16.
`
`Twitter’s violation of consumers’ privacy rights is not new – it has been persistent
`
`and pervasive for at least a decade.
`
`17.
`
`In 2011, the FTC charged Twitter with engaging in deceptive acts or practices in
`
`violation of Section 5(a) of the FTC Act, 15 U.S.C. § 45(a), for its failures to provide reasonable
`
`security measures to prevent unauthorized access to nonpublic user information and to honor the
`
`privacy choices exercised by Twitter users. See, In re Twitter, Inc., C-4316, 151 F.T.C. 162 (Mar.
`
`11, 2011) (Administrative Complaint) at ¶¶ 13-17. 1
`
`18.
`
`Specifically, the Administrative Complaint asserted that Twitter had engaged in
`
`deceptive acts or practices by misrepresenting that users could control who had access to their tweets
`
`through a “protected account” or could send private “direct messages” that could only be viewed
`
`by the recipient when, in fact, Twitter lacked reasonable safeguards to ensure those choices were
`
`honored, such as restricting employee access to nonpublic user information based on a person’s job
`
`requirements. See Administrative Complaint at ¶¶ 6, 11-12.
`
`19.
`
`
`The Administrative Complaint also alleged that Twitter had misrepresented the
`
`controls it implemented to keep user accounts secure, when, in fact, Twitter lacked reasonable
`
`safeguards to limit or prevent unauthorized access to nonpublic user information, such as secure
`
`
`
`1 The 2011 Administrative Complaint is also available at:
`https://www.ftc.gov/sites/default/files/documents/cases/2011/03/110311twittercmpt.pdf (last
`visited May 27, 2022).
`
`
`
`4
`
`CLASS ACTION COMPLAINT
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 5 of 25
`
`
`password requirements and other administrative, technical, or physical safeguards. See
`
`Administrative Complaint at ¶¶ 10-12.
`
`20.
`
`Twitter entered a consent settlement to resolve the Commission’s Administrative
`
`Complaint for alleged violations of Section 5(a) of the FTC Act which was memorialized in a 2011
`
`order issued by the FTC. See In re Twitter, Inc., C-4316, 151 F.T.C. 162 (Mar. 11, 2011) (Decision
`
`
`and Order) (“Commission Order” or “2011 Order”).2 The Commission Order became final in March
`
`2011 and remains in effect. See Commission Order, Provision VIII.
`
`21.
`
`Provision I of the Commission Order, in relevant part, states:
`
`IT IS ORDERED that respondent, directly or through any
`
`corporation, subsidiary, division, website, or other device, in
`connection with the offering of any product or service, in or affecting
`commerce, shall not misrepresent in any manner, expressly or by
`implication, the extent to which respondent maintains and
`protects the security, privacy, confidentiality, or integrity of any
`nonpublic consumer information, including, but not limited to,
`misrepresentations related to its security measures to: (a) prevent
`unauthorized access to nonpublic consumer information; or (b) honor
`the privacy choices exercised by users.
`
`See Commission Order, Provision I (emphasis added). The Commission Order required Twitter to
`
`refrain from such misrepresentations for a period of 20 years from the date of the Order (at least
`
`March 2, 2031). See Commission Order, Provision VIII.
`
`22.
`
`Importantly, the Commission Order defines “nonpublic consumer information” as,
`
`in relevant part, “an individual consumer’s: (a) email address… [and] (c) mobile telephone
`
`number[.]” See Commission Order, Definition 3.
`
`II.
`
`Twitter Misrepresented the Purposes for Which it Collected Plaintiff’s and Class
`Members’ Telephone Numbers and Email Addresses
`
`23.
`
`Twitter’s platform is widely used. As of September 2019, Twitter had more than 330
`
`
`million monthly active users worldwide, which included journalists, celebrities, commercial brands,
`
`and government officials.
`
`
`
`2 The 2011 Commission Order is also available at:
`https://www.ftc.gov/sites/default/files/documents/cases/2011/03/110311twitterdo.pdf (last
`visited May 27, 2022).
`
`
`
`
`5
`
`CLASS ACTION COMPLAINT
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 6 of 25
`
`
`24.
`
`Commercial entities regularly use Twitter to advertise to consumers. Indeed,
`
`Twitter’s core business model monetizes user information by using it for advertising. In fact, of the
`
`$3.4 billion in revenue that Twitter earned in 2019, $2.99 billion flowed from advertising.
`
`25.
`
`Twitter primarily allows companies to advertise on its service through “Promoted
`
`Products,” which can take one of three forms: (1) Promoted Tweets, which appear within a user’s
`
`
`timeline, search results, or profile pages, similar to an ordinary tweet; (2) Promoted Accounts, which
`
`typically appear in the same format and place as other recommended accounts; and (3) Promoted
`
`Trends, which appear at the top of the list of trending topics for an entire day.
`
`26.
`
`Twitter offers various services that advertisers can use to reach their existing
`
`
`marketing lists on Twitter, including “Tailored Audiences” and “Partner Audiences.” Tailored
`
`Audiences allows advertisers to target specific groups of Twitter users by matching the telephone
`
`numbers and email addresses that Twitter collects to the advertisers’ existing lists of telephone
`
`numbers and email addresses. Partner Audiences allows advertisers to import marketing lists from
`
`data brokers like Acxiom and Datalogix to match against the telephone numbers and email
`
`addresses collected by Twitter. Twitter has provided advertisers the ability to match against lists of
`
`email addresses since January 2014 and against lists of telephone numbers since September 2014.
`
`27.
`
`Twitter has prompted users to provide a telephone number or email address for the
`
`express purpose of securing or authenticating their Twitter accounts. However, through at least
`
`September 2019, Twitter also used this information to serve targeted advertising and further its own
`
`business interests through its Tailored Audiences and Partner Audiences services. For example,
`
`from at least May 2013 until at least September 2019, Twitter collected telephone numbers and
`
`email addresses from users specifically for purposes of allowing users to enable two-factor
`
`authentication, to assist with account recovery (e.g., to provide access to accounts when users have
`
`
`forgotten their passwords), and to re-authenticate users (e.g., to re-enable full access to an account
`
`after Twitter has detected suspicious or malicious activity). From at least May 2013 through at least
`
`September 2019, Twitter did not disclose, or did not disclose adequately, that it used these telephone
`
`numbers and email addresses to target advertisements to those users through its Tailored Audiences
`
`and Partner Audiences services.
`
`
`
`6
`
`CLASS ACTION COMPLAINT
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 7 of 25
`
`
`28.
`
`As noted above, the 2011 Commission Order, among other things, prohibited Twitter
`
`from misrepresenting the extent to which Twitter maintains and protects the security, privacy,
`
`confidentiality, or integrity of any nonpublic consumer information.
`
`29.
`
`Yet, from at least May 2013 until at least September 2019, Twitter misrepresented
`
`to users of its online communication service the extent to which it maintained and protected the
`
`
`security and privacy of their Personal Information. Specifically, while Twitter represented to users
`
`that it collected their telephone numbers and email addresses to secure their accounts, Twitter failed
`
`to disclose that it also used user’s Personal Information to aid advertisers in reaching their preferred
`
`audiences. Twitter’s misrepresentations violate the FTC Act and the 2011 Order, which specifically
`
`
`prohibited the company from making misrepresentations regarding the security of nonpublic
`
`consumer information like the Personal Information
`
`30.
`
`According to the 2022 FTC Complaint, more than 140 million Twitter users
`
`provided email addresses or telephone numbers to Twitter based on Twitter’s deceptive statements
`
`that their information would be used for specific purposes related to account security. Twitter knew
`
`or should have known that its conduct violated the 2011 Order, which prohibits misrepresentations
`
`concerning how Twitter maintains email addresses and telephone numbers collected from users.
`
`31.
`
`Technology companies like Twitter recognize the monetary value of users’ personal
`
`information, insofar as they encourage users to install applications explicitly for the purpose of
`
`selling that information to technology companies in exchange for monetary benefits.3
`
`32.
`
`Through its deceptive information collection techniques and misrepresentations,
`
`Twitter is unjustly enriching itself at the cost of consumer choice, when the consumer would
`
`
`
`
`3 Kari Paul, Google launches app that will pay users for their data, The Guardian (June 11,
`2019), https://www.theguardian.com/technology/2019/jun/11/facebook-user-data-app-privacy-
`study (last visited May 27, 2022); Saheli Roy Choudhury and Ryan Browne, Facebook pays
`teens to install an app that could collect all kinds of data, CNBC (Jan. 30, 2019),
`https://www.cnbc.com/2019/01/29/facebook-paying-users-to-install-app-to-collect-data-
`techcrunch.html (last visited May 27, 2022);; Jay Peters, Facebook will now pay you for your
`voice recordings, The Verge (Feb. 20, 2020),
`https://www.theverge.com/2020/2/20/21145584/facebook-pay-record-voice-speech-recognition-
`viewpoints-proununciations-app (last visited May 27, 2022);.
`7
`
`CLASS ACTION COMPLAINT
`
`
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 8 of 25
`
`
`otherwise have the ability to choose how they would monetize their own data.
`
`A.
`
`Twitter’s Deceptive Collection of Personal Information for Two-Factor
`Authentication
`
`33.
`
`Since May 2013, Twitter has allowed users to log into Twitter with two-factor
`
`authentication using their telephone numbers. Users who enable this security feature log into their
`
`
`Twitter accounts with their usernames, passwords, and a code texted to their telephone numbers
`
`whenever they log in from a new or unrecognized device.
`
`34.
`
`Twitter prompts users to enable two-factor authentication through notices on their
`
`timelines and after users reset their passwords. Twitter also encourages users to turn on two-factor
`
`
`authentication in tweets from Twitter-operated accounts, Help Center documentation, and blog
`
`posts.
`
`35.
`
`To enable two-factor authentication, Twitter users must navigate to an account
`
`settings page. After clicking on “Security,” users see a screen similar to the one depicted below
`
`
`
`
`
`
`
`
`
`
`
`
`
`36. When users click on the “Learn more” link, they see a webpage that says, “How to
`
`use two-factor authentication.” This page states, in relevant part
`
`Two-factor authentication is an extra layer of security for your
`
`Twitter account. Instead of only entering a password to log in, you’ll
`
`
`also enter a code or use a security key. This additional step helps
`
`make sure that you, and only you, can access your account.
`
`37.
`
`After clicking on the “Login Verification” checkbox above, users see additional
`
`instructions about how to enable two-factor authentication. The last screen in the user flow related
`
`to two-factor authentication using a telephone number is similar to the one depicted below:
`
`
`
`8
`
`CLASS ACTION COMPLAINT
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 9 of 25
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`38.
`
`Since at least September 2018, Twitter has prompted users to enable two-factor
`
`authentication directly on users’ timelines through a prompt similar to the screen depicted below:
`
`
`
`
`
`
`
`
`
`
`
`
`
`39.
`
`According to the 2022 FTC Complaint, until September 2019, Twitter did not
`
`disclose at any point in the two-factor authentication pathway or in any of the associated links
`
`described above that it was using the telephone numbers users provided for two-factor
`
`authentication to target advertisements to those users.
`
`40.
`
`According to the 2022 FTC Complaint, from May 2013, approximately two million
`
`
`users provided a telephone number to enable two-factor authentication.
`
`41.
`
`The fact that Twitter used the telephone numbers provided for two-factor
`
`authentication for advertising would be material to users when deciding whether to provide a
`
`telephone number for two-factor authentication.
`
`
`
`9
`
`CLASS ACTION COMPLAINT
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 10 of 25
`
`
`
`
`B.
`
`Twitter’s Deceptive Collection of Personal Information for Account
`Recovery
`
`42.
`
`In June 2015, Twitter began prompting users to add a telephone number to their
`
`Twitter accounts as a safeguard in the event of a lost password. Then, in April 2018, Twitter also
`
`began prompting users to add an email address.
`
`
`
`43.
`
`Since June 2015, if users do not have a telephone number associated with their
`
`accounts, Twitter may prompt the users to add a telephone number through a message similar to the
`
`one depicted below:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`44.
`
`Similarly, since April 2018, if a user does not have an email address associated with
`
`their account, Twitter may prompt the user to add an email address through a message similar to
`
`the one depicted below:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`45.
`
`Through September 2019, Twitter did not disclose at any point in the account
`
`recovery pathway or any of the messages described above that it was using the telephone numbers
`
`or email addresses users provided for account recovery to target advertisements to those users.
`
`46.
`
`According to the 2022 FTC Complaint, from June 2015, approximately 37 million
`
`
`
`10
`
`CLASS ACTION COMPLAINT
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 11 of 25
`
`
`users provided a telephone number or email address for account recovery purposes.
`
`47.
`
`The fact that Twitter used the telephone numbers and email addresses provided by
`
`users for the purpose of safeguarding their accounts for advertising would be material to users when
`
`deciding whether to provide their information for account recovery purposes.
`
`C.
`
`Twitter’s Deceptive Collection of Personal Information for Re-
`Authentication
`
`
`48.
`
`In December 2013, Twitter began requiring users to provide a telephone number or
`
`email address for re-authentication (e.g., to re-enable full access to an account after Twitter has
`
`detected suspicious or malicious activity).
`
`49.
`
`
`If Twitter detects suspicious or malicious activity on a user’s account, or suspects
`
`that the account may belong to a previously-banned user, Twitter may require the user to re-
`
`authenticate by providing a telephone number through a prompt similar to the one depicted below:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`50.
`
`If users click the “Start” button pictured above, they are instructed to enter a
`
`telephone number through a prompt similar to the one depicted below:
`
`
`
`
`
`
`
`11
`
`CLASS ACTION COMPLAINT
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 12 of 25
`
`
`
`
`
`
`51.
`
`Similarly, Twitter may require users to provide an email address to re-enable full
`
`access to their accounts with a prompt similar to the one depicted below:
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`52.
`
`Through September 2019, Twitter did not disclose at any point in the re-
`
`
`authentication pathway described above that it was using the telephone numbers or email addresses
`
`users provided for re-authentication to target advertisements to those users.
`
`53.
`
`According to the 2022 FTC Complaint, from September 2014, approximately 104
`
`million users provided a telephone number or email address in response to a prompt for re-
`
`
`
`12
`
`CLASS ACTION COMPLAINT
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 13 of 25
`
`
`authentication.
`
`54.
`
`The fact that Twitter used the telephone numbers and email addresses provided for
`
`re-authentication for advertising would be material to users when deciding whether to provide their
`
`information in response to a prompt for re-authentication.
`
`III. Twitter Misrepresented that it Processed Personal Data in Accordance with the EU-
`U.S. and Swiss-U.S. Privacy Shield Frameworks
`
`
`55.
`
`The European Union and Switzerland have each established regulatory regimes to
`
`protect individuals’ right to privacy with respect to the processing of their personal data. Both
`
`privacy regimes generally prohibit businesses from transferring personal data to third countries
`
`
`unless the recipient jurisdiction’s laws are deemed to adequately protect personal data.
`
`56.
`
`To ensure adequate privacy protections for commercial data transfers, the
`
`International Trade Administration of the U.S. Department of Commerce (“Commerce”)
`
`coordinated with the European Commission and the Swiss Administration to craft the EU-U.S. and
`
`Swiss-U.S. Privacy Shield Frameworks (“Privacy Shield” or “Frameworks”). The Frameworks are
`
`materially identical.
`
`57.
`
`To rely on the Privacy Shield for data transfers, a company needed to self-certify
`
`and annually affirm to Commerce that it complied with the Privacy Shield Principles (the
`
`“Principles”). Of note, Principle 5(a) provided that “[a]n organization may not process personal
`
`information in a way that is incompatible with the purposes for which it has been collected or
`
`subsequently authorized by the individual.” The Frameworks defined “processing” to include “any
`
`operation or set of operations which is performed upon personal data, whether or not by automated
`
`means” and includes, among other things, “collection,” “storage,” and “use” of personal
`
`information.
`
`
`
`58.
`
`Companies under the enforcement jurisdiction of the FTC, as well as the U.S.
`
`Department of Transportation, were eligible to join the EU-U.S. and Swiss-U.S. Privacy Shield
`
`Frameworks. A company under the FTC’s jurisdiction that self-certified to the Privacy Shield
`
`Principles, but failed to comply with the Privacy Shield, may be subject to an enforcement action
`
`based on the FTC’s deception authority under Section 5 of the FTC Act.
`
`
`
`13
`
`CLASS ACTION COMPLAINT
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 14 of 25
`
`
`59.
`
`Commerce maintains a public website, https://www.privacyshield.gov, where it
`
`posts the names of companies that have self-certified to the Privacy Shield. The listing of
`
`companies, found at https://www.privacyshield.gov/list, indicates whether the company’s self-
`
`certification is current.
`
`60.
`
`On November 16, 2016, Twitter self-certified its participation in the Privacy Shield.
`
`
`Twitter has reaffirmed its participation in the Privacy Shield to Commerce each year thereafter.
`
`61.
`
`As described above, through at least September 2019, Twitter deceptively used
`
`personal information collected for specific security-related purposes for advertising.
`
`62.
`
`Twitter’s use of such personal information for advertising purposes was not
`
`
`compatible with the purposes for which the information was collected, and Twitter did not obtain
`
`subsequent authorization from any individual to use such information for advertising.
`
`63.
`
`As a company under the jurisdiction of the FTC, Twitter’s failure to comply with the
`
`Privacy Shield, is a violation of Section 5 of the FTC Act.
`
`IV.
`
`Twitter Violated Its Privacy Policy and Cal. Bus. & Prof. Code § 22576
`
`64.
`
`Pursuant
`
`to
`
`its
`
`Terms
`
`of
`
`Service,
`
`Twitter’s
`
`“ Privacy
`
`Policy (https://www.twitter.com/privacy) describes how we handle the information you provide to
`
`us when you use our Services. You understand that through your use of the Services you consent to
`
`the collection and use (as set forth in the Privacy Policy) of this information . . .”4
`
`65.
`
`Twitter’s Privacy Policy—as set out at https://twitter.com/en/privacy—repeatedly
`
`touts how it respects its users privacy, and does not disclose user’s information without their
`
`consent.
`
`66.
`
`For example, it states:
`
`
`• “We believe you should always know what data we collect from you and how we
`
`
`
`4 Twitter Terms of Service, effective May 25, 2018, at § 2, available at
`https://twitter.com/en/tos/previous/version_13. Prior versions of the Terms of Service are
`virtually identical in this respect. See, e.g., Twitter Terms of Service, effective June 25, 2012, at
`§ 2, available at https://twitter.com/en/tos/previous/version_7 (“Any information that you
`provide to Twitter is subject to our Privacy Policy, which governs our collection and use of your
`information. You understand that through your use of the Services you consent to the collection
`and use (as set forth in the Privacy Policy) of this information . . ..”.
`14
`
`CLASS ACTION COMPLAINT
`
`
`
`
`

`

`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`1
`
`2
`
`3
`
`4
`
`5
`
`6
`
`7
`
`8
`
`9
`
`10
`
`11
`
`12
`
`13
`
`14
`
`15
`
`16
`
`17
`
`18
`
`19
`
`20
`
`21
`
`22
`
`23
`
`24
`
`25
`
`26
`
`27
`
`28
`
`Case 3:22-cv-03173-SK Document 1 Filed 05/31/22 Page 15 of 25
`
`
`use it, and that you should have meaningful control over both. We want to empower
`
`you to make the best decisions about the information that you share with us.” Privacy
`
`Policy, p. 1.
`
`• “We give you control through your settings to limit the data we collect from you and
`
`how we use it, and to control things like account security, marketing preferences,
`
`
`apps that can access your account, and address book contacts you’ve uploaded to
`
`Twitter. You can also download information you have shared on Twitter.” Privacy
`
`Policy, p. 2.
`
`67. Most notably, § 3.1 of the Privacy Policy promises that:
`
`
`We share or disclose your personal data with your consent or at
`your direction, such as when you authorize a third-party web client
`or application to access your account or when you direct us to share
`your feedback with a business. . . .
`
`Subject to your settings, we also provide certain third parties with
`personal data to help us offer or operate our services. You can learn
`more about these partnerships in our Help Center, and you can
`control whether Twitter shares your personal data in this way
`by using the “Allow additional information sharing with
`business partners” option in your Personalization and Data
`settings. (This setting does not control sharing described elsewhere
`in our Privacy Policy, such as when we share data with our service
`providers, or through partnerships other than as described in our
`Help Center.)
`
`68.
`
`As described herein, Twitter did not abide by its Privacy Policy in t