Twitter said it had “inadvertently” used personal information such as phone numbers and email addresses — provided by users to make their accounts more secure — to target advertising.
The San Francisco-based social media company said in a blog post that it had matched users based on the email and phone numbers they provided “for safety and security purposes”, such as two-factor authentication, to advertisers’ marketing lists. “This was an error and we apologise,” Twitter said.
Data misuse whereby platforms take information gathered for security purposes to instead bolster their ad targeting capabilities is not new, with Twitter rival Facebook coming under fire recently for the practice. Indeed, Facebook was explicitly banned from doing so in July as part of its $5bn settlement with the US Federal Trade Commission following an investigation into its privacy practices.
Twitter said on Tuesday that it “cannot say with certainty how many people were impacted” by its news, but added that “no personal data were ever shared externally with our partners or any other third parties”. The practice affected users globally, it said.
The social media group said it had addressed the problem as of September 17, although it is unclear why the company did not notify users sooner.
It is unclear whether the incident will count as a breach of Europe’s General Data Protection Regulation. Twitter told the Financial Times that it was working in co-operation with regulators where appropriate.
The revelations come just two months after the company admitted it shared certain user and device data with advertisers without the permission of those individuals for almost a year, after their “settings choices may not have worked as intended”. Twitter said in September that it was still conducting an investigation into that matter.
