Twitter reveals unauthorised data use, says user's data used for advertising purposes
Twitter apologised for not respecting users' choices, and insisted that it was "taking steps to make sure we don't make a mistake like this again."
The social network Twitter said on Wednesday that user's personal data had been used for advertising purposes, without their consent and despite dedicated settings to counteract such events.
A Twitter statement said the fault was corrected on Monday and that an investigation was being conducted to determine how many people had been affected, while advising users to verify their data sharing settings.
The situation involved two cases, the first one arising if users clicked or viewed an advertisement for a mobile application and then interacted with it since May 2018.
"In that case, we may have shared certain data (e.g country code, if you engaged with the ad and when, information about the ad, etc.,) with trusted measurement and advertising partners, even if you didn't give us permission to do so," the statement said.
The second case involved Twitter showing people ads "based on inferences we made about the devices you use, even if you did not give us permission to do so," it added.
In that case, data was not used outside the company and did not contain personal information such as passwords or e-mail accounts, according to Twitter.
Twitter apologised for not respecting users' choices, and insisted that it was "taking steps to make sure we don't make a mistake like this again."
"What is there for you to do? Aside from checking your settings, we don't believe there is anything for you to do," the statement said.
It provided a link to a form that allows users to contact its office of data protection for more information.
The problems arose after Europe's General Data Protection Regulation (GDPR) took effect in May 2018.
The GDPR binds social media platforms and websites to ensuring they have user's explicit consent to collect personal data for advertising purposes or on behalf of third-party enterprises.
It also obliges companies that have been a victim of personal data loss to alert competent authorities in the country where their European headquarters are located, in this case Ireland, within 48 hours of their discovery, and the people affected as soon as possible.