Twitter has been forced to fess up that it has been exploiting the personal data of potentially millions of its users without their consent to bombard them with advertising, in direct contravention of GDPR.
In a statement, Twitter said the “fault” has already been fixed and that an investigation is being carried out to determine how many people had been affected; it has also advised users to verify their data sharing settings.
The potential data breach involved two cases, the first arising if users clicked or viewed an ad for a mobile application and then interacted with it since May 2018.
“In that case, we may have shared certain data (eg country code, if you engaged with the ad and when, information about the ad etc) with trusted measurement and advertising partners, even if you didn’t give us permission to do so,” the statement said.
The second case involved Twitter showing people ads “based on inferences we made about the devices you use, even if you did not give us permission to do so,” it added.
In that case, data was not used outside the company and did not contain personal information such as passwords or email accounts, Twitter claimed.
The tech giant has apologised for not respecting users’ choices, and insists that it was “taking steps to make sure we don’t make a mistake like this again”. It added: “What is there for you to do? Aside from checking your settings, we don’t believe there is anything for you to do,” the statement said.
Under GDPR, companies must ensure they have user’s explicit consent to collect personal data for advertising purposes or on behalf of third-parties. It is not known whether Twitter has reported the incident to the Irish Data Protection Commissioner, which governs its activities in the EU.
Brussels hails GDPR but warns of more work to be done
Now Marriott takes a £99m battering for GDPR failings
BA faces record £183m GDPR fine for data meltdown
GDPR one year on: Data is now a major boardroom issue