Twitter has apologised for allowing advertisers to target ads using the email addresses and phone numbers provided by users for account security.
The company has admitted that advertisers using its Tailored Audiences and Partner Audiences systems may have been able to target ads at specific users, based on the contact information those users provided for two-factor authentication (2FA).
Tailored Audiences allows advertisers to target ads at users whose email addresses or phone numbers they already have. Partner Audiences allows ads to be targeted at audiences provided by third-party partners.
“When an advertiser uploaded their marketing list, we may have matched people on Twitter to their list based on the email or phone number the Twitter account holder provided for safety and security purposes. This was an error and we apologize,” says the company in a statement.
“We cannot say with certainty how many people were impacted by this, but in an effort to be transparent, we wanted to make everyone aware.”
The company says it’s addressed the problem that allowed this to happen and is no longer using phone numbers or email addresses collected for safety or security purposes for advertising.
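The design flaw the statement describes is a contact store that does not record why an email address or phone number was collected, so an advertiser's uploaded list gets matched against everything on file. The following Python is an added illustration written for this article, not Twitter's code: it tags each identifier with its collection purpose, shows the unbound matching beside a purpose-gated version, and adds an audit that reports which accounts the unbound design would have exposed. All names (`ContactStore`, `Purpose`, `audit_exposure`) and the sample accounts are constructed for the example.

```python
"""Purpose-bound audience matching (illustrative example, not Twitter's code).

Every email or phone an account holder gives us is stored with the purpose it
was collected for. An advertiser's uploaded list is matched only against
identifiers supplied for marketing, never against 2FA or recovery contacts.
"""
from dataclasses import dataclass
from enum import Enum
import hashlib


class Purpose(Enum):
    SECURITY = "security"    # e.g. a phone number given for 2FA or account recovery
    MARKETING = "marketing"  # contact data the user agreed could be used for ad matching


@dataclass(frozen=True)
class Identifier:
    user_id: str
    digest: str         # hash of the normalised email or phone number
    purposes: frozenset  # set of Purpose values this identifier was collected for


def normalise(value):
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' compare equal."""
    v = value.strip().lower()
    if "@" not in v:
        # Crude phone normalisation for the example: keep digits only.
        v = "".join(ch for ch in v if ch.isdigit())
    return v


def digest(value):
    """Match on hashes so raw contact data is never handed to the ad pipeline."""
    return hashlib.sha256(normalise(value).encode()).hexdigest()


class ContactStore:
    def __init__(self):
        self._by_digest = {}  # digest -> list of Identifier

    def add(self, user_id, value, purpose):
        """Record an identifier for a user, merging purposes if it already exists."""
        d = digest(value)
        entries = self._by_digest.setdefault(d, [])
        for i, ident in enumerate(entries):
            if ident.user_id == user_id:
                entries[i] = Identifier(user_id, d, ident.purposes | {purpose})
                return
        entries.append(Identifier(user_id, d, frozenset({purpose})))

    def match_audience_unbound(self, uploaded):
        """The flawed design: any identifier on file is matched, whatever its purpose."""
        return {ident.user_id
                for v in uploaded
                for ident in self._by_digest.get(digest(v), [])}

    def match_audience(self, uploaded, required=Purpose.MARKETING):
        """Purpose-bound matching: only identifiers collected for `required` can match."""
        return {ident.user_id
                for v in uploaded
                for ident in self._by_digest.get(digest(v), [])
                if required in ident.purposes}


def audit_exposure(store, uploaded):
    """Accounts the unbound design would have matched solely via security contacts."""
    return store.match_audience_unbound(uploaded) - store.match_audience(uploaded)


def build_sample_store():
    """Constructed sample accounts for the example; not real data."""
    store = ContactStore()
    store.add("u1", "alice@example.com", Purpose.MARKETING)  # opted in to ad matching
    store.add("u2", "+1 555 0100", Purpose.SECURITY)         # phone given only for 2FA
    store.add("u3", "bob@example.com", Purpose.SECURITY)     # email given for recovery...
    store.add("u3", "bob@example.com", Purpose.MARKETING)    # ...and later opted in to ads
    return store


# Constructed advertiser upload: one entry per line of a marketing list.
ADVERTISER_LIST = ["Alice@Example.com", "15550100", "bob@example.com", "nobody@example.com"]

if __name__ == "__main__":
    s = build_sample_store()
    print("unbound match:", sorted(s.match_audience_unbound(ADVERTISER_LIST)))
    print("purpose-bound match:", sorted(s.match_audience(ADVERTISER_LIST)))
    print("exposed by the flaw:", sorted(audit_exposure(s, ADVERTISER_LIST)))
```

The point of `audit_exposure` is that, once identifiers carry their collection purpose, the operator can answer the question Twitter says it cannot: which accounts were matched only through security contact data.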
However, questions remain – not least, why the information was ever on that particular database in the first place.
In addition, the company says it fixed the problem on September 17 – a full three weeks ago. Why were users not alerted before?
The company isn’t contacting individual users affected by the issue, and says it doesn’t even know how many there are. But, depending on where they are in the world, they will likely have legal recourse through data protection laws.
In Europe, for example, the General Data Protection Regulation (GDPR) has heavy penalties for organizations that use data for purposes that users haven’t specifically authorized. Twitter may or may not have reported the breach to the authorities – in the EU, it should have done so within 72 hours of discovering it ‘where feasible’. It should also have notified users individually unless it could argue – as it possibly can – that doing so would involve ‘disproportionate effort’.
And it could face problems in the US too, where there’s a bit of a precedent. Earlier this year, Facebook was found to be similarly using contact information provided for 2FA to allow targeted advertising; it was ordered to stop by the US Federal Trade Commission and given a $5 billion fine.