Twitter users’ personal data was used for advertising purposes, without their consent, the company said. It also said that it found this issue recently where users’ settings choices didn’t work the way they should have. There were two separate cases where users’ data was used to target advertisements without their consent:

  • The first case was when users clicked or viewed an advertisement for a mobile application and then interacted with it since May 2018. The company said that in this instance, they may have shared data like country code, date of engagement with the advertisement and information about the ad with advertising partners, even when they didn’t have the permission to do so.
  • In the second case, Twitter said it showed people advertisements based on its “inferences” about users’ devices without their permission. It also said that for this case, users’ data was not used outside the company and did not contain personal information such as passwords or e-mail accounts.

Twitter said that the fault was corrected on August 5 and that an investigation was being conducted to determine how many people had been affected.

The issue here is that Twitter collected information on people who may not have given their explicit consent. It also used that information to run targeted advertisements. Under the EU’s General Data Protection Regulation, consent must to be informed and specific. For this, the data subject must be notified about the controller’s identity, what kind of data will be processed, how it will be used and the purpose of the processing operations as a safeguard against “function creep”. The law also states that consent must be “unambiguous”, that is, it requires either a statement or a clear affirmative act.