Elon Musk’s lawyer late last week sought to reassure Twitter Inc employees that they would not be held personally liable if the company disregarded a federal order to consider and protect users’ privacy when launching new features.
Former FTC officials do not think it is so clear-cut.
In a May 2022 settlement with the U.S. regulator, Twitter agreed to improve its privacy practices and placed responsibility on people who held certain positions. But compliance has come into question as Musk pursues rapid launches of features to steer the debt-laden, money-losing company into profitability. In addition, several executives in charge of following the orders have quit or been pushed out.
Former officials differed on whether that settlement put Twitter executives directly in legal peril if the company failed to honor the agreement or if the agency would have to take additional steps, such as a new investigation and settlement, before legally pursuing individuals.
Howard Beales, a former director of the FTC’s Bureau of Consumer Protection, said that beginning with the Obama administration, the agency had sought to hold executives personally liable for decisions they made for their companies.
He said that the FTC has always had the authority to single out executives who violate orders and hit them with penalties but that it has rarely done so.
David Vladeck, a former director of the FTC’s Bureau of Consumer Protection, said there would likely be another investigation, and potentially another enforcement action, before Twitter executives would be held personally liable. But he added, “the FTC will move swiftly if it thinks consumer privacy is at risk.”
Many former FTC officials said the agency’s current chair, Lina Khan, has shown interest in going after executives if consent orders are violated.
The FTC on Thursday said it is “tracking recent developments at Twitter with deep concern. No CEO or company is above the law, and companies must follow our consent decrees.”
Twitter did not respond to requests for comment.
Last Thursday, a Twitter lawyer advised employees to seek whistleblower protection “if you feel uncomfortable about anything you’re being asked to do,” after executives responsible for complying with FTC rules resigned, according to a memo posted on Twitter’s internal Slack channel.
The lawyer warned that due to the rapid speed of software development, the legal team shifted the responsibility for compliance to engineers to “self-certify” that changes comply with FTC requirements. This possibly placed those employees at legal risk, the lawyer said.
“I anticipate that all of you will be pressured by management into pushing out changes that will likely lead to major incidents,” the note said.
The Twitter agreement requires a “written program and any evaluations” to be given to Twitter’s board of directors, which was dissolved by Musk when he took over the company. If there is no board, oversight must be conducted by “a senior officer” at Twitter.
Musk’s attorney, Alex Spiro, sought to downplay the potential risk to individual workers. “I understand that there have been employees at Twitter who do not even work on the FTC matter commenting that they could (go) to jail if we were not in compliance – that is simply not how this works,” Spiro wrote to Twitter staff on Thursday.
“The only party to the decree is Twitter – not individuals who work at Twitter. It is Twitter itself (not individual employees) who is a party and therefore only Twitter the company could be liable,” he wrote.
Musk also sought to reassure employees in an email, according to tech news site the Verge: “I cannot emphasize enough that Twitter will do whatever it takes to adhere to both the letter and spirit of the FTC consent decree,” he wrote. “Anything you read to the contrary is absolutely false. The same goes for any other government regulatory matters where Twitter operates.”
The potential liability could escalate quickly. Failing to comply with the May order could leave Twitter at risk of civil penalties, which can add up: penalties are levied at $46,517 “per violation,” which can be defined as every user and every day. Separately, making false statements to the government in compliance reports could open employees to criminal prosecution.
In 2019, Facebook, the world’s biggest social network, agreed to pay $5 billion after it violated a 2012 privacy consent decree.
In the May settlement, Twitter agreed to pay $150 million and assess potential features for data privacy and security issues. It resolved allegations that the company misused private information, such as phone numbers, for advertising after telling users the information would be used for security reasons.