Greetings from Brussels!

Following on from last week’s editorial on social media privacy policies, this Tuesday saw a blog post come out of Twitter’s help center. It appears the social platform may have used personal data for personalized ads without user consent. More notably, this may have been happening since May 2018.

The statement starts with the standard expected company position of wanting to guarantee you, the user, control over your data, including when your data is shared. Followed by “of course, those options are only good if we follow the choices you make.” I do like this last phrase. Well, it seems for some of us — and I am a Twitter user — that hasn’t quite worked out as intended, and this despite any selected privacy settings to the contrary. They go on to state that they may have inadvertently shared your “engagement” data with trusted advertising and measurement third-parties (I understand this to be analytics providers).

The other admission is that some users may have also been shown ads “based on inferences we made about the devices you use, even if you did not give us permission to do so.” Although, Twitter states that the data stayed within Twitter, and “did not contain things like passwords, email accounts, etc.” Without getting too technical, the whole notion of inference-based targeting is centered on profiling interests and online behavior derived from the tracking of personal browsing activity across devices, in order to push curated advertising.

Having fixed the issues, Twitter made an apology to its users. They are still conducting an internal investigation to determine who may have been impacted and committed to further communications if they discover more information that is useful to their community. Big tech firms have been under considerable scrutiny lately from regulators around the world over their data sharing practices; it remains to be seen be seen whether this case will generate additional regulatory attention, particularly in Europe. There may be some potential breaches of the GDPR in play here.

Yesterday, Twitter went some way further. As reported by The Wall Street Journal, the company stated that it was planning early next year to remove “outside data sources” from its ad-buying system. In other words, they will no longer offer up behavioral data acquired to help advertisers better target its users. This is significant, Twitter appears to be following other tech firms in distancing themselves from third-party data providers.

Preemptive action you may ask? Truly, firms can no longer afford to devalue the trust paradigm with the market, nor can they afford to be on the receiving end of regulatory scrutiny; these two factors alone can do significant reputational damage. Twitter maintains this latest decision is unrelated to rising concerns about data protection and privacy online. Whether this is the case or not, the judicious timing of the announcement is certainly apparent. All said and done, the GDPR and the CCPA are increasingly becoming key catalysts for privacy risk mitigation as well as changes to data management practices.