I can't answer this for twitter, but I can tell you how it works elsewhere.
- When you start a new project, one of the first things you do is talk to the appropriate privacy managers for that area, to get an idea of what concerns they'll have and what they want to see.
- Unless they tell you that you're fine (which basically is only going to happen if what you are doing either never touches user data, or doesn't do anything differently than existing features) you write up a very detailed description of the feature, the behavior, what user data it uses, how it will be used, where it will stored, and how long it will be stored.
- That writeup is reviewed. Everything is documented and stored so the FTC can see it. Product changes likely may be proposed. This process will take weeks.
- Every time any code is checked in, the programmer and reviewer have to confirm that this code either doesn't touch user data, or has been approved under the aegis of an existing project (you have to provide the ID of the approval).
- Product changes may have to repeat the process.
Privacy reviews of code changes, and requests to access user data (Meta has ACLs on their databases at the field level), can be approved anywhere from within minutes (if it's something that can be reviewed automatically) to days to weeks. The FTC is not fooling around, and their fines are not small. In the past Meta has been hit with a $5 billion dollar fine. Twitter recently settled an agreement with the FTC on a $150 million dollar fine.
As @popehat@masthead.social says on Twitter (https://twitter.com/Popehat/status/1590770084276232192?s=20&t=Gm9AcXTAxqoVPs_PqLCp4w), judges are really deferential to the FTC.
Your client may not go to jail, but your client's assets WILL be frozen and their company WILL be shut down and multiple restrictions WILL be imposed with, shall we say, a less factually and legally robust basis that you would expect. It's deeply unsettling.
Elon has no idea what kind of trouble he is in for.
yep! we can attest that we've been part of this process elsewhere, and this is a good description of it. Twitter's consent decree is actually somewhat stronger than the rest of the industry's, it has some novel provisions that haven't been tested yet, so let's see what the FTC does...
