Understanding the FTC’s Regulatory Oversight of X (Formerly Twitter)
The Federal Trade Commission (FTC) maintains ongoing oversight of X, formerly known as Twitter, following a 2011 consent order that addressed systemic failures to protect user data. This regulatory relationship centers on a $150 million settlement reached in 2022, which resolved allegations that the company misused private information for targeted advertising purposes between 2013 and 2019.
How did the FTC settlement originate?
The foundation of the current regulatory scrutiny stems from a 2011 complaint filed by the FTC. The commission alleged that Twitter failed to implement reasonable security measures, which allowed unauthorized access to private user accounts. According to the FTC’s 2011 findings, the company lacked adequate controls to prevent hackers from obtaining administrative access to its platform. This resulted in a consent decree that required the company to establish and maintain a comprehensive information security program for 20 years.

Why was the 2022 settlement necessary?
In May 2022, the FTC filed a new complaint alleging that Twitter violated the 2011 order. The federal regulator stated that while the company told users it collected personal contact information—such as phone numbers and email addresses—for security purposes like account recovery and multi-factor authentication, it simultaneously leveraged that data to serve targeted advertisements. According to the Department of Justice and the FTC, this practice affected more than 140 million users. The company agreed to pay a $150 million civil penalty and implement enhanced privacy and security safeguards to settle these charges.
What is the current status of the compliance program?
Following the acquisition of the platform by Elon Musk in October 2022, the company underwent significant organizational changes. In 2023, the FTC expressed concerns regarding the impact of these corporate changes on the company’s ability to comply with the 2022 order. The commission noted that the departure of key privacy and security personnel, including the Chief Information Security Officer and the Chief Privacy Officer, raised questions about the oversight of the platform’s user data protections.
Key Regulatory Obligations for X
- Privacy-by-Design: X is required to implement a comprehensive privacy program that assesses and mitigates risks associated with new product developments.
- Data Minimization: The company must limit the collection of user information to what is strictly necessary for the stated service.
- Independent Audits: The order mandates biennial assessments by an independent third party to verify the effectiveness of the company’s privacy and security controls.
What happens next for the platform?
The 2022 order remains in effect until May 2042. Any failure to adhere to these provisions could result in additional civil penalties or further enforcement actions by the FTC. The commission continues to monitor the company’s technical infrastructure and management practices to ensure that user privacy remains a core component of its business operations. As of 2024, the company operates under these heightened reporting requirements, which are designed to ensure transparency regarding how user data is handled in the post-acquisition era.

Worth a look